[libvirt] LXC: user namespaces

Daniel P. Berrange berrange at redhat.com
Tue Apr 30 10:10:12 UTC 2013


On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger wrote:
> ----- Original Message -----
> > > We'd like to use libvirt for managing our lxc machines.
> > > Currently libvirt lacks user namespace support.
> > > Is anyone working on that? Otherwise David and I will implement it
> > > and send patches very soon.
> > 
> > There were some people at Fujitsu who have done a little work on it.
> > They posted some very basic patches a month or two ago, but not heard
> > more since then, so don't know if any progress has been made by them.
> 
> Found the patches. :)
> They do mostly the same as our preliminary userns support does.
> 1. Add support for uid/gid mappings.
> 2. Don't mount disallowed file systems in the userns.
> 3. Create device nodes outside of the userns.
> 
> What we still need to consider is how to deal with capability dropping.
> Daniel, do you have any plans for how to support this?
> Using securebits would be a good idea.

We already have to deal with that - we allow all capabilities
except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL
and MAC_ADMIN currently.  If user namespaces are active, we
might be able to actually relax that and allow more of them.
TBD.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
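The uid/gid mapping listed as item 1 above, as an added example that is not libvirt's code: each range is a (start, target, count) triple (the same shape libvirt's later idmap element uses), which the kernel consumes as "inside outside count" lines in /proc/<pid>/uid_map. The helper renders that file, translates ids across the namespace boundary, and rejects the mappings the kernel refuses (overlapping ranges) or that a reviewer would question (a range that hands the container host id 0).

```python
"""uid/gid mapping helper for LXC user namespaces (added example, not libvirt code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IdRange:
    start: int   # first id as seen inside the namespace
    target: int  # host id that 'start' maps to
    count: int   # number of consecutive ids in the range


def validate(ranges: Iterable[IdRange]) -> List[str]:
    """Return a list of problems; an empty list means the mapping is acceptable."""
    ranges = list(ranges)
    problems = []
    for r in ranges:
        if r.count <= 0:
            problems.append(f"range {r} has a non-positive count")
        if r.start < 0 or r.target < 0:
            problems.append(f"range {r} has a negative id")
        if r.target == 0:
            problems.append(f"range {r} maps host id 0 (root) into the namespace")
    # The kernel rejects ranges that overlap on either side of the mapping.
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.start < b.start + b.count and b.start < a.start + a.count:
                problems.append(f"inside ids overlap: {a} / {b}")
            if a.target < b.target + b.count and b.target < a.target + a.count:
                problems.append(f"host ids overlap: {a} / {b}")
    return problems


def to_proc_map(ranges: Iterable[IdRange]) -> str:
    """Render the /proc/<pid>/uid_map (or gid_map) format: 'inside outside count'."""
    return "".join(f"{r.start} {r.target} {r.count}\n" for r in ranges)


def to_host(ranges: Iterable[IdRange], inside_id: int) -> Optional[int]:
    """Translate a namespace id to the host id; None means unmapped (overflow/nobody)."""
    for r in ranges:
        if r.start <= inside_id < r.start + r.count:
            return r.target + (inside_id - r.start)
    return None


if __name__ == "__main__":
    # Constructed sample: a 65536-id container mapped onto host ids 100000+.
    mapping = [IdRange(start=0, target=100000, count=65536)]
    print(to_proc_map(mapping), validate(mapping), to_host(mapping, 0))
```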