[libvirt] LXC: user namespaces
Daniel P. Berrange
berrange at redhat.com
Tue Apr 30 10:10:12 UTC 2013
On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger wrote:
> ----- Original Mail -----
> > > We'd like to use libvirt for managing our lxc machines.
> > > Currently libvirt lacks user namespace support.
> > > Is anyone working on that? Otherwise David and I will implement it
> > > and send patches very soon.
> >
> > There were some people at Fujitsu who have done a little work on it.
> > They posted some very basic patches a month or two ago, but not heard
> > more since then, so don't know if any progress has been made by them.
>
> Found the patches. :)
> They do mostly the same as what our preliminary userns support does.
> 1. Add support for uid/gid mappings.
> 2. Don't mount disallowed file systems in the userns.
> 3. Create device nodes outside of the userns.
>
> What we still need to consider is how to deal with capability dropping.
> Daniel, do you have any plans how to support this?
> Using securebits would be a good idea.
We already have to deal with that - we allow all capabilities
except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL
and MAC_ADMIN currently. If user namespaces are active, we
might be able to actually relax that and allow more of them.
TBD.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
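As an added illustration of the two mechanisms the thread touches on (the capability deny-list libvirt's LXC driver applies to a container, and the securebits approach Richard suggests), the following is example code written for this page, not libvirt's own implementation. It drops the five capabilities named in the reply from the calling process's bounding set with prctl(2), then locks the SECBIT_NOROOT securebit so that uid 0 inside the container gains no special capability grants on exec. The deny-list contents come from the mail; the choice of securebits and the function names are assumptions made for the example. Both the drop and the securebits change need CAP_SETPCAP, so run it as root (or in a user namespace where you hold that capability) to see the bounding set actually change; reading the bounding set needs no privilege.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>
#include <linux/securebits.h>

/* The capabilities the mail says libvirt's LXC driver withholds
 * from containers: everything else stays in the bounding set. */
static const int denied_caps[] = {
    CAP_MKNOD, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_AUDIT_CONTROL, CAP_MAC_ADMIN,
};
#define N_DENIED (sizeof denied_caps / sizeof denied_caps[0])

/* 1 if cap is on the deny list, 0 otherwise. */
int is_denied(int cap)
{
    for (size_t i = 0; i < N_DENIED; i++)
        if (denied_caps[i] == cap)
            return 1;
    return 0;
}

/* 1 if cap is still in this process's bounding set, 0 if it has been
 * dropped, -1 (errno set) if cap is not a valid capability number.
 * PR_CAPBSET_READ works without any privilege. */
int capbset_has(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Remove every deny-listed capability from the bounding set. A bounding
 * set drop is inherited by all children and can never be undone, which
 * is why a container manager does it before exec'ing the container init.
 * Returns 0 on success, -1 with errno set otherwise (EPERM when the
 * caller lacks CAP_SETPCAP). Dropping an already-absent cap succeeds. */
int drop_denied_caps(void)
{
    for (size_t i = 0; i < N_DENIED; i++)
        if (prctl(PR_CAPBSET_DROP, denied_caps[i], 0, 0, 0) != 0)
            return -1;
    return 0;
}

/* Assumed securebits policy for the example: with SECBIT_NOROOT the
 * kernel no longer hands full capabilities to uid 0 on execve or to
 * set-user-ID-root binaries, so privilege inside the container comes
 * only from the explicit capability sets; the *_LOCKED bit prevents the
 * container from clearing the flag again. Needs CAP_SETPCAP. */
int lock_securebits(void)
{
    unsigned long bits = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
    return prctl(PR_SET_SECUREBITS, bits, 0, 0, 0);
}

int main(void)
{
    for (size_t i = 0; i < N_DENIED; i++)
        printf("cap %d in bounding set before drop: %d\n",
               denied_caps[i], capbset_has(denied_caps[i]));

    if (drop_denied_caps() != 0)
        printf("bounding-set drop failed: %s (CAP_SETPCAP required)\n",
               strerror(errno));
    if (lock_securebits() != 0)
        printf("securebits lock failed: %s (CAP_SETPCAP required)\n",
               strerror(errno));

    for (size_t i = 0; i < N_DENIED; i++)
        printf("cap %d in bounding set after drop: %d\n",
               denied_caps[i], capbset_has(denied_caps[i]));
    return 0;
}
```

When run unprivileged both prctl calls fail with EPERM and the before/after readouts match; when run with CAP_SETPCAP the five capabilities read back as 0 afterwards, and a subsequent exec of a setuid-root binary in that process no longer restores them.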