[libvirt] LXC: user namespaces

Daniel P. Berrange berrange at redhat.com
Tue Apr 30 10:29:02 UTC 2013


On Tue, Apr 30, 2013 at 12:17:15PM +0200, Richard RW. Weinberger wrote:
> ----- Original Message -----
> > On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger
> > wrote:
> > > ----- Original Message -----
> > > > > We'd like to use libvirt for managing our lxc machines.
> > > > > Currently libvirt lacks user namespace support.
> > > > > Is anyone working on that? Otherwise David and I will implement
> > > > > it and send patches very soon.
> > > > 
> > > > There were some people at Fujitsu who have done a little work on
> > > > it. They posted some very basic patches a month or two ago, but not
> > > > heard more since then, so don't know if any progress has been made
> > > > by them.
> > > 
> > > Found the patches. :)
> > > They do mostly the same as what our preliminary userns support does.
> > > 1. Add support for uid/gid mappings.
> > > 2. Don't mount disallowed file systems in the userns.
> > > 3. Create device nodes outside of the userns.
> > > 
> > > What we still need to consider is how to deal with capability
> > > dropping. Daniel, do you have any plans for how to support this?
> > > Using securebits would be a good idea.
> > 
> > We already have to deal with that - we allow all capabilities
> > except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL
> > and MAC_ADMIN currently.  If user namespaces are active, we
> > might be able to actually relax that and allow more of them.
> > TBD.
> 
> So, you are currently limiting the bounding set?

Yes, we limit the bounding set (when possible - you can't limit the
bounding set as non-root, even if you only want to discard bits, which
rather sucks).

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
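The exchange above turns on two facts: libvirt-lxc limits the container's capability bounding set (removing CAP_MKNOD, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_AUDIT_CONTROL and CAP_MAC_ADMIN), and the kernel refuses PR_CAPBSET_DROP from a process without CAP_SETPCAP even when it only wants to discard bits. The program below is an added example written for this page, not libvirt's own code: it reads the bounding set for those five capabilities with PR_CAPBSET_READ (which needs no privilege), tries to drop each with PR_CAPBSET_DROP, and records EPERM separately so an unprivileged caller can see exactly the limitation Daniel describes. The helper names and the cap_entry table are this example's own; the capability list is the one named in the mail.

```c
/* Added example (not libvirt code): limit the capability bounding set
 * the way libvirt-lxc does, and surface the EPERM an unprivileged
 * process gets when it tries. Linux only. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Fallbacks for old kernel headers; the values are the kernel's own. */
#ifndef CAP_AUDIT_CONTROL
#define CAP_AUDIT_CONTROL 30
#endif
#ifndef CAP_MAC_ADMIN
#define CAP_MAC_ADMIN 33
#endif

struct cap_entry { const char *name; int cap; };

/* The five capabilities the mail says libvirt-lxc removes. */
static const struct cap_entry denied_caps[] = {
    { "CAP_MKNOD",         CAP_MKNOD },
    { "CAP_SYS_MODULE",    CAP_SYS_MODULE },
    { "CAP_SYS_TIME",      CAP_SYS_TIME },
    { "CAP_AUDIT_CONTROL", CAP_AUDIT_CONTROL },
    { "CAP_MAC_ADMIN",     CAP_MAC_ADMIN },
};
#define NDENIED (sizeof denied_caps / sizeof denied_caps[0])

/* 1 if cap is in this process's bounding set, 0 if not, -errno on error
 * (EINVAL for an unknown capability number). Needs no privilege. */
int in_bounding_set(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Remove cap from the bounding set: 0 on success, -errno on failure.
 * The kernel requires CAP_SETPCAP, so an unprivileged process gets
 * -EPERM even though it is only discarding bits. Dropping a capability
 * that is already absent succeeds (the operation is idempotent). */
int drop_from_bounding_set(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) < 0)
        return -errno;
    return 0;
}

/* Try to drop every entry in caps[]. Returns how many were dropped and
 * sets *eperm_seen when at least one attempt was refused for lack of
 * privilege, so a caller can report "running unprivileged, bounding set
 * left as-is" instead of silently assuming the limit took effect. */
int limit_bounding_set(const struct cap_entry *caps, size_t n, int *eperm_seen)
{
    int dropped = 0;
    *eperm_seen = 0;
    for (size_t i = 0; i < n; i++) {
        int r = drop_from_bounding_set(caps[i].cap);
        if (r == 0)
            dropped++;
        else if (r == -EPERM)
            *eperm_seen = 1;
        else
            fprintf(stderr, "%s: drop failed, errno=%d\n", caps[i].name, -r);
    }
    return dropped;
}

int main(void)
{
    int eperm;
    for (size_t i = 0; i < NDENIED; i++)
        printf("before: %-18s in bounding set = %d\n",
               denied_caps[i].name, in_bounding_set(denied_caps[i].cap));

    int dropped = limit_bounding_set(denied_caps, NDENIED, &eperm);
    printf("dropped %d of %zu%s\n", dropped, NDENIED,
           eperm ? " (EPERM: this process lacks CAP_SETPCAP)" : "");

    for (size_t i = 0; i < NDENIED; i++)
        printf("after:  %-18s in bounding set = %d\n",
               denied_caps[i].name, in_bounding_set(denied_caps[i].cap));
    return 0;
}
```

Run it as root and every "after" line reads 0; run it as an ordinary user and the drops fail with EPERM while the reads still work, which is why a manager like libvirt can only apply this limit when it itself holds CAP_SETPCAP. A bounding-set drop is per-process and irreversible, so it belongs in the child just before exec, after any step that still needs the capability.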