[libvirt-users] [libvirt] LXC, user namespaces and systemd
Dariusz Michaluk
d.michaluk at samsung.com
Thu Feb 27 14:07:20 UTC 2014
On 26.02.2014 17:59, Stephan Sachse wrote:
>> # chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer
>
> you must "shift" the uids for the container 0 -> 666, 1 -> 667, 2 ->
> 668. there is a tool for this: uidmapshift
I prepared two containers; for the first I used chown, for the second
uidmapshift. Here are the results.
./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer
UIDs 666 - 666
GIDs 1001 - 2000
foo 28919 28917 0 14:42 ? 00:00:00 /sbin/init
747 28950 28919 0 14:42 ? 00:00:00 /bin/dbus-daemon
./uidmapshift -r /var/lib/libvirt/filesystems/test
UIDs 888 - 1776
GIDs 1002 - 2001
foo1 29298 29296 0 14:45 ? 00:00:00 /sbin/init
969 29329 29298 0 14:45 ? 00:00:00 /bin/dbus-daemon
As you can see, root is mapped to the foo or foo1 user and the dbus user is
mapped to 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) +
uid=888(foo1)). The mapping looks correct. Why use uidmapshift? It still
performs chown. Could you explain more?
> some tools may not work, because of the missing file capabilities.
> chown removes all file capabilities! try ping as user inside the
> container. (missing file cap cap_net_admin,cap_net_raw)
# getcap /usr/bin/ping
# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms
^C
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms
Yes, you are right, chown removed the capabilities, but ping still works
properly.
--
Dariusz Michaluk
Samsung R&D Institute Poland
Samsung Electronics
d.michaluk at samsung.com
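The two points raised in this exchange, the id shift (root 0 -> 666, dbus 81 -> 747) and the file capabilities that a plain chown clears, in code. This is an added example, not code from the thread or from the uidmapshift tool; it assumes Linux with Python 3, and the function names and the uid_base/gid_base/count parameters are my own.

```python
"""Shift a container rootfs into a user-namespace id range while keeping the
security.capability xattr that chown would otherwise drop (added example)."""
import os
import stat

CAP_XATTR = "security.capability"  # the real Linux xattr holding file caps


def shift_id(ident, base, count):
    """Map container id `ident` in 0..count-1 to host id base+ident.
    Ids outside the mapped range return None and are left untouched."""
    if 0 <= ident < count:
        return base + ident
    return None


def plan_shift(rootfs, uid_base, gid_base, count):
    """Walk `rootfs` without following symlinks and return, per path,
    (old_uid, old_gid, new_uid, new_gid, caps), where caps is the raw
    security.capability xattr or None.  Nothing is modified here."""
    plan = {}
    for dirpath, dirnames, filenames in os.walk(rootfs):
        # os.walk lists symlinks to directories under dirnames and does not
        # descend into them, so pick those up here as plain entries.
        names = filenames + [d for d in dirnames
                             if os.path.islink(os.path.join(dirpath, d))]
        for path in [dirpath] + [os.path.join(dirpath, n) for n in names]:
            st = os.lstat(path)
            caps = None
            if not stat.S_ISLNK(st.st_mode) and hasattr(os, "getxattr"):
                try:
                    caps = os.getxattr(path, CAP_XATTR, follow_symlinks=False)
                except OSError:  # ENODATA (no caps set) or ENOTSUP
                    caps = None
            plan[path] = (st.st_uid, st.st_gid,
                          shift_id(st.st_uid, uid_base, count),
                          shift_id(st.st_gid, gid_base, count), caps)
    return plan


def apply_shift(plan):
    """chown each planned path, then re-set the file capabilities the chown
    cleared.  Needs CAP_CHOWN and CAP_SETFCAP on the host.  A v3 capability
    xattr also carries a root uid that would need shifting; not handled."""
    for path, (_, _, new_uid, new_gid, caps) in plan.items():
        if new_uid is None or new_gid is None:
            continue  # outside the mapped range; leave ownership as is
        os.lchown(path, new_uid, new_gid)
        if caps is not None:
            os.setxattr(path, CAP_XATTR, caps, follow_symlinks=False)
```

Running `plan_shift` first and inspecting which entries carry a non-None caps value tells you exactly which binaries (such as ping) a plain `chown -R` would have stripped.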