[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt-users] LXC container driver



On Wed, Feb 12, 2014 at 12:51:10PM +0100, arnaud gaboury wrote:
> Dear all,
> 
> I am slowly building a Arch Linux VM guest on my Arch Linux host.
> 
> The guest machine is now built and is recognized as shown by this command :
> 
> gabx hortensia ➤➤ ~ % machinectl list
> MACHINE                          CONTAINER SERVICE
> dahlia                           container nspawn
> 
> 1 machines listed.
> 
> I an following the libvirt.org documentation. Now, according this
> page[1] about lxc driver, i am dealing with namespace requirements.
> This sentence, in bold, puzzles me:
> 
> A suitably configured UID/GID mapping is a pre-requisite to making
> containers secure, in the absence of sVirt confinement.
> 
> If I understand what a namespace is, I have no idea how to make sure
> my UIG/GID mapping is well configured. I would appreciate having any
> hints abut this part of the settings.

Basically this means that  uid == 0 in the container has the same
access as uid == 0 in the host. So if the container can see sysfs,
for example, it would be able to write to any files owned by the
uid == 0 which is clearly not what you want a container to be able
todo :-)

To avoid this you must setup an UID+GID mapping in the container
using the <idmap> syntax, and also make sure that the filesystem
you give to the container has corresponding changes. eg if you
set the XML to remap container uid==0 to uid == 3000 on the host
then the container's filesystemm must also use  uid == 3000 for
any files that are intended to be accessible to root in the
container. Likewise for other uid's beyond root.

http://libvirt.org/formatdomain.html#elementsOSContainer

NB user namespaces are a fairly new piece of functionality that
is still somewhat rough around the edges. You usuaully want to
have the most recent kernel.org stable kernel available when
using this.

> Another question : is there any advantage/disadvantage using the lxc
> Userspace tools[2] instead of libvirt to manage these namespaces ?

They are broadly speaking functionally equivalent but using libvirt gives
you all the usual benefits libvirt has. Stable API, accessible from
multiple programming languages, stable configuration, integration with
other apps using libvirt. eg you can use virt-top to monitor things
or virt-manager as a GUI frontend, etc, etc

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]