
Re: [libvirt-users] [libvirt] LXC, user namespaces and systemd



On 26.02.2014 17:59, Stephan Sachse wrote:
# chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer

> You must "shift" the uids for the container: 0 -> 666, 1 -> 667, 2 ->
> 668. There is a tool for this: uidmapshift

I prepared two containers: for the first I used chown, for the second uidmapshift. Here are the results.

./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer
UIDs 666 - 666
GIDs 1001 - 2000

foo      28919 28917  0 14:42 ?        00:00:00 /sbin/init
747      28950 28919  0 14:42 ?        00:00:00 /bin/dbus-daemon

./uidmapshift -r /var/lib/libvirt/filesystems/test
UIDs 888 - 1776
GIDs 1002 - 2001

foo1     29298 29296  0 14:45 ?        00:00:00 /sbin/init
969      29329 29298  0 14:45 ?        00:00:00 /bin/dbus-daemon

As you can see, root is mapped to the foo or foo1 user, and the dbus user is mapped to 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) + uid=888(foo1)). The mapping looks correct. Why use uidmapshift? It still performs a chown. Could you explain more?

> Some tools may not work because of the missing file capabilities.
> chown removes all file capabilities! Try ping as a user inside the
> container. (missing file caps cap_net_admin,cap_net_raw)

# getcap /usr/bin/ping
# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms
^C
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms


Yes, you are right, chown removed the capabilities, but ping still works properly.

--
Dariusz Michaluk
Samsung R&D Institute Poland
Samsung Electronics
d michaluk samsung com
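The uid shift and the capability problem discussed in this exchange, as an added example that is not part of the thread and is neither uidmapshift nor libvirt code. It walks a container rootfs without following symlinks, maps every owner id the way the user namespace expects (0 -> base, 1 -> base + 1, ...), and re-applies what a plain chown destroys on non-directories: the security.capability xattr and the setuid/setgid bits. It assumes Linux; applying changes needs root (CAP_CHOWN and CAP_SETFCAP), while dry_run=True only reports the plan and runs as any user. The sample tree built by build_sample_tree() is constructed for illustration, not taken from the thread.

```python
#!/usr/bin/env python3
"""Shift uid/gid of every inode under a rootfs by a fixed offset and keep
file capabilities and setuid/setgid bits across the chown (added example)."""
import os
import stat
import sys
import tempfile
from typing import List, NamedTuple, Optional

CAP_XATTR = "security.capability"  # where Linux stores file capabilities


class Change(NamedTuple):
    path: str
    old_uid: int
    old_gid: int
    new_uid: int
    new_gid: int
    mode: int              # full st_mode, so setuid/setgid can be restored
    caps: Optional[bytes]  # raw security.capability blob, None if absent


def shift_id(ident: int, base: int, range_len: int = 65536) -> int:
    """Container id -> host id for a mapping of range_len ids starting at base.
    Ids outside [0, range_len) are returned unchanged, so running the shift
    twice does not move already-shifted inodes a second time."""
    if 0 <= ident < range_len:
        return base + ident
    return ident


def read_caps(path: str) -> Optional[bytes]:
    """Raw file-capability xattr, or None when the file has none (ENODATA),
    the filesystem has no xattrs (ENOTSUP) or this is not Linux."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        return getxattr(path, CAP_XATTR, follow_symlinks=False)
    except OSError:
        return None


def _plan_one(path, uid_base, gid_base, range_len) -> Optional[Change]:
    st = os.lstat(path)  # never follow symlinks: chown the link, not its target
    new_uid = shift_id(st.st_uid, uid_base, range_len)
    new_gid = shift_id(st.st_gid, gid_base, range_len)
    if (new_uid, new_gid) == (st.st_uid, st.st_gid):
        return None
    caps = None if stat.S_ISLNK(st.st_mode) else read_caps(path)
    return Change(path, st.st_uid, st.st_gid, new_uid, new_gid, st.st_mode, caps)


def plan_shift(root, uid_base, gid_base, range_len=65536) -> List[Change]:
    """List every inode under root whose ownership would change, plus what
    has to be restored after the chown."""
    plan: List[Change] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk puts a symlink-to-directory in dirnames but neither descends
        # into it nor yields it as dirpath, so such links are handled here.
        links = [n for n in dirnames if os.path.islink(os.path.join(dirpath, n))]
        for p in [dirpath] + [os.path.join(dirpath, n) for n in links + filenames]:
            c = _plan_one(p, uid_base, gid_base, range_len)
            if c is not None:
                plan.append(c)
    return plan


def apply_shift(root, uid_base, gid_base, range_len=65536, dry_run=True) -> List[Change]:
    plan = plan_shift(root, uid_base, gid_base, range_len)
    if dry_run:
        return plan
    for c in plan:
        os.lchown(c.path, c.new_uid, c.new_gid)
        if stat.S_ISLNK(c.mode):
            continue
        # chown of a non-directory clears S_ISUID/S_ISGID and drops the
        # security.capability xattr, so both are put back explicitly.
        if c.mode & (stat.S_ISUID | stat.S_ISGID):
            os.chmod(c.path, stat.S_IMODE(c.mode))
        if c.caps is not None:
            os.setxattr(c.path, CAP_XATTR, c.caps, follow_symlinks=False)
    return plan


def build_sample_tree() -> str:
    """Constructed sample rootfs: a directory, a file and a symlink, all owned
    by the calling user (hypothetical contents, not from the thread)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.mkdir(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ping"), "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.symlink("ping", os.path.join(root, "bin", "ping6"))
    return root


if __name__ == "__main__":
    # Usage: uidshift.py ROOTFS UID_BASE GID_BASE [--apply]   (hypothetical CLI)
    rootfs, ub, gb = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for c in apply_shift(rootfs, ub, gb, dry_run="--apply" not in sys.argv):
        print(f"{c.path}: {c.old_uid}:{c.old_gid} -> {c.new_uid}:{c.new_gid}"
              + (" +caps" if c.caps else ""))
```

With the numbers from the thread, shift_id(81, 666) gives 747 and shift_id(81, 888) gives 969, matching the dbus-daemon owners shown in the ps output above. The range check is what makes the script safe to re-run: an inode already at 100081 is outside a 65536-wide mapping starting at 0 and is left alone instead of being pushed to 200081.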

