[PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

Eric W. Biederman ebiederm at xmission.com
Tue Feb 26 01:03:34 UTC 2013


Glauber Costa <glommer at parallels.com> writes:

> Well, the main problem is that I don't talk on behalf of any distro. We
> distribute OpenVZ, and would like to create containers such that each
> container has its own user range - all that without having the
> containers' users conflicting with users created by useradd's normal
> operation.
>
> I am *hoping* that by selecting ranges high enough I will avoid
> conflicts at least in the beginning, but it is a bit of guesswork.

Two suggestions.
1) Use /etc/subuid even if the distro doesn't yet.
   Where in your case you reserve the subordinate uids for root.

2) The default range for normal uids is 1000 - 60000.
   The default range for subordinate uids is 100000 - 600100000.

That leaves most of the uids between 600100000 and 4294967296 unclaimed,
while leaving enough that each user can have 10000 subordinate uids by
default.

Eric
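
Added example (not part of the original message or the pkg-shadow patch set): the two suggestions above, checked in Python by validating subordinate ranges and picking container ranges for root from the unclaimed area. It assumes the `name:start:count` line format of /etc/subuid, treats 600100000 as the inclusive end of the default subordinate range, and uses constructed entries, hypothetical container names and a hypothetical 65536 ids per container.

```python
# Added example: ranges are the defaults quoted in the message; entries are constructed.
NORMAL_UIDS = (1000, 60000)          # default normal uid range
SUB_DEFAULT = (100000, 600100000)    # default subordinate uid range
UID_LIMIT = 4294967296               # upper bound quoted in the message

SAMPLE_SUBUID = "alice:100000:10000\nbob:110000:10000\n"  # constructed

def parse_subuid(text):
    """Parse 'name:start:count' lines into (name, start, end_exclusive)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        name, start, count = fields[0], int(fields[1]), int(fields[2])
        if start < 0 or count <= 0 or start + count > UID_LIMIT:
            raise ValueError(f"line {lineno}: range outside 0..{UID_LIMIT}")
        entries.append((name, start, start + count))
    return entries

def conflicts(entries):
    """Return (name, other) pairs for ranges hitting normal uids or each other."""
    lo, hi = NORMAL_UIDS
    found = [(n, "normal-uids") for n, s, e in entries if s <= hi and e > lo]
    max_end, holder = 0, None
    for name, s, e in sorted(entries, key=lambda x: x[1]):
        if s < max_end:              # starts before an earlier range has ended
            found.append((name, holder))
        if e > max_end:
            max_end, holder = e, name
    return found

def allocate(entries, count, floor=SUB_DEFAULT[1] + 1):
    """First fit: lowest start >= floor with `count` free ids."""
    start = floor
    for _, s, e in sorted(entries, key=lambda x: x[1]):
        if e <= start:
            continue                 # range lies entirely below the candidate
        if s >= start + count:
            break                    # gap before this range is large enough
        start = e                    # candidate overlaps; move past this range
    if start + count > UID_LIMIT:
        raise OverflowError("no free range of that size")
    return start

if __name__ == "__main__":
    ranges = parse_subuid(SAMPLE_SUBUID)
    for ct in ("ct101", "ct102"):    # hypothetical container names
        start = allocate(ranges, 65536)
        ranges.append(("root", start, start + 65536))
        print(f"{ct}: root:{start}:65536")
    print("conflicts:", conflicts(ranges))
```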


