Unprivileged containers and co-ordinating user namespaces

Phil Estes estesp at gmail.com
Wed May 4 15:21:45 UTC 2016


Eric W. Biederman wrote:
> James Bottomley <James.Bottomley at HansenPartnership.com> writes:
>
>> On Thu, 2016-04-28 at 16:00 -0700, W. Trevor King wrote:
>>> On Thu, Apr 28, 2016 at 03:02:08PM -0700, James Bottomley wrote:
>>>> /etc/usernamespaces
>>>>
>>>> and the format be :::
>>>>
>>>>>>>>
>>>> If this sounds OK to people, I can code up a utility that does this,
>>>> which should probably belong in util-linux.
>>> This sounds a lot like shadow's newuidmap and newgidmap [1,2,3].
>>>
>>> Cheers,
>>> Trevor
>>>
>>> [1]: https://github.com/shadow-maint/shadow/commit/673c2a6f9aa6c69588f4c1be08589b8d3475a520
>>> [2]: http://man7.org/linux/man-pages/man1/newuidmap.1.html
>>> [3]: http://man7.org/linux/man-pages/man5/subuid.5.html
>> I think that mostly works.  No-one's packaging it yet, which is why I
>> didn't notice.  It also looks like the build dependencies have vastly
>> expanded, so I can't get it to build in the build service yet.
>
> Both Fedora and Ubuntu should be packaging it.  Further Docker should
> already be using these files.
Yes, based on our discussion in the PRs when user namespaces 
capabilities were added to Docker, we respect the /etc/sub{u,g}id files 
for sourcing mappings for userns-confined processes.

- Phil
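As an added illustration (not code from this thread, from Docker or from shadow), here is a small Python parser for the subuid(5) `owner:start:count` format that derives the uid_map lines a user-namespace remap would build from an owner's delegated ranges and flags overlapping delegations; the file contents, owner names and ranges are constructed.

```python
# Constructed sample of /etc/subuid (subuid(5) format: owner:start:count).
SAMPLE_SUBUID = """\
# subordinate uid ranges delegated to local users
alice:100000:65536
bob:165536:65536
alice:300000:1000
"""

def parse_subids(text):
    """Parse subuid/subgid text into (owner, start, count) tuples."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
            raise ValueError(f"line {lineno}: expected owner:start:count, got {raw!r}")
        owner, start, count = parts[0], int(parts[1]), int(parts[2])
        # A range starting at 0 would delegate the host's real root uid.
        if start == 0 or count == 0:
            raise ValueError(f"line {lineno}: start and count must be non-zero")
        ranges.append((owner, start, count))
    return ranges

def build_id_map(ranges, owner):
    """Return uid_map-style lines 'inside outside length' for one owner.
    Container id 0 lands on the owner's first subordinate range and any
    further ranges are appended contiguously after it."""
    lines, inside = [], 0
    for who, start, count in ranges:
        if who == owner:
            lines.append(f"{inside} {start} {count}")
            inside += count
    return lines

def find_overlaps(ranges):
    """Return (owner_a, owner_b) pairs whose host id ranges intersect;
    two owners sharing host ids is a misconfiguration to flag."""
    ordered = sorted(ranges, key=lambda r: r[1])
    hits = []
    for (a, a_start, a_count), (b, b_start, _) in zip(ordered, ordered[1:]):
        if b_start < a_start + a_count:
            hits.append((a, b))
    return hits

if __name__ == "__main__":
    parsed = parse_subids(SAMPLE_SUBUID)
    print("\n".join(build_id_map(parsed, "alice")))
    print("overlaps:", find_overlaps(parsed))
```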

