First I want to say that I didn't test this feature myself up to now. But
from reading the list, I have questions.
For me, the main use cases of the user namespace feature seem to be:
a) to "shift" the container's root user - a security driven term ("jailbreaking")
b) to "shift" the container's "other users" - a privacy driven term ("data
separation")
With my bad English, I have no better words for this. The first one might be
advisable for many scenarios; the second one is a good instrument if a set of
containers is offered as a service to independent subadministrators.
>From my understanding, from the kernel's point of view -- which is also the
>host's point of view -- the user namespace feature is a uid/gid translation for
>an assigned process (and its children). With an appropriate rule, particularly
>the container taskset's user 0/0 will act "in reality" as the user n/m. Or
>maybe it is even better to imagine that the taskset will be flamed to see n/m as
>0/0.
Now, what I want to ask:
* The container may have access to shared/outer-world resources. What happens
with uid/gids that are unmapped by the rule? *Are* they passed unmapped, what one may call
"transparent"? Or are they mapped to "nobody"?
* What will happen in the use case "real device reach-through" and similar, e.g.
if one wants to provide not a veth but a dedicated physical network adapter. Or,
maybe more common, a video card. Will the container root user have "root
privileges" on it? Or is it necessary to grant these privileges to the uid/gid
n/m on the host, too?
* What will happen in the use case "NFS v3 client". Here, the NFS server locally
uses the uid/gid transmitted from the client. Must one mount the NFS source on the
host and bind-mount it into the container to conserve the user namespace mapping?
On the other hand, will an NFS mount inside the container skip this mapping?
* What will happen in the use case "NFS v4 client". Here, there is the idmap
framework which will use user/group names instead of the uid/gid numbers.
Again, I wonder what happens in both cases.
Guido
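As an added illustration (not part of Guido's mail or of LXC's code), the following models the uid/gid translation the kernel applies from a namespace's uid_map: a constructed map shifts container root to host uid 100000, host ids that fall outside every map entry are shown inside the namespace as the overflow id (65534, "nobody" by default), and the container's uid 0 is nothing more than host uid 100000 on a bind-mounted or shared resource. The map text and the ids are made up for the example.

```python
# Default kernel overflow id (/proc/sys/kernel/overflowuid). A host id with no
# entry in the namespace's uid_map is presented inside the namespace as this id.
OVERFLOW_ID = 65534

# Constructed uid_map in the kernel's /proc/<pid>/uid_map format:
#   <id inside namespace> <id in parent namespace> <length>
# Container uid 0 is host uid 100000; container uids 1..65535 are host
# uids 100001..165535. Host uid 0 and uids >= 165536 are unmapped.
SAMPLE_UID_MAP = """\
0 100000 1
1 100001 65535
"""


def parse_id_map(text):
    """Parse uid_map/gid_map text into a list of (inside, outside, count)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed id map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError("id map count must be positive: %r" % line)
        entries.append((inside, outside, count))
    return entries


def to_host(id_map, inside_id):
    """Host id behind an id the container sees; None if the container cannot use it."""
    for inside, outside, count in id_map:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def to_container(id_map, host_id):
    """What the container sees for a host id; unmapped ids collapse to OVERFLOW_ID."""
    for inside, outside, count in id_map:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID


if __name__ == "__main__":
    m = parse_id_map(SAMPLE_UID_MAP)
    print("container root is host uid", to_host(m, 0))       # 100000
    print("host root appears inside as", to_container(m, 0))  # 65534 (nobody)
```

Because container root maps to an ordinary host uid, a host file owned by host uid 0 is not writable by it and shows up as "nobody"; on a shared NFS export the server would likewise see the host-side id 100000, not 0.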
_______________________________________________
Lxc-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lxc-devel