Chris Webb writes:
> Prompted by the new userns support merged in the 3.8/3.9 kernels, I've been
> playing with namespaces and trying to understand how I could use them to
> build containers to replace some of my uses of qemu-kvm virtual machines.
I now have most things working as I'd want and a
"Eric W. Biederman" writes:
> It is a wider issue. Capabilities cover most of the places in the kernel
> where the kernel tests if you have privilege but there are other
> filesystems like devtmpfs, and the occasional silly piece of kernel
> code that should be using capabilities but is not. Beyond
Chris Webb writes:
> "Eric W. Biederman" writes:
>
>> Hmm. I guess it depends on how your VM is reading them. If it is
>> block-based access to the filesystem you have a problem. If the VM
>> is effectively NFS mounting the filesystem you can do all kinds of
>> things.
>>
>> It is possibl
"Eric W. Biederman" writes:
> Hmm. I guess it depends on how your VM is reading them. If it is
> block-based access to the filesystem you have a problem. If the VM
> is effectively NFS mounting the filesystem you can do all kinds of
> things.
>
> It is possible to just change the user name
oping for in practice is to be able to create containers
> whose access to its filesystem subtree is untranslated, i.e. uid/gid N in
> the container maps to uid/gid N in a subdirectory of the filesystem, but
> which is still isolated from the rest of the host filesystem and can't do
> ext
Chris Webb writes:
> "Eric W. Biederman" writes:
>
>> That will work, but you really don't want to run with uid == 0 mapped to
>> uid == 0. There are too many things in /proc and /sys and similar that
>> grant access to uid == 0.
>
> Many thanks for the swift reply. If I map UID zero in the use
"Eric W. Biederman" writes:
> That will work, but you really don't want to run with uid == 0 mapped to
> uid == 0. There are too many things in /proc and /sys and similar that
> grant access to uid == 0.
Many thanks for the swift reply. If I map UID zero in the userns to a
non-zero UID outside
its filesystem subtree is untranslated, i.e. uid/gid N in
the container maps to uid/gid N in a subdirectory of the filesystem, but
which is still isolated from the rest of the host filesystem and can't do
externally privileged things. This is pretty much what a BSD jail provides,
for example.
>
> To build a virtual network device requires code for the device, code
> for routing the device in the kernel, some way to tell the router that
> this machine is hosted through the host machine's ethernet card, and
> control of which processes use which network devices.
>
I've bombed out. I
Quoting Serge E. Hallyn ([EMAIL PROTECTED])
>Quoting Joshua Hudson ([EMAIL PROTECTED]):
> Why would you want a virtual network device implementation? The whole
>
>So that a jailed process can use the net but can't use your network
>address (intercept ssh, imap/stunnel, etc).
[snip]
>But in the en
All right, I'll see what I can come up with. This is quite a tall order.
1. A mechanism for creating virtual network interfaces
2. A mechanism for restricting binding to certain network interfaces
3. A mechanism for binding certain network interfaces.
4. The jail code itself
Much of the work is al
Quoting Joshua Hudson ([EMAIL PROTECTED]):
> Why would you want a virtual network device implementation? The whole
So that a jailed process can use the net but can't use your network
address (intercept ssh, imap/stunnel, etc).
> I do like the idea of patching in through LSM, however not everythin
On 8/13/05, Serge E. Hallyn <[EMAIL PROTECTED]> wrote:
> The latest version (which is still quite old) is at
> http://www.sf.net/projects/linuxjail and does have ipv6 support. The last
> time I submitted it, Christoph had objected to the way the networking was
> done in general. I've tried twice
Quoting Joshua Hudson ([EMAIL PROTECTED]):
> I had been wanting this functionality myself, but for some reason it never
> found its way into the stock kernel. I looked around, started coding, looked
> some more, coded some more, looked some more until I found this:
>
> http://kerneltrap.org/
y the BSD jail(2) call, but did it without breaking programs that depend on
chroot escapes working (there are a few).
I am currently about a third of the way to completion. This means that I will
finish unless some other mechanism is provided before I do. I personally don't
care if my patch i