Prompted by the merge of support for user namespaces in recent kernels, I've
written a couple of simple standalone tools that use them together with
mount, PID and other namespaces to implement containers.
I've put these utilities up here in case they're of use to anyone else, and
also as demonstr

Prompted by the new userns support merged in the 3.8/3.9 kernels, I've been
playing with namespaces and trying to understand how I could use them to
build containers to replace some of my uses of qemu-kvm virtual machines.
I've successfully created a fakeroot-type container running as an
unprivile

"Eric W. Biederman" writes:
> That will work, but you really don't want to run with uid == 0 mapped to
> uid == 0. There are too many things in /proc and /sys and similar that
> grant access to uid == 0.
Many thanks for the swift reply. If I map UID zero in the userns to a
non-zero UID outside

"Eric W. Biederman" writes:
> Hmm. I guess it depends on how your VM is reading them. If it is
> blocked based access to the filesystem you have a problem. If the VM
> is effectively NFS mounting the filesystem you can do all kinds of
> things.
>
> It is possible to just change the user name

"Eric W. Biederman" writes:
> It is a wider issue. Capabilities cover most of the places in the kernel
> where the kernel tests if you have privilege but there are other
> filesystems like devtmpfs, and the occasional silly piece of kernel
> code that should be using capabilities but is not. Beyond

Chris Webb writes:
> Prompted by the new userns support merged in the 3.8/3.9 kernels, I've been
> playing with namespaces and trying to understand how I could use them to
> build containers to replace some of my uses of qemu-kvm virtual machines.
I now have most things working a

Eric Dumazet writes:
> Have you read firmware/README.AddingFirmware ?
I hadn't, but now I have, and if firmware upgrades are considered 'adding
new firmware', I agree this patch is wrong, and should have just removed the
obsolete bnx2-mips-09-6.2.1a file that is no longer used by the bnx2 driver