Why not.
But can you be more precise on what part will be containerized?
From "man 2 unshare" I get:
CLONE_FILES
CLONE_FS
CLONE_NEWIPC (since Linux 2.6.19)
CLONE_NEWNET (since Linux 2.6.24)
CLONE_NEWNS
CLONE_NEWUTS (since Linux 2.6.19)
CLONE_SYSVSEM (since Linux 2.6.26)
Best regards
José
On Wed, 2014-04-16 at 13:42 +0200, Jacek Pielaszkiewicz wrote:
> Hi,
>
>
> Together with my team I'm working on containers in TIZEN. Regarding
> the open discussion about multi-user support, I would like to share our
> proposal and show how we imagine multi-user support in containers.
>
> Our assumptions are:
>
> 1. We assumed that any application/service located in a container will be
> able to access services located on the host or in other containers.
>
> This implies that there must exist in the system a global service (Cynara)
> that will control the security policy for the whole system.
>
> 2. Cynara will control security policies both for services located directly
> on the host and for those in containers.
>
> Containers will not have their own Cynara instance. We don't see any benefits
> in that. It will only complicate the solution, because some security rules
> will have to be applied on the host anyway (a container must have access to
> some services located directly on the host or in other containers).
>
> All containers must share common IPC to allow container services to
> communicate with the global Cynara instance.
>
> 3. We assumed that new users can be created on the host and in containers as
> well. Containers and the host will have a dedicated service to manage users
> (for example gumd).
>
> A user creation/update in a container will trigger the creation/update of
> the corresponding user on the host.
>
> User management services on the host and in containers will have to populate
> security policies into Cynara (in case of user creation/update).
>
> 4. The installer (responsible for setting up new and removing existing
> applications) will have to populate the security policies required by the
> application into Cynara.
>
> 5. Cynara identifies security policies by user id. Therefore all users on
> the system (on the host and in containers) will have to have unique ids. This
> means that:
>
> - any user created in any container or on the host must be registered in
> Cynara;
>
> - any user in the system (on the host and in any container) must have a
> unique id;
>
> - in case "user namespaces" are not available or not used, any
> service/application running in a container that interacts with external
> services should not be run as the root user (UID = 0), because of the
> problem of how to distinguish "container root" from "host root";
>
> - in case "user namespaces" are available, all container user/group ids
> must be mapped into a unique range.
>
> The enclosed files show as examples two typical usage scenarios: service
> usage authorization and user creation. The examples show the cases from a
> container's perspective.
>
> I will be grateful for your opinions and comments.
>
> Best regards
>
>
> Jacek Pielaszkiewicz
> Samsung R&D Institute Poland
> Samsung Electronics
> Email: [email protected]
>
>
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.tizen.org/listinfo/dev
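Point 5 of the quoted proposal turns on two properties of user namespaces: whether a container's uid 0 is actually host uid 0, and whether two containers' id ranges collide on the host. The following script is an added example, not code from the thread or from Tizen; it parses maps in the `/proc/<pid>/uid_map` format documented in user_namespaces(7) (`inside-id outside-id count`), translates ids in both directions, flags the "container root equals host root" case, and reports containers whose host-side ranges overlap. The container names and the ranges in `SAMPLE_MAPS` are constructed for illustration and are not Tizen's configuration.

```python
"""Audit user-namespace uid maps for the uniqueness rule discussed above:
every container's ids must land in a host-side range that no other
container (and not the host itself) uses.

uid_map / gid_map line format, per user_namespaces(7):
    <id inside the namespace> <id outside the namespace> <count>
All sample maps below are constructed for illustration only."""
from typing import Dict, List, Optional, Tuple

MapEntry = Tuple[int, int, int]  # (inside_id, outside_id, count)


def parse_uid_map(text: str) -> List[MapEntry]:
    """Parse uid_map/gid_map text into (inside, outside, count) entries."""
    entries: List[MapEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # blank line
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        inside, outside, count = (int(f) for f in fields)
        if inside < 0 or outside < 0 or count <= 0:
            raise ValueError(f"line {lineno}: ids must be >= 0 and count > 0")
        entries.append((inside, outside, count))
    return entries


def to_host(entries: List[MapEntry], inside_uid: int) -> Optional[int]:
    """Translate a uid seen inside the namespace to the host uid (None if unmapped)."""
    for inside, outside, count in entries:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def to_container(entries: List[MapEntry], host_uid: int) -> Optional[int]:
    """Translate a host uid to the uid seen inside the namespace (None if unmapped)."""
    for inside, outside, count in entries:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def host_ranges(entries: List[MapEntry]) -> List[Tuple[int, int]]:
    """Inclusive [low, high] host-side ranges covered by a map."""
    return [(outside, outside + count - 1) for _, outside, count in entries]


def ranges_intersect(a: List[MapEntry], b: List[MapEntry]) -> bool:
    """True if any host-side range of map a overlaps any host-side range of map b."""
    return any(lo_a <= hi_b and lo_b <= hi_a
               for lo_a, hi_a in host_ranges(a)
               for lo_b, hi_b in host_ranges(b))


def find_overlaps(maps: Dict[str, List[MapEntry]]) -> List[Tuple[str, str]]:
    """Pairs of containers whose host-side uid ranges collide (breaks point 5)."""
    names = sorted(maps)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if ranges_intersect(maps[a], maps[b])]


def root_is_host_root(entries: List[MapEntry]) -> bool:
    """True when uid 0 inside the namespace is uid 0 on the host, i.e. the
    'container root' vs 'host root' ambiguity the proposal warns about."""
    return to_host(entries, 0) == 0


# Constructed sample: three containers plus one process without a user
# namespace (the identity map that the initial namespace shows).
SAMPLE_MAPS: Dict[str, List[MapEntry]] = {
    "container-a": parse_uid_map("         0     100000      65536\n"),
    "container-b": parse_uid_map("0 165536 65536"),
    "container-c": parse_uid_map("0 100000 1000"),   # misconfigured: reuses a's range
    "no-userns":   parse_uid_map("0 0 4294967295"),  # identity map: shares every host id
}

if __name__ == "__main__":
    for name, entries in SAMPLE_MAPS.items():
        print(f"{name}: container uid 0 -> host uid {to_host(entries, 0)}, "
              f"root indistinguishable from host root: {root_is_host_root(entries)}")
    for a, b in find_overlaps(SAMPLE_MAPS):
        print(f"host uid ranges of {a} and {b} overlap")
```

Run against real systems by feeding `parse_uid_map` the contents of `/proc/<pid>/uid_map` for one process per container; the identity map of a process that never entered a user namespace overlaps every other container, which is exactly why the proposal wants such services not to run as UID 0.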