Sponsored by Buddy.works, we've posted a pull request to integrate support for 
Linux User Namespaces into OpenZFS.
https://github.com/openzfs/zfs/pull/12263

Basically, this gives Linux nearly equivalent support for containers to what 
FreeBSD and illumos already have.
It allows a dataset and its children to be delegated to a container, so root 
within that container can create/control those datasets.

It is implemented in much the same way, using the existing INGLOBALZONE() 
checks, and implementing the same permissions model used on FreeBSD for jails.

What I am seeking feedback on is the command line interface:

     zfs zone usernsid filesystem
     zfs unzone usernsid filesystem

Compare this to what we have on FreeBSD:

     zfs jail jailid|jailname filesystem
     zfs unjail jailid|jailname filesystem

The only real difference is that user namespaces on Linux don't have a name per 
se, just a numeric identifier (and not a small one like jails).

So an example of using these commands looks like this:
As a user:


$ unshare -Um
$ zfs list
no datasets available
$ readlink /proc/$$/ns/user
user:[4026532291]

As root:
# zfs list
NAME                            ZONED  MOUNTPOINT
containers                      off    /containers
containers/host                 off    /containers/host
containers/host/child           off    /containers/host/child
containers/host/child/gchild    off    /containers/host/child/gchild
containers/unpriv               on     /unpriv
containers/unpriv/child         on     /unpriv/child
containers/unpriv/child/gchild  on     /unpriv/child/gchild
# zfs userns attach 4026532291 containers/unpriv

Then back to the user namespace, and now that sub-tree of datasets is visible 
to the container:
$ zfs list
NAME                             USED  AVAIL     REFER  MOUNTPOINT
containers                       129M  47.8G       24K  /containers
containers/unpriv                128M  47.8G       24K  /unpriv
containers/unpriv/child          128M  47.8G      128M  /unpriv/child

This has also been tested on Ubuntu 20.04 with LXD containers.


On Linux, we re-used the same (relative) IOCTL numbers that FreeBSD uses for 
jails, since they are the same functionality, and mutually exclusive of each 
other.

diff --git include/sys/fs/zfs.h include/sys/fs/zfs.h
index f9fd5cf676e2..60195058b259 100644
--- include/sys/fs/zfs.h
+++ include/sys/fs/zfs.h
@@ -1449,7 +1449,9 @@ typedef enum zfs_ioc {
        ZFS_IOC_EVENTS_SEEK,                    /* 0x83 (Linux) */
        ZFS_IOC_NEXTBOOT,                       /* 0x84 (FreeBSD) */
        ZFS_IOC_JAIL,                           /* 0x85 (FreeBSD) */
+       ZFS_IOC_USERNS_ATTACH = ZFS_IOC_JAIL,   /* 0x85 (Linux) */
        ZFS_IOC_UNJAIL,                         /* 0x86 (FreeBSD) */
+       ZFS_IOC_USERNS_DETACH = ZFS_IOC_UNJAIL, /* 0x86 (Linux) */
        ZFS_IOC_SET_BOOTENV,                    /* 0x87 */
        ZFS_IOC_GET_BOOTENV,                    /* 0x88 */
        ZFS_IOC_LAST
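
Review bot: The two added enumerators alias ZFS_IOC_JAIL (0x85) and ZFS_IOC_UNJAIL (0x86), and the only record that this is deliberate is the "(Linux)" / "(FreeBSD)" trailing comments, so nothing in the header stops both names being used in the same build. Since each pair shares one value, a switch over zfs_ioc that names both would hit duplicate case labels, and a handler table indexed by ioctl number has room for only one entry per slot. A short block comment above the pair stating that the aliasing is intentional and that the jail and user-namespace handlers are mutually exclusive per platform would make that explicit, or the aliases could be guarded by platform. The enum names also use USERNS_ATTACH/USERNS_DETACH while the proposed commands are zfs zone/unzone; using one term for both would make the ioctl easier to trace from the CLI.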

Does anyone have any objections? Or suggestions for a better way to handle the 
command line interface?

------------------------------------------
openzfs: openzfs-developer
Permalink: 
https://openzfs.topicbox.com/groups/developer/T846927c1f8e4a7d7-M159afe20f38dacc5e20eb396
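
The message above reads the namespace id by hand from `readlink /proc/$$/ns/user` before passing it to the zfs command. The following is an added example, not part of the original post or of the OpenZFS code: a shell helper that extracts and validates that id and checks that a target process really is in a different user namespace than the caller. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: resolve the user-namespace id of a process so it can be
# handed to the zfs command shown in the message. Function names are
# hypothetical and not part of OpenZFS.

# Parse the link text of /proc/<pid>/ns/user, e.g. "user:[4026532291]".
# Prints the numeric id; returns 1 for any other shape.
userns_id_from_link() {
    link=$1
    case $link in
        'user:['*']') ;;
        *) return 1 ;;
    esac
    id=${link#'user:['}
    id=${id%']'}
    # The id must be a non-empty run of decimal digits.
    case $id in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$id"
}

# Print the user-namespace id of a running process, given its pid.
userns_id_of_pid() {
    link=$(readlink "/proc/$1/ns/user") || return 1
    userns_id_from_link "$link"
}

# Return 0 only if the process is in a different user namespace than the
# caller, 1 if it shares the caller's namespace, 2 if either id cannot be
# read. Useful as a guard before delegating a dataset.
userns_differs_from_caller() {
    target=$(userns_id_of_pid "$1") || return 2
    mine=$(userns_id_of_pid "$$") || return 2
    [ "$target" != "$mine" ]
}
```

Run as root on the host, `userns_id_of_pid` with the pid of the unshared shell yields the number used in the attach step of the example session, and `userns_differs_from_caller` fails if that pid is still in the host's own user namespace.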