First I want to say that I didn't test this feature myself up to now. But
from reading the list, I have questions.

For me, the main use cases of the user namespace feature seem to be:

a) to "shift" the container's root user - a security-driven term ("jailbreaking")
b) to "shift" the container's "other users" - a privacy-driven term ("data
separation")

With my bad English, I have no better words for this. The first one might be
advisable for many scenarios; the second one is a good instrument if a set of
containers is offered as a service to independent sub-administrators.


From my understanding, from the kernel's point of view -- which is also the
host's point of view -- the user namespace feature is a uid/gid translation for
an assigned process (and its children). With an appropriate rule, particularly
the container taskset's user 0/0 will act "in reality" as the user n/m. Or
maybe it is even better to imagine that the taskset will be fooled into seeing
n/m as 0/0.

Now, what I want to ask:

* The container may have access to shared/outer-world resources. What happens
with uid/gids that are unmapped by the rule? *Are* they passed unmapped, what one
may call "transparent"? Or are they mapped to "nobody"?

* What will happen in the use case "real device pass-through" and similar, e.g.
if one wants to provide not a veth but a dedicated physical network adapter. Or,
maybe more common, a video card. Will the container root user have "root
privileges" on it? Or is it necessary to grant these privileges to the uid/gid
n/m on the host, too?

* What will happen in the use case "NFS v3 client"? Here, the NFS server locally
uses the uid/gid transmitted from the client. Must one mount the NFS source on the
host and bind-mount it into the container to conserve the user namespace mapping?
On the other hand, will an NFS mount inside the container skip this mapping?

* What will happen in the use case "NFS v4 client"? Here, there is the idmap
framework, which uses user/group names instead of the uid/gid numbers.
Again, I wonder what happens in both cases.


Guido

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
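Added example, not part of Guido's mail or of the LXC project: a small C program that models the uid/gid translation the kernel applies from a uid_map/gid_map line (the "0/0 acts as n/m" picture above, and the first question about unmapped ids), and then actually creates an unprivileged user namespace mapping the caller's own uid/gid to 0/0. The map `0 100000 65536` is a constructed sample; `OVERFLOW_ID` is the kernel's default overflowuid/overflowgid (65534), which is what an id with no mapping is shown as.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One line of /proc/<pid>/uid_map or gid_map: "inside outside count". */
struct id_extent {
    uint32_t inside;   /* first id as seen inside the namespace */
    uint32_t outside;  /* first id as seen by the kernel / the host */
    uint32_t count;    /* length of the contiguous range */
};

/* Ids with no mapping are presented as the kernel overflow id
 * (/proc/sys/kernel/overflowuid, 65534 = "nobody" by default). */
#define OVERFLOW_ID 65534u

/* Constructed sample map: the usual LXC-style "0 100000 65536" line. */
static const struct id_extent DEMO_MAP[] = { { 0, 100000, 65536 } };
#define DEMO_MAP_LEN (sizeof DEMO_MAP / sizeof DEMO_MAP[0])

/* Namespace id -> host id (what the kernel records when the container creates a file). */
uint32_t map_inside_to_host(const struct id_extent *map, size_t n, uint32_t inside)
{
    for (size_t i = 0; i < n; i++)
        if (inside >= map[i].inside && inside - map[i].inside < map[i].count)
            return map[i].outside + (inside - map[i].inside);
    return OVERFLOW_ID;
}

/* Host id -> namespace id (what the container sees in stat() on a host-owned file). */
uint32_t map_host_to_inside(const struct id_extent *map, size_t n, uint32_t host)
{
    for (size_t i = 0; i < n; i++)
        if (host >= map[i].outside && host - map[i].outside < map[i].count)
            return map[i].inside + (host - map[i].outside);
    return OVERFLOW_ID;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    return w == (ssize_t)strlen(text) ? 0 : -1;
}

/* Live demonstration: map our own host uid/gid to 0/0 in a fresh user namespace. */
int main(void)
{
    uid_t host_uid = geteuid();
    gid_t host_gid = getegid();
    char line[64];
    struct stat st;

    printf("table: inside 1000 -> host %u, host 0 -> inside %u\n",
           (unsigned)map_inside_to_host(DEMO_MAP, DEMO_MAP_LEN, 1000),
           (unsigned)map_host_to_inside(DEMO_MAP, DEMO_MAP_LEN, 0));

    if (unshare(CLONE_NEWUSER) != 0) {
        perror("unshare(CLONE_NEWUSER)");
        return 1;
    }
    /* Since Linux 3.19 an unprivileged process must deny setgroups before writing gid_map. */
    (void)write_file("/proc/self/setgroups", "deny");
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)host_uid);
    if (write_file("/proc/self/uid_map", line) != 0) { perror("uid_map"); return 1; }
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)host_gid);
    if (write_file("/proc/self/gid_map", line) != 0) { perror("gid_map"); return 1; }

    printf("inside namespace: getuid()=%u (host uid %u)\n",
           (unsigned)getuid(), (unsigned)host_uid);
    if (stat("/", &st) == 0)
        printf("owner of / as seen inside: uid %u (host root is %s)\n", (unsigned)st.st_uid,
               host_uid == 0 ? "mapped to 0" : "unmapped, so shown as the overflow id");
    return 0;
}
```

Build with `gcc -o nsdemo nsdemo.c` and run as an ordinary user; with only a single-id map, `/` (owned by host uid 0) shows up as 65534 inside, which is the "mapped to nobody" behaviour rather than a transparent pass-through, and a process inside the namespace cannot chown a file to an id that has no mapping.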