First I want to say that I didn't test this feature myself up to now. But from reading the list, I have questions.
For me, the main use cases of the user namespace feature seem to be: a) to "shift" the container's root user - a security driven term ("jailbreaking"); b) to "shift" the container's "other users" - a privacy driven term ("data separation"). With my bad English, I have no better words for this. The first one might be advisable for many scenarios; the second one is a good instrument if a set of containers is offered as a service to independent sub-administrators.

From my understanding, from the kernel's point of view -- which is also the host's point of view -- the user namespace feature is a uid/gid translation for an assigned process (and its children). With an appropriate rule, particularly the container taskset's user 0/0 will act "in reality" as the user n/m. Or maybe it is even better to imagine that the taskset will be flamed to see n/m as 0/0.

Now, what I want to ask:

* The container may have access to shared/outer-world resources. What happens with by-rule unmapped uid/gids? *Are* they passed unmapped, what one may call "transparent"? Or are they mapped to "nobody"?
* What will happen in the use case "real device reach-through" and similar, e.g. if one wants to provide not a veth but a dedicated physical network adapter. Or, maybe more common, a video card. Will the container root user have "root privileges" on it? Or is it necessary to grant these privileges to the uid/gid n/m on the host, too?
* What will happen in the use case "NFS v3 client". Here, the NFS server locally uses the uid/gid transmitted from the client. Must one mount the NFS source on the host and bind-mount it into the container to conserve the user namespace mapping? On the other hand, will an NFS mount inside the container skip this mapping?
* What will happen in the use case "NFS v4 client". Here, there is the idmap framework which will use user/group names instead of the uid/gid numbers. Again, I wonder what happens in both cases.
Guido

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
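As an added illustration of the translation the post describes (this is a model written for this page, not LXC or kernel code), the following Python reproduces the arithmetic of a /proc/PID/uid_map extent ("inside outside count") in both directions: container id to host id, and host id (say, the owner of a file on a bind mount) to what the container sees. Host ids that fall outside every extent are not passed through transparently; the kernel presents them as the overflow id (65534 by default, the "nobody" id), and the container cannot chown or setuid to an unmapped id. The map used below is constructed for the example.

```python
from typing import List, Optional

# Kernel default for /proc/sys/kernel/overflowuid and overflowgid:
# the id shown inside a namespace for a host id that no extent covers.
OVERFLOW_ID = 65534


class IdRange:
    """One extent of a uid_map/gid_map: `count` ids starting at `inside`
    in the namespace correspond to `count` ids starting at `outside` on the host."""

    def __init__(self, inside: int, outside: int, count: int) -> None:
        if count <= 0:
            raise ValueError("extent length must be positive")
        self.inside, self.outside, self.count = inside, outside, count


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text: one 'inside outside count' triple per line."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(f) for f in line.split())
            ranges.append(IdRange(inside, outside, count))
    return ranges


def to_host(ranges: List[IdRange], inside_id: int) -> Optional[int]:
    """Id the kernel really acts with when the container uses `inside_id`.
    Returns None for an id the container cannot represent (setuid/chown fail)."""
    for r in ranges:
        if r.inside <= inside_id < r.inside + r.count:
            return r.outside + (inside_id - r.inside)
    return None


def to_container(ranges: List[IdRange], host_id: int) -> int:
    """What the container sees for a host-side id, e.g. a file owner on a bind mount.
    Unmapped host ids collapse to the overflow id ('nobody'), not to the raw number."""
    for r in ranges:
        if r.outside <= host_id < r.outside + r.count:
            return r.inside + (host_id - r.outside)
    return OVERFLOW_ID


# Constructed map: container root (0) is host uid 100000, 65536 ids long.
EXAMPLE_MAP = "0 100000 65536\n"
```

Under this map, a file owned by host root shows up inside the container as 65534, which is the "data separation" effect the post calls the second use case.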