On Wed, Nov 13, 2013 at 11:13:15AM +0530, Saurabh Deochake wrote:
> Hi all,
>
> I'm trying to restrict privileges of "root" user inside the container. I
> came across this "idmap" element of the Libvirt Domain XML file.
>
> <idmap>
>   <uid start='0' target='1000' count='10'/>
>   <gid start='0' target='1000' count='10'/>
> </idmap>
>
> This says that user with uid 0 in the container is mapped to user with uid
> 1000 on the host.
>
> I checked if it works: I created a file with root user inside the container
> and checked uid of the file. Inside the container I get uid of file as 0
> and even on host I get the same uid as 0 instead of 1000.
NB, libvirt related questions should really be directed to the libvirt users
mailing list. The libvirt code is completely different to the sf.net LXC tool
so it's not appropriate to ask the latter's developers for help with something
they didn't write :-)

  http://libvirt.org/contact.html#email
  https://www.redhat.com/mailman/listinfo/libvirt-users

> Later I checked the output of "lxc-checkconfig". Output was:
>
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> *User namespace: missing*
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
>
> Here it shows that User namespace support is missing. I tried to check for
> Namespaces Support in kernel menuconfig. It has support for the following
> namespaces only:
>
> --- Namespaces support
> [*] UTS namespace
> [*] IPC namespace
> [*] PID Namespaces
> [*] Network namespace
>
> There is no User Namespace support.
>
> How should I get this user namespace working on my system?

I don't know where it is in the menu, but you need to have the CONFIG_USER_NS
variable set in the resulting kernel config file.

> The link says that User Namespace feature has already been implemented
> in *kernel > 3.9.*
> Reference Link: https://lwn.net/Articles/532593/
>
> My system details are as follow:
> OS: Fedora 19
> *Kernel: 3.9.5*
>
> Please help me out getting user namespace working on my system.

For a start I think you should update to the current Fedora 19 kernels which
are version 3.11.6. Then I'd suggest taking the Fedora kernel src.rpm and just
setting the CONFIG_USER_NS var in its config file, rather than trying to
navigate the menus.

We're not supporting user namespaces in Fedora until at least Fedora 21, since
we don't consider the implementation sufficiently mature / secure to enable it
sooner.
Regards,
Daniel

[1] https://bugzilla.redhat.com/show_bug.cgi?id=917708

-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
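The two things the thread turns on are (a) whether the running kernel was built with CONFIG_USER_NS, which is what lxc-checkconfig's "User namespace: missing" line reports, and (b) what the libvirt <idmap> element is supposed to do once user namespaces exist: container uid 0 should appear on the host as uid 1000, uids 0..9 as 1000..1009, and anything outside the mapped range as the kernel's overflow id. The script below is an added example, not code from the thread, libvirt or the LXC project; it checks a kernel config file for CONFIG_USER_NS the way a defender verifying a host would, and computes the host-side uid for a given idmap range so the expected result of the poster's file-ownership test can be stated before running it. The sample config fragments are constructed; the overflow id 65534 is the kernel's default overflowuid and is assumed not to have been changed on the host.

```shell
#!/bin/sh
# Added example (not from the original thread or the projects discussed).
#
# has_user_ns CONFIG_FILE
#   prints "enabled" if the file contains CONFIG_USER_NS=y, else "missing".
#   Kconfig writes disabled options as "# CONFIG_USER_NS is not set", which
#   the anchored pattern deliberately does not match.
has_user_ns() {
    if grep -q '^CONFIG_USER_NS=y$' "$1"; then
        echo enabled
    else
        echo missing
    fi
}

# map_uid START TARGET COUNT UID
#   host uid that container uid UID maps to under
#   <uid start='START' target='TARGET' count='COUNT'/>.
#   Outside the range the kernel shows the overflow id (default 65534,
#   assumed unchanged here) rather than a real host user.
map_uid() {
    start=$1; target=$2; count=$3; uid=$4
    if [ "$uid" -ge "$start" ] && [ "$uid" -lt $((start + count)) ]; then
        echo $((target + uid - start))
    else
        echo 65534
    fi
}

# Constructed sample kernel config fragments (not real Fedora configs):
# one with user namespaces disabled, one with them enabled.
sample_dir=$(mktemp -d)
printf '%s\n' 'CONFIG_UTS_NS=y' 'CONFIG_IPC_NS=y' \
    '# CONFIG_USER_NS is not set' 'CONFIG_PID_NS=y' \
    > "$sample_dir/config-missing"
printf '%s\n' 'CONFIG_UTS_NS=y' 'CONFIG_USER_NS=y' \
    > "$sample_dir/config-enabled"

# Same check against the running kernel, when its config is shipped in /boot.
live_config="/boot/config-$(uname -r)"
if [ -r "$live_config" ]; then
    echo "running kernel: user namespaces $(has_user_ns "$live_config")"
fi

echo "sample config-missing: $(has_user_ns "$sample_dir/config-missing")"
echo "sample config-enabled: $(has_user_ns "$sample_dir/config-enabled")"

# With the idmap from the thread (start=0 target=1000 count=10), a file
# created by root inside the container should be owned by host uid 1000.
echo "container uid 0  -> host uid $(map_uid 0 1000 10 0)"
echo "container uid 9  -> host uid $(map_uid 0 1000 10 9)"
echo "container uid 10 -> host uid $(map_uid 0 1000 10 10)"
```

If has_user_ns reports "missing" for the running kernel, the idmap cannot take effect regardless of what the domain XML says, which is consistent with the poster seeing uid 0 on the host; once it reports "enabled", the file-ownership check should show the value map_uid prints.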