On Wed, Nov 13, 2013 at 3:41 PM, Daniel P. Berrange <berra...@redhat.com>wrote:
> On Wed, Nov 13, 2013 at 11:13:15AM +0530, Saurabh Deochake wrote:
> > Hi all,
> >
> > I'm trying to restrict privileges of "root" user inside the container. I
> > came across this "idmap" element of Libvirt Domain XML file.
> >
> > <idmap>
> > <uid start='0' target='1000' count='10'/>
> > <gid start='0' target='1000' count='10'/>
> > </idmap>
> >
> > This says that user with uid 0 in the container is mapped to user with
> > uid 1000 on the host.
> >
> > I checked if it works, I created a file with root user inside the
> > container and checked uid of the file. Inside the container I get uid of
> > file as 0 and even on host I get the same uid as 0 instead of 1000.
>
> NB, libvirt related questions should really be directed to the libvirt
> users mailing list. The libvirt code is completely different to the sf.net
> LXC tool so it's not appropriate to ask the latter's developers for help
> with something they didn't write :-)
>
> http://libvirt.org/contact.html#email
> https://www.redhat.com/mailman/listinfo/libvirt-users
I'm sorry. I did not intend to spam this mailing list with Libvirt related
stuff but I was explaining the steps I followed to get user namespace
working. :)
>
>
> > Later I checked the output of "lxc-checkconfig". Output was:
> >
> > --- Namespaces ---
> > Namespaces: enabled
> > Utsname namespace: enabled
> > Ipc namespace: enabled
> > Pid namespace: enabled
> > *User namespace: missing*
> > Network namespace: enabled
> > Multiple /dev/pts instances: enabled
> >
> > Here it shows that User namespace support is missing. I tried to check
> > for Namespaces Support in kernel menuconfig. It has support for following
> > namespaces only:
> >
> > --- Namespaces support
> > [*] UTS namespace
> > [*] IPC namespace
> > [*] PID Namespaces
> > [*] Network namespace
> >
> > There is no User Namespace support.
> >
> > How should I get this user namespace working on my system?
>
> I don't know where it is in the menu, but you need to have
> CONFIG_USER_NS variable set in the resulting kernel config
> file
>
> >
> > The link says that User Namespace feature has already been implemented
> > in *kernel 3.9.*
> > Reference Link: https://lwn.net/Articles/532593/
> >
> > My system details are as follow:
> > OS: Fedora 19
> > *Kernel: 3.9.5*
> >
> > Please help me out getting user namespace working on my system.
>
> For a start I think you should update to the current Fedora 19
> kernels which are version 3.11.6. Then I'd suggest taking the
> Fedora kernel src.rpm and just setting the CONFIG_USER_NS var
> in its config file, rather than trying to navigate the menus.
>
> We're not supporting user namespaces in Fedora until at least
> Fedora 21, since we don't consider the implementation sufficiently
> mature / secure to enable it sooner.
>
Oh, okay. Thanks a lot for your help.
Regards,
Saurabh Deochake.
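The uid mapping this thread is chasing, shown end to end as an added example (written for this page; it is not code from the original post, from libvirt or from LXC). A parent process plays the host side and writes the child's /proc/<pid>/uid_map and gid_map, which is what the <idmap> element boils down to; the child plays the container's root, creates a file, and both sides report who owns it. Assumptions: Linux, an unprivileged user, a writable /tmp, and a kernel built with CONFIG_USER_NS. Run as uid 1000 the file shows owner 0 inside the namespace and owner 1000 on the host, the result the original poster expected but did not get. The mapping installed here is the single-uid, count=1 one an unprivileged writer is allowed to install; the count='10' range in the libvirt XML needs CAP_SETUID on the host. On a kernel built without CONFIG_USER_NS, unshare(CLONE_NEWUSER) fails with EINVAL, the runtime counterpart of the "User namespace: missing" line from lxc-checkconfig; EPERM means a sandbox or policy is blocking it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* One user-namespace round trip: rc is 0 or -errno; the uids show the same
 * file from inside the namespace and from the host. */
struct userns_result {
    int   rc;
    uid_t host_uid;   /* our uid outside the namespace (the idmap "target") */
    uid_t inner_uid;  /* geteuid() inside the namespace, expected 0 */
    uid_t file_inner; /* owner of the created file as seen inside, expected 0 */
    uid_t file_host;  /* owner of the same file as seen on the host, expected host_uid */
};

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Host side: map uid/gid 0 of the child's namespace onto our own ids, the
 * only mapping an unprivileged writer may install (count 1, its own uid). */
static int map_child_to_self(pid_t pid, uid_t uid, gid_t gid) {
    char path[64], line[64];
    int rc;
    snprintf(path, sizeof path, "/proc/%d/setgroups", (int)pid);
    rc = write_file(path, "deny");        /* required before gid_map since 3.19 */
    if (rc && rc != -ENOENT) return rc;   /* ENOENT: older kernel, no setgroups file */
    snprintf(path, sizeof path, "/proc/%d/uid_map", (int)pid);
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)uid);
    if ((rc = write_file(path, line))) return rc;
    snprintf(path, sizeof path, "/proc/%d/gid_map", (int)pid);
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)gid);
    return write_file(path, line);
}

struct userns_result run_userns_demo(void) {
    struct userns_result res = { .rc = 0, .host_uid = geteuid() };
    char dir[] = "/tmp/userns-demo-XXXXXX", file[64];   /* assumes /tmp is writable */
    int up[2], down[2], err;
    uid_t report[2];
    struct stat st;

    signal(SIGPIPE, SIG_IGN);
    if (!mkdtemp(dir)) { res.rc = -errno; return res; }
    snprintf(file, sizeof file, "%s/made-by-root", dir);
    if (pipe(up) || pipe(down)) { res.rc = -errno; rmdir(dir); return res; }
    pid_t pid = fork();
    if (pid < 0) { res.rc = -errno; rmdir(dir); return res; }

    if (pid == 0) {   /* "container init": new user namespace, then wait for the map */
        close(up[1]); close(down[0]);
        err = unshare(CLONE_NEWUSER) ? errno : 0;
        if (write(down[1], &err, sizeof err) != sizeof err || err) _exit(1);
        if (read(up[0], &err, sizeof err) != sizeof err || err) _exit(1);
        report[0] = geteuid();                       /* 0 once the map is in place */
        int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
        if (fd < 0 || fstat(fd, &st)) _exit(1);
        report[1] = st.st_uid;                       /* the container's view of the owner */
        _exit(write(down[1], report, sizeof report) == sizeof report ? 0 : 1);
    }

    close(up[0]); close(down[1]);
    if (read(down[0], &err, sizeof err) != sizeof err) err = ECHILD;
    if (err == 0) {   /* child is parked inside its namespace; fill in its id map */
        err = -map_child_to_self(pid, res.host_uid, getegid());
        if (write(up[1], &err, sizeof err) != sizeof err && err == 0) err = EPIPE;
    }
    if (err == 0 && read(down[0], report, sizeof report) != sizeof report) err = ECHILD;
    if (err == 0 && stat(file, &st)) err = errno;    /* the host's view of the owner */
    close(up[1]); close(down[0]);
    waitpid(pid, NULL, 0);
    unlink(file); rmdir(dir);
    if (err) { res.rc = -err; return res; }
    res.inner_uid = report[0]; res.file_inner = report[1]; res.file_host = st.st_uid;
    return res;
}

/* 0: mapping behaved as expected; 1: user namespaces unavailable here
 * (EINVAL: kernel built without CONFIG_USER_NS; EPERM: blocked by policy;
 * EUSERS/ENOSPC: namespace limits); -1: namespace came up but the ids are wrong. */
int userns_demo_check(const struct userns_result *r) {
    if (r->rc != 0) return 1;
    return (r->inner_uid == 0 && r->file_inner == 0 && r->file_host == r->host_uid) ? 0 : -1;
}

int main(void) {
    struct userns_result r = run_userns_demo();
    if (r.rc) { fprintf(stderr, "user namespace unavailable: %s\n", strerror(-r.rc)); return 1; }
    printf("inside: euid=%u file owner=%u | host: file owner=%u\n",
           (unsigned)r.inner_uid, (unsigned)r.file_inner, (unsigned)r.file_host);
    return userns_demo_check(&r) == 0 ? 0 : 2;
}
```

The poster's symptom, a file owned by uid 0 on the host, is what this program prints when the map was never installed or the namespace was never entered, which is the state a kernel without CONFIG_USER_NS leaves you in; a quick static check before running anything is `zgrep CONFIG_USER_NS /proc/config.gz` or the same grep over /boot/config-$(uname -r).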
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users