On Mon, Dec 29, 2014 at 2:34 PM, Lennart Poettering <lenn...@poettering.net> wrote:
> On Mon, 29.12.14 09:07, Matthias Urlichs (matth...@urlichs.de) wrote:
>
>> > On Sun, Dec 28, 2014 at 6:18 PM, Stéphane Graber
>> > <stephane.gra...@canonical.com> wrote:
>> > > My host system doesn't have nspawn so I can't easily test it this way,
>> > > but it was my understanding that nspawn didn't support user namespaces
>> > > and uid/gid mappings which is what I'm working with here.
>> >
>> > Indeed, that is not supported by nspawn (which explains why I cannot
>> > reproduce). I was able to reproduce using the userns_child_exec test
>> > program from [0], so I'll take a look.
>> >
>> Hmm. IMHO it would be reasonable to add a mapping option
>> ("--{user,group}map=inside:outside[:length]") to nspawn.
>
> I am open to adding support for this, but I think the allocation of
> the UID ranges should really happen automatically, and not be
> something the admin has to manually assign.
>
> Which means we'd enter dynamic UID allocation territory, and that
> opens a huge can of worms...

Would we not also need to support explicit assignment, in case someone
has a preexisting image they want to match in a specific way? In that
case we could start off without the dynamic allocation and add that
later.

It certainly would make testing a lot simpler if we had userns support
sooner rather than later (at least in the case of netlink it appears
to be quite a mess).

Cheers,

Tom
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel