[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces
Eric W. Biederman
ebiederm at xmission.com
Tue Feb 26 01:03:34 UTC 2013
Glauber Costa <glommer at parallels.com> writes:
> Well, the main problem is that I don't talk on behalf of any distro. We
> distribute OpenVZ, and would like to create containers such that each
> container has its own user range - all that without having the
> containers users conflicting with users created by useradd's normal
> operation.
>
> I am *hoping* that by selecting ranges high enough I will avoid
> conflicts at least in the beginning, but it is a bit of guesswork.

Two suggestions.

1) Use /etc/subuid even if the distro doesn't yet.
   Where in your case you reserve the subordinate uids for root.

2) The default range for normal uids is 1000 - 60000.
   The default range for subordinate uids is 100000 - 600100000.

   That leaves most of the uids between 600100000 and 4294967296 unclaimed,
   while leaving enough that each user can have 10000 subordinate uids by
   default.

Eric
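
Added example, not part of the message above and not code from the shadow project: a small audit of /etc/subuid-style entries (owner:start:count) that flags subordinate ranges colliding with the normal uid range quoted in the message or with each other. The sample entries, including the block reserved for root, are constructed, and the function names are hypothetical.

```python
NORMAL_UIDS = (1000, 60000)  # default normal uid range quoted in the message
UID_LIMIT = 2**32            # uids are 32-bit values

# Constructed sample: root reserves a block for containers; carol's block
# was hand-edited and overlaps alice's and bob's.
SAMPLE_SUBUID = """\
root:700000000:655360
alice:100000:10000
bob:110000:10000
carol:105000:10000
"""

def parse_subuid(text):
    """Parse owner:start:count lines into (owner, first, last) tuples."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count")
        owner, start, count = fields[0], int(fields[1]), int(fields[2])
        if start < 0 or count < 1 or start + count > UID_LIMIT:
            raise ValueError(f"line {lineno}: range outside the uid space")
        ranges.append((owner, start, start + count - 1))
    return ranges

def find_conflicts(ranges, normal=NORMAL_UIDS):
    """Return (owner, other) pairs for ranges that collide with the normal
    uid range or with an earlier-starting subordinate range."""
    conflicts = []
    ordered = sorted(ranges, key=lambda r: r[1])
    for owner, first, last in ordered:
        if first <= normal[1] and last >= normal[0]:
            conflicts.append((owner, "normal-uids"))
    reach = None  # earlier range that extends furthest so far
    for cur in ordered:
        if reach is not None and cur[1] <= reach[2]:
            conflicts.append((reach[0], cur[0]))
        if reach is None or cur[2] > reach[2]:
            reach = cur
    return conflicts

if __name__ == "__main__":
    for a, b in find_conflicts(parse_subuid(SAMPLE_SUBUID)):
        print(f"overlap: {a} <-> {b}")
```

Running a check like this before handing a range to a container catches the case where two owners would map the same host uid, which would let one container's users act on another's files.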