[Pkg-shadow-devel] [test] newuidmap/newgidmap
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Jun 3 18:52:57 UTC 2014
Quoting Philippe Grégoire (gregoirep at hotmail.com):
>
> TL;DR: no easy solution. Either the /etc/subuid is in the kernel and we remove
> the file. Or newuidmap reflects the kernel, and they must be kept in sync.
Allowed subuids represent policy which as much as possible belongs in
userspace, not the kernel.
> I had to play with it because lxc is broken on Debian, and Ubuntu. Quickly, I
> can create a container as an unprivileged user but running it produces:
>
> 'Error creating container whatever'
serge at sergelap:~$ lxc-usernsexec
# id
uid=0(root) gid=0(root) groups=0(root)
> which is, quite frankly, purely unsatisfying. What am I expected to do with that
> error message? What am I supposed to investigate? Also, why would cgroups be
> mandatory? etc. But that is another topic; and I am no longer interested in lxc
> (version 1.x? -- please...).
...
> Also, I have yet to see an official user_namespaces(7) (which newuidmap(1)
> refers to) which would probably instruct how to use uid_map.
I already owe Michael a cgroups(7) manpage (in progress). I'm certain there
is a namespaces(7) man page in progress, but I'll see if I can help out with
it.
-serge
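The policy split discussed above, with the allowed subuid ranges kept in /etc/subuid in userspace and only the resulting mapping handed to the kernel via /proc/PID/uid_map, as an added Python example that is not code from this thread or from the shadow suite. The /etc/subuid content is constructed sample data, and the check is a simplification of what newuidmap does (the real tool also verifies the caller's rights over the target process); it shows the one decision that lives purely in userspace: whether the requested outside uid ranges fall inside the caller's allowed ranges, and whether the resulting extents are well-formed before they are written.

```python
"""Validate a requested uid_map against /etc/subuid-style policy.

Added example (not shadow's code). Policy lives in userspace: the kernel
never sees /etc/subuid, only the final 'inside outside count' extents.
"""
from dataclasses import dataclass

# Constructed sample /etc/subuid content, format is user:start:count.
SAMPLE_SUBUID = """\
# comments and blank lines are ignored
serge:100000:65536
alice:165536:65536
"""


@dataclass(frozen=True)
class Range:
    start: int
    count: int

    @property
    def end(self) -> int:
        """Exclusive upper bound of the range."""
        return self.start + self.count

    def contains(self, other: "Range") -> bool:
        return self.start <= other.start and other.end <= self.end

    def overlaps(self, other: "Range") -> bool:
        return self.start < other.end and other.start < self.end


def parse_subuid(text: str) -> dict:
    """Return {user: [Range, ...]} from /etc/subuid-style text."""
    allowed: dict = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"/etc/subuid line {lineno}: expected user:start:count")
        user, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"/etc/subuid line {lineno}: bad range {start}:{count}")
        allowed.setdefault(user, []).append(Range(start, count))
    return allowed


def build_uid_map(user: str, requests: list, allowed: dict) -> str:
    """Check newuidmap-style (inside, outside, count) triples for `user`.

    Every outside range must lie entirely within one range the policy grants
    the user, and neither inside nor outside extents may overlap each other.
    Returns the text that would be written to /proc/PID/uid_map.
    """
    granted = allowed.get(user, [])
    inside_seen: list = []
    outside_seen: list = []
    lines = []
    for inside, outside, count in requests:
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError("count must be positive and ids non-negative")
        inner, outer = Range(inside, count), Range(outside, count)
        # The policy decision: is this outside range granted to the caller?
        if not any(g.contains(outer) for g in granted):
            raise PermissionError(
                f"{user} may not map outside uids {outer.start}..{outer.end - 1}")
        # Well-formedness checks the kernel would also reject on write.
        if any(inner.overlaps(s) for s in inside_seen):
            raise ValueError("inside uid extents overlap")
        if any(outer.overlaps(s) for s in outside_seen):
            raise ValueError("outside uid extents overlap")
        inside_seen.append(inner)
        outside_seen.append(outer)
        lines.append(f"{inside} {outside} {count}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    policy = parse_subuid(SAMPLE_SUBUID)
    print(build_uid_map("serge", [(0, 100000, 65536)], policy), end="")
```

Because the range check is a pure function of the policy file and the request, changing who may map what is an edit to /etc/subuid and needs no kernel change, which is the point made above about keeping policy in userspace.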