[Pkg-shadow-devel] [test] newuidmap/newgidmap

Serge Hallyn serge.hallyn at ubuntu.com
Tue Jun 3 18:52:57 UTC 2014

Quoting Philippe Grégoire (gregoirep at hotmail.com):
> TLDR; no easy solution. Either the /etc/subuid is in the kernel and we remove
> the file. Or newuidmap reflects the kernel, and they must be kept in sync.

Allowed subuids represent policy which as much as possible belongs in
userspace, not the kernel.

> I had to play with it because lxc is broken on Debian, and Ubuntu. Quickly, I
> can create a container as a unprivileged user but running it produces:
>   'Error creating container whatever'

serge at sergelap:~$ lxc-usernsexec
# id
uid=0(root) gid=0(root) groups=0(root)

> which is, quite frankly, purely unsatisfying. What am I expected to do with that
> error message? What am I suppose to investigate? Also, why would cgroups be
> mandatory? etc. But that is another topic; and I am no longer interested in lxc
> (version 1.x? -- please...).

> Also, I yet have to see an official user_namespaces(7) (which newuidmap(1)
> refers to) which would probably instruct how to use uid_map.

I already owe Michael a cgroups(7) manpage (in progress).  I'm certain there
is a namespaces(7) man page in progress, but I'll see if I can help out with


More information about the Pkg-shadow-devel mailing list