User Namespaces LXC meeting

Last week we held an irc meeting to talk about user namespaces as they relate to lxc containers. The IRC log is posted at https://wiki.ubuntu.com/LxcUsernsIrcChat .

I had two goals for this meeting. The first was to make sure that lxc developers were familiar with user namespaces, so that as new patches started rolling in to accomodate user namespaces, more people might be inclined to review them – and spot my silly errors. The other was to discuss some design issues in the lxc code.

I began with some background on user namespaces, their design, motivation, and current status, topped off by a little demo on ec2. Then we proceeded to discuss future needed changes.

There are two terrific advantages to using user namespaces.

The first is that host resources are not subject to privilege in the container. That is, root in the container is not root on the host, and a fully privileged task in a container cannot exert any privilege over any resources which are not owned by the container. This advantage is fully realized right now when using lxc with a custom kernel, as per http://s3hh.wordpress.com/2012/10/31/full-ubuntu-container-confined-in-a-user-namespace. By the time raring is released, I hope for the stock raring lxc, with a custom kernel from ppa:ubuntu-lxc/kernels, to be usable in place of my personal ppa.

The second advantage of user namespaces is that they will allow unprivileged users to create and use containers. There are little things which will require privilege – like mapping userids into the container, and hooking the container’s network interface somehow into the host. Each of those can be enabled by small privileged helpers and configured in advance (and generically). So that, by 14.04 LTS, an unprivileged user should be able to safely, out of the box, do

lxc-create -t ubuntu -n r1
lxc-start -n r1

This should also be tremendously helpful for safer usage of juju with local provider.

The steps needed (or, at least, hopefully most of them) to get to that point are discussed in the meeting log above.

About these ads
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

4 Responses to User Namespaces LXC meeting

  1. kyhwana says:

    So did username spaces not make it into the 13.04 kernel? Will they be in 13.10?
    Is there any way to get username spaces working in 13.04?

    • s3hh says:

      They’re not in the 13.04 kernel. They are almost complete in 3.9 (which is the saucy kernel) with the biggest missing part being xfs support. You can get a working kernel for saucy from ppa:serge-hallyn/userns-natty right now. I intend to keep the working kernels in ppa:ubuntu-lxc/kernel, and will try to get them there by next week, built for both raring and saucy.

      • kyhwana says:

        Ahh excellent! Now I just need to find a VPS provider that allows custom built kernels :P

  2. Kyhwana says:

    Hmm, is this in the 3.10 kernel? Having trouble actually finding out if it is or not..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s