User Namespaces LXC meeting

Last week we held an irc meeting to talk about user namespaces as they relate to lxc containers. The IRC log is posted at https://wiki.ubuntu.com/LxcUsernsIrcChat .

I had two goals for this meeting. The first was to make sure that lxc developers were familiar with user namespaces, so that as new patches started rolling in to accommodate user namespaces, more people might be inclined to review them – and spot my silly errors. The other was to discuss some design issues in the lxc code.

I began with some background on user namespaces, their design, motivation, and current status, topped off by a little demo on ec2. Then we proceeded to discuss future needed changes.

There are two terrific advantages to using user namespaces.

The first is that host resources are not subject to privilege in the container. That is, root in the container is not root on the host, and a fully privileged task in a container cannot exert any privilege over any resources which are not owned by the container. This advantage is fully realized right now when using lxc with a custom kernel, as per https://s3hh.wordpress.com/2012/10/31/full-ubuntu-container-confined-in-a-user-namespace. By the time raring is released, I hope for the stock raring lxc, with a custom kernel from ppa:ubuntu-lxc/kernels, to be usable in place of my personal ppa.

The second advantage of user namespaces is that they will allow unprivileged users to create and use containers. There are little things which will require privilege – like mapping userids into the container, and hooking the container’s network interface somehow into the host. Each of those can be enabled by small privileged helpers and configured in advance (and generically). So that, by 14.04 LTS, an unprivileged user should be able to safely, out of the box, do

lxc-create -t ubuntu -n r1
lxc-start -n r1
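The two advantages above both come down to the kernel's uid mapping: a user namespace carries a table (exposed as /proc/PID/uid_map and gid_map, one "inside outside length" range per line) that translates ids seen inside the container to ids on the host, and any id with no entry appears as the overflow id (65534, "nobody") and can own nothing. The following is an added example, not code from the post or from lxc itself; it parses a constructed map of the kind a privileged helper would install for an unprivileged user and shows why container root is not host root, what an unmapped id turns into, and a check for the one mapping a defender never wants to see (a range that covers host uid 0). The sample map and the overflow value are assumptions documented in the code.

```python
"""Translate ids through a user-namespace uid_map (added example, not from the post).

The kernel's /proc/<pid>/uid_map format is one range per line:
    <first id inside the namespace> <first id on the host> <range length>
Ids with no mapping are presented as the overflow id (65534 by default,
see /proc/sys/kernel/overflowuid) and cannot own files or be switched to.
"""
from typing import List, Tuple

Range = Tuple[int, int, int]  # (inside, outside, length)

# Constructed sample, not read from a live system: container uids 0..65535
# become host uids 100000..165535, which is what a privileged helper would
# set up for an unprivileged user's container.
SAMPLE_UID_MAP = "         0     100000      65536\n"

OVERFLOW_ID = 65534  # kernel default; assumed here, read overflowuid on a real box


def parse_id_map(text: str) -> List[Range]:
    """Parse uid_map/gid_map text into (inside, outside, length) ranges."""
    ranges: List[Range] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # tolerate blank lines
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range: {line!r}")
        ranges.append((inside, outside, length))
    return ranges


def to_host(ranges: List[Range], ns_id: int) -> int:
    """Id the host sees for an id used inside the namespace (OVERFLOW_ID if unmapped)."""
    for inside, outside, length in ranges:
        if inside <= ns_id < inside + length:
            return outside + (ns_id - inside)
    return OVERFLOW_ID


def to_namespace(ranges: List[Range], host_id: int) -> int:
    """Id the namespace sees for a host id (OVERFLOW_ID if the host id is unmapped).

    Host-owned files whose owner is outside every range show up as 'nobody'
    inside the container, which is why container root cannot exert privilege
    over them.
    """
    for inside, outside, length in ranges:
        if outside <= host_id < outside + length:
            return inside + (host_id - outside)
    return OVERFLOW_ID


def container_root_is_host_root(ranges: List[Range]) -> bool:
    """The property the post describes: does container uid 0 land on host uid 0?"""
    return to_host(ranges, 0) == 0


def maps_host_root(ranges: List[Range]) -> bool:
    """Misconfiguration check: does any range hand out host uid 0 to the container?

    A map such as '0 0 4294967295' gives container root the real root uid and
    defeats the isolation entirely; a helper that writes uid_map should refuse it.
    """
    return any(outside == 0 for _, outside, _ in ranges)


if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_UID_MAP)
    print("container uid 0    -> host uid", to_host(ranges, 0))
    print("container uid 1000 -> host uid", to_host(ranges, 1000))
    print("container uid 70000 (unmapped) -> host uid", to_host(ranges, 70000))
    print("host uid 0 as seen in container:", to_namespace(ranges, 0))
    print("container root is host root:", container_root_is_host_root(ranges))
    print("identity map hands out host root:",
          maps_host_root(parse_id_map("0 0 4294967295")))
```

Running it shows container uid 0 resolving to host uid 100000, host uid 0 appearing inside the container as 65534, and the identity map flagged by `maps_host_root`; the same translation applies unchanged to gid_map.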

This should also be tremendously helpful for safer usage of juju with local provider.

The steps needed (or, at least, hopefully most of them) to get to that point are discussed in the meeting log above.


4 Responses to User Namespaces LXC meeting

  1. kyhwana says:

    So did username spaces not make it into the 13.04 kernel? Will they be in 13.10?
    Is there any way to get username spaces working in 13.04?

    • s3hh says:

      They’re not in the 13.04 kernel. They are almost complete in 3.9 (which is the saucy kernel) with the biggest missing part being xfs support. You can get a working kernel for saucy from ppa:serge-hallyn/userns-natty right now. I intend to keep the working kernels in ppa:ubuntu-lxc/kernel, and will try to get them there by next week, built for both raring and saucy.

      • kyhwana says:

        Ahh excellent! Now I just need to find a VPS provider that allows custom built kernels 😛

  2. Kyhwana says:

    Hmm, is this in the 3.10 kernel? Having trouble actually finding out if it is or not..
