Difference between revisions of "User namespace"
m (Kir moved page UserNamespace to User namespace: fix title according to mediawiki standards) |
|||
(6 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | == Problems == | ||
+ | |||
Implementing user namespace support in CRIU requires a few changes on kernel side. First of all when a new user namespace is created its capability get dropped off, thus any kernel aspect guarded with capable() may fail. In particular we found that the following things are not functional when we restore tasks running in own user namespace: | Implementing user namespace support in CRIU requires a few changes on kernel side. First of all when a new user namespace is created its capability get dropped off, thus any kernel aspect guarded with capable() may fail. In particular we found that the following things are not functional when we restore tasks running in own user namespace: | ||
− | |||
− | |||
− | |||
− | |||
− | |||
* mknod() requires CAP_MKNOD | * mknod() requires CAP_MKNOD | ||
+ | * Lots of IPCNS and UTSNS sysctls require CAP_SYS_ADMIN | ||
The list will be updated with time. To resolve the problems we need to address every issue and modify the kernel. For first bullet there is a patch already floating around in kernel mailing list. | The list will be updated with time. To resolve the problems we need to address every issue and modify the kernel. For first bullet there is a patch already floating around in kernel mailing list. | ||
− | [ | + | == Usernsd == |
+ | |||
+ | This daemon is the salvation to most of the problems we've found. Since many restricted operations involve a file descriptor, we may ask a privileged process to do the action and exchange the relevant FD for that. | ||
+ | |||
+ | [[Category:Development]] |
Latest revision as of 15:48, 6 April 2015
Problems[edit]
Implementing user namespace support in CRIU requires a few changes on kernel side. First of all when a new user namespace is created its capability get dropped off, thus any kernel aspect guarded with capable() may fail. In particular we found that the following things are not functional when we restore tasks running in own user namespace:
- mknod() requires CAP_MKNOD
- Lots of IPCNS and UTSNS sysctls require CAP_SYS_ADMIN
The list will be updated with time. To resolve the problems we need to address every issue and modify the kernel. For first bullet there is a patch already floating around in kernel mailing list.
Usernsd[edit]
This daemon is the salvation to most of the problems we've found. Since many restricted operations involve a file descriptor, we may ask a privileged process to do the action and exchange the relevant FD for that.