On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger wrote:
> ----- Original Message -----
> > > We'd like to use libvirt for managing our lxc machines.
> > > Currently libvirt lacks user namespace support.
> > > Is anyone working on that? Otherwise David and I will implement it
> > > and send patches very soon.
> >
> > There were some people at Fujitsu who have done a little work on it.
> > They posted some very basic patches a month or two ago, but not heard
> > more since then, so don't know if any progress has been made by them.
>
> Found the patches. :)
> They do mostly the same as what our preliminary userns support does.
> 1. Add support for uid/gid mappings.
> 2. Don't mount disallowed file systems in the userns.
> 3. Create device nodes outside of the userns.
>
> What we still need to consider is how to deal with capability dropping.
> Daniel, do you have any plans for how to support this?
> Using securebits would be a good idea.

We already have to deal with that - we allow all capabilities except for
CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL and MAC_ADMIN currently.
If user namespaces are active, we might be able to actually relax that
and allow more of them. TBD.

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
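The three pieces discussed in this exchange (a uid/gid mapping for the child user namespace, dropping a fixed deny-list of capabilities, and locking securebits) fit in a few dozen lines of C against the plain kernel interfaces. The following is an added example, not libvirt's LXC driver code and not the patches mentioned in the thread; the deny-list is the five capabilities Daniel names, the `0 <outer-uid> 1` mapping and the particular securebits combination are assumptions chosen for the demo, and `/proc/PID/uid_map` and `gid_map` are written in the kernel's documented "inside outside count" format. Unprivileged user namespaces must be enabled on the host for the `main()` demo to get past `unshare()`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/capability.h>
#include <linux/securebits.h>

/* The five capabilities the thread says libvirt's LXC driver withholds. */
static const int denied_caps[] = {
    CAP_MKNOD, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_AUDIT_CONTROL, CAP_MAC_ADMIN,
};
#define NDENIED (sizeof denied_caps / sizeof denied_caps[0])

/* 64-bit mask of capabilities that stay allowed: every capability the
 * running kernel headers know about, minus the denied set. */
uint64_t allowed_cap_mask(void) {
    uint64_t mask = 0;
    for (int c = 0; c <= CAP_LAST_CAP; c++) mask |= (uint64_t)1 << c;
    for (size_t i = 0; i < NDENIED; i++) mask &= ~((uint64_t)1 << denied_caps[i]);
    return mask;
}

/* 1 if the policy allows cap, 0 if it is denied or out of range. */
int cap_is_allowed(int cap) {
    if (cap < 0 || cap > CAP_LAST_CAP) return 0;
    return (int)((allowed_cap_mask() >> cap) & 1);
}

/* Format one line of /proc/PID/uid_map or gid_map: "<inside> <outside> <count>\n".
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count) {
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write an id map for pid. The writer must own the outside range itself or
 * hold CAP_SETUID/CAP_SETGID in the parent namespace, and gid_map needs
 * /proc/PID/setgroups set to "deny" first when running unprivileged. */
int write_id_map(pid_t pid, const char *which, unsigned inside, unsigned outside, unsigned count) {
    char path[64], line[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, which);
    int n = format_id_map(line, sizeof line, inside, outside, count);
    if (n < 0) return -1;
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int rc = (write(fd, line, (size_t)n) == n) ? 0 : -1;
    close(fd);
    return rc;
}

/* Remove the denied set from the bounding set so no later exec (setuid or
 * file-capability binary) can regain it. Needs CAP_SETPCAP in the current
 * user namespace; returns the number dropped, or -1 on the first failure. */
int drop_denied_from_bounding_set(void) {
    int dropped = 0;
    for (size_t i = 0; i < NDENIED; i++) {
        if (prctl(PR_CAPBSET_DROP, denied_caps[i], 0, 0, 0) != 0) return -1;
        dropped++;
    }
    return dropped;
}

int main(void) {
    /* Demo: enter a fresh user namespace, map the caller to uid/gid 0 inside,
     * drop the deny-list from the bounding set, then lock securebits. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); return 1; }
    int fd = open("/proc/self/setgroups", O_WRONLY);
    if (fd >= 0) { (void)!write(fd, "deny", 4); close(fd); }
    if (write_id_map(getpid(), "uid_map", 0, (unsigned)uid, 1) != 0 ||
        write_id_map(getpid(), "gid_map", 0, (unsigned)gid, 1) != 0) {
        perror("id map");
        return 1;
    }
    /* Inside the new userns we hold a full capability set over it, including CAP_SETPCAP. */
    printf("dropped %d capabilities from the bounding set\n", drop_denied_from_bounding_set());
    /* Securebits: no root-implies-caps, no setuid fixup, and lock both so the
     * container cannot flip them back. */
    unsigned long bits = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |
                         SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED |
                         SECBIT_KEEP_CAPS_LOCKED;
    if (prctl(PR_SET_SECUREBITS, bits, 0, 0, 0) != 0) perror("PR_SET_SECUREBITS");
    for (size_t i = 0; i < NDENIED; i++)
        printf("cap %d still in bounding set: %d\n", denied_caps[i],
               (int)prctl(PR_CAPBSET_READ, denied_caps[i], 0, 0, 0));
    return 0;
}
```

Dropping from the bounding set is the part that makes the deny-list stick across `execve()`; clearing only the effective/permitted sets would let a file-capability binary inside the container restore them. Securebits then close the classic root-gets-everything path, which matters once uid 0 inside the namespace is an unprivileged user outside it.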