On Wed, Feb 12, 2014 at 12:51:10PM +0100, arnaud gaboury wrote:
> Dear all,
>
> I am slowly building an Arch Linux VM guest on my Arch Linux host.
>
> The guest machine is now built and is recognized as shown by this command:
>
> gabx@hortensia ➤➤ ~ % machinectl list
> MACHINE CONTAINER SERVICE
> dahlia  container nspawn
>
> 1 machines listed.
>
> I am following the libvirt.org documentation. Now, according to this
> page[1] about the lxc driver, I am dealing with namespace requirements.
> This sentence, in bold, puzzles me:
>
> A suitably configured UID/GID mapping is a pre-requisite to making
> containers secure, in the absence of sVirt confinement.
>
> If I understand what a namespace is, I have no idea how to make sure
> my UID/GID mapping is well configured. I would appreciate having any
> hints about this part of the settings.

Basically this means that uid == 0 in the container has the same access
as uid == 0 in the host. So if the container can see sysfs, for example,
it would be able to write to any files owned by uid == 0, which is clearly
not what you want a container to be able to do :-)

To avoid this you must set up a UID+GID mapping in the container using
the <idmap> syntax, and also make sure that the filesystem you give to
the container has corresponding changes. E.g. if you set the XML to remap
container uid == 0 to uid == 3000 on the host, then the container's
filesystem must also use uid == 3000 for any files that are intended to
be accessible to root in the container. Likewise for other uids beyond root.

http://libvirt.org/formatdomain.html#elementsOSContainer

NB user namespaces are a fairly new piece of functionality that is still
somewhat rough around the edges. You usually want to have the most recent
kernel.org stable kernel available when using this.

> Another question: is there any advantage/disadvantage using the lxc
> Userspace tools[2] instead of libvirt to manage these namespaces?

They are broadly speaking functionally equivalent, but using libvirt gives
you all the usual benefits libvirt has: stable API, accessible from multiple
programming languages, stable configuration, integration with other apps
using libvirt. E.g. you can use virt-top to monitor things or virt-manager
as a GUI frontend, etc, etc.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
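An added example, not code from the thread or from libvirt: the mapping Daniel describes (container root to host uid 3000) written as a libvirt <idmap> fragment, plus POSIX shell helpers that audit a rootfs ownership listing for files whose host owner falls outside the mapped range and that shift an unshifted rootfs into it. The start/target/count values, the audit input format (a `find -printf '%U %G %p\n'` listing) and any paths are assumptions.

```shell
# Added example, not from the thread or from libvirt. Container ids
# 0..COUNT-1 map onto host ids TARGET..TARGET+COUNT-1, which is what this
# (assumed) libvirt <idmap> fragment inside <domain type='lxc'> expresses:
#   <idmap>
#     <uid start='0' target='3000' count='65536'/>
#     <gid start='0' target='3000' count='65536'/>
#   </idmap>
TARGET=3000
COUNT=65536
export TARGET

# host_id N: print the host uid/gid that container id N lands on; fail when
# N is outside the mapping, since such an id has no host representation.
host_id() {
    [ "$1" -ge 0 ] && [ "$1" -lt "$COUNT" ] || return 1
    echo $(( $1 + TARGET ))
}

# audit_owners: read "uid gid path" lines on stdin (the shape produced by
# find ROOTFS -printf '%U %G %p\n') and report every entry whose host owner
# or group is outside the mapped range. Inside the container such files show
# up as owned by the overflow id (nobody), and a config file left at host
# uid 0 is not writable by container root. The last line printed is the count.
audit_owners() {
    bad=0
    while read -r uid gid path; do
        if [ "$uid" -lt "$TARGET" ] || [ "$uid" -ge $((TARGET + COUNT)) ] ||
           [ "$gid" -lt "$TARGET" ] || [ "$gid" -ge $((TARGET + COUNT)) ]; then
            echo "unmapped: $path (uid=$uid gid=$gid)"
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# shift_tree ROOTFS: re-own a rootfs that was populated with unshifted ids
# (root = 0) so that it matches the mapping. Needs root on the host and is
# meant to run once, before the container is first started.
shift_tree() {
    find "$1" -exec sh -c '
        for f; do
            u=$(stat -c %u "$f"); g=$(stat -c %g "$f")
            chown -h "$((u + TARGET))":"$((g + TARGET))" "$f"
        done' sh {} +
}
```

Run `find /path/to/rootfs -printf '%U %G %p\n' | audit_owners` after shifting to confirm nothing was missed; a non-zero final count means some files are still owned by host ids the container cannot see as real users.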