Quoting Glauber Costa (glommer@xxxxxxxxxxxxx):
> On 02/22/2013 08:34 PM, Eric W. Biederman wrote:
> > Glauber Costa <glommer@xxxxxxxxxxxxx> writes:
> >
> >> On 01/22/2013 01:11 PM, Eric W. Biederman wrote:
> >>>
> >>> The kernel support for user namespaces allows ordinary users to use
> >>> multiple uids and gids if they can get a trusted program to tell the
> >>> kernel the set of subordinate uids and gids they are allowed to use.
> >>>
> >>> This is my work to make that trusted program.
> >>> Two new files are added /etc/subuid /etc/subgid that specify
> >>> ranges of uids and gids that users may use.
> >>>
> >>> useradd, and newusers are modified to add users to those files.
> >>>
> >>> userdel is modified to remove users from those files.
> >>>
> >>> usermod is modified to give manual control of what goes in those files.
> >>>
> >>> newuidmap and newgidmap read the new files and update
> >>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
> >>> as requested by their command line parameters and as allowed
> >>> by the /etc/subuid and /etc/subgid.
> >>>
> >>> The following patches are against the current development trunk
> >>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
> >>> these patches also apply to shadow 4.1.5.
> >>>
> >>> Eric W. Biederman (11):
> >>>   Documentation for /etc/subuid and /etc/subgid
> >>>   login.defs.5: Document the new variables in login.defs
> >>>   Implement commonio_append.
> >>>   Add backend support for subordinate uids and gids
> >>>   Implement find_new_sub_uids find_new_sub_gids
> >>>   userdel: Add support for removing subordinate user and group ids.
> >>>   useradd: Add support for subordinate user identifiers
> >>>   Add support for detecting busy subordinate user ids
> >>>   usermod: Add support for subordinate uids and gids.
> >>>   newusers: Add support for assigning subordinate uids and gids.
> >>>   newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
> >>
> >> Hi,
> >>
> >> Is there any intention to merge this (or any later version thereof)?
> >> I intend to start excluding uid ranges for containers usage in OpenVZ,
> >> and support for that in tooling would come in handy.
> >
> > I don't know what the state of the main pkg-shadow package is. I haven't
> > heard anything and the repository seems to have been dormant since the
> > last release almost a year ago.
> >
> > However the last I heard Serge was working on getting these changes into
> > Ubuntu.
> >
> > So the intention is to get this code merged but I don't know what more
> > needs to be done at this point.
> >
> I understand, this was more a question for the package maintainers.
> It would be interesting for us to have those changes more widely
> available than just @Ubuntu

Well, I would aim to get it into Debian, from where it should make it into
all its downstreams eventually... But I know that's not what you mean :)

Note that the core of this really isn't a big deal, and you can easily
implement your own distro-independent wrappers. Just provide an easy tool
for admins to assign subuids to users, and a small setuid-root binary to
allow users, subject to those constraints, to write to /proc/$$/uid_maps.
Shadow integration will be nice, but for your use case you should be able
to by-step it until shadow integration is complete.

-serge

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
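The check that the small setuid-root helper Serge sketches has to perform, as an added example that is not code from the shadow patches or from anyone in this thread: it parses /etc/subuid-style text, verifies that each requested mapping (given in the newuidmap-style inner/outer/count form) lies entirely inside one of the user's subordinate ranges and that the mappings do not overlap, and produces the text that would then be written to /proc/[pid]/uid_map. The sample /etc/subuid content, the user names and the function names are constructed for this example.

```python
# Added example (not from the shadow patches): the validation a subuid-aware
# setuid helper performs before writing /proc/[pid]/uid_map.

# Constructed sample /etc/subuid content; each line is "user:start:count" and
# grants <user> the outer uid range [start, start + count).
SUBUID = """\
alice:100000:65536
bob:165536:65536
alice:1000000:1000
"""

UID_LIMIT = 2**32 - 1  # ids are uint32; the top value is the invalid id

def parse_subid(text):
    """Return {user: [(start, count), ...]} from /etc/subuid-style text."""
    ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges

def _overlaps(a_start, a_count, b_start, b_count):
    return a_start < b_start + b_count and b_start < a_start + a_count

def build_id_map(user, mappings, subid_text):
    """mappings: [(inner, outer, count), ...] as newuidmap takes them.

    Returns the text to write to /proc/[pid]/uid_map, or raises ValueError
    if a mapping is malformed, overlaps another, or uses outer ids that
    /etc/subuid does not grant to <user>.
    """
    allowed = parse_subid(subid_text).get(user, [])
    seen = []
    for inner, outer, count in mappings:
        if count <= 0 or inner + count > UID_LIMIT or outer + count > UID_LIMIT:
            raise ValueError(f"malformed range {inner} {outer} {count}")
        # The whole outer range must sit inside one granted subuid range.
        if not any(s <= outer and outer + count <= s + c for s, c in allowed):
            raise ValueError(f"{user} may not map outer ids {outer}..{outer + count - 1}")
        # Neither the inner nor the outer range may overlap an earlier mapping.
        for i, o, c in seen:
            if _overlaps(inner, count, i, c) or _overlaps(outer, count, o, c):
                raise ValueError(f"mapping {inner} {outer} {count} overlaps {i} {o} {c}")
        seen.append((inner, outer, count))
    return "".join(f"{i} {o} {c}\n" for i, o, c in mappings)
```

The same logic applies unchanged to /etc/subgid and /proc/[pid]/gid_map; a real helper would additionally drop privileges and resolve the caller's name from its real uid rather than trusting a user-supplied name.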