On 02/25/2013 06:34 PM, Serge Hallyn wrote:
> Quoting Glauber Costa (glommer@xxxxxxxxxxxxx):
>> On 02/22/2013 08:34 PM, Eric W. Biederman wrote:
>>> Glauber Costa <glommer@xxxxxxxxxxxxx> writes:
>>>
>>>> On 01/22/2013 01:11 PM, Eric W. Biederman wrote:
>>>>>
>>>>> The kernel support for user namespaces allows ordinary users to use
>>>>> multiple uids and gids if they can get a trusted program to tell the
>>>>> kernel the set of subordinate uids and gids they are allowed to use.
>>>>>
>>>>> This is my work to make that trusted program.
>>>>> Two new files are added /etc/subuid /etc/subgid that specify
>>>>> ranges of uids and gids that users may use.
>>>>>
>>>>> useradd, and newusers are modified to add users to those files.
>>>>>
>>>>> userdel is modified to remove users from those files.
>>>>>
>>>>> usermod is modified to give manual control of what goes in those files.
>>>>>
>>>>> newuidmap and newgidmap read the new files and update
>>>>> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
>>>>> as requested by their command line parameters and as allowed
>>>>> by the /etc/subuid and /etc/subgid.
>>>>>
>>>>> The following patches are against the current development trunk
>>>>> of pkg-shadow svn rev 3745. With minor tweaking of man/Makefile.am
>>>>> these patches also apply to shadow 4.1.5.
>>>>>
>>>>> Eric W. Biederman (11):
>>>>>   Documentation for /etc/subuid and /etc/subgid
>>>>>   login.defs.5: Document the new variables in login.defs
>>>>>   Implement commonio_append.
>>>>>   Add backend support for subordinate uids and gids
>>>>>   Implement find_new_sub_uids find_new_sub_gids
>>>>>   userdel: Add support for removing subordinate user and group ids.
>>>>>   useradd: Add support for subordinate user identifiers
>>>>>   Add support for detecting busy subordinate user ids
>>>>>   usermod: Add support for subordinate uids and gids.
>>>>>   newusers: Add support for assigning subordinate uids and gids.
>>>>>   newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
>>>>
>>>> Hi,
>>>>
>>>> Is there any intention to merge this (or any later version thereof)?
>>>> I intend to start excluding uid ranges for containers usage in OpenVZ,
>>>> and support for that in tooling would come in handy.
>>>
>>> I don't know what the state of the main pkg-shadow package is. I haven't
>>> heard anything and the repository seems to have been dormant since the
>>> last release almost a year ago.
>>>
>>> However the last I heard Serge was working on getting these changes into
>>> Ubuntu.
>>>
>>> So the intention is to get this code merged but I don't know what more
>>> needs to be done at this point.
>>>
>> I understand, this was more a question for the package maintainers.
>> It would be interesting for us to have those changes more widely
>> available than just @Ubuntu
>
> Well, I would aim to get it into Debian, from where it should make it
> into all its downstreams eventually... But I know that's not what you
> mean :)
>
> Note that the core of this really isn't a big deal, and you can easily
> implement your own distro-independent wrappers. Just provide an easy
> tool for admins to assign subuids to users, and a small setuid-root
> binary to allow users, subject to those constraints, to write to
> /proc/$$/uid_maps.
>
> Shadow integration will be nice, but for your use case you should be
> able to by-step it until shadow integration is complete.
>

Well, the main problem is that I don't talk on behalf of any distro.
We distribute OpenVZ, and would like to create containers such that
each container has its own user range - all that without having the
containers' users conflicting with users created by useradd's normal
operation. I am *hoping* that by selecting ranges high enough I will
avoid conflicts at least in the beginning, but it is a bit of guesswork.
_______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
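The two pieces Serge describes above, an admin-maintained /etc/subuid and a small setuid-root helper that writes /proc/[pid]/uid_map only within the ranges that file grants, as an added example in C. This is not code from the thread, from shadow or from OpenVZ. It assumes /etc/subuid lines of the form user:start:count (the thread names the file but not its format), and the file contents, user names and function names (subuid_allows, ranges_overlap, format_uid_map) are constructed for the example. The ranges_overlap check goes one step past the thread: it replaces the "high enough" guesswork at the end of Glauber's reply with an explicit test of a subordinate range against the block useradd hands out to ordinary accounts.

```c
/* Added example, not code from shadow, OpenVZ or this thread: the check a
 * newuidmap-style setuid helper must make before writing /proc/[pid]/uid_map.
 * Assumes /etc/subuid lines of the form "user:start:count" (constructed). */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sub_range { unsigned long start, count; };

/* Parse a decimal field that must end exactly at `stop`. Rejects signs,
 * blanks and trailing junk, all of which strtoul alone would let through. */
static int parse_field(const char *p, const char *stop, unsigned long *out)
{
    char *end;
    if (p >= stop || *p < '0' || *p > '9')
        return 0;
    errno = 0;
    *out = strtoul(p, &end, 10);
    return errno == 0 && end == stop;
}

/* Parse one /etc/subuid line of `len` bytes. Returns 1 only for a well-formed
 * line owned by `user`; comments, other users and malformed lines yield 0. */
static int parse_subid_line(const char *line, size_t len, const char *user,
                            struct sub_range *out)
{
    const char *c1 = memchr(line, ':', len), *c2;
    unsigned long start, count;
    if (c1 == NULL || (size_t)(c1 - line) != strlen(user) ||
        memcmp(line, user, c1 - line) != 0)
        return 0;
    c2 = memchr(c1 + 1, ':', len - (c1 + 1 - line));
    if (c2 == NULL || !parse_field(c1 + 1, c2, &start) ||
        !parse_field(c2 + 1, line + len, &count))
        return 0;
    if (count == 0 || start > ULONG_MAX - count)   /* empty grant, or wraps */
        return 0;
    out->start = start;
    out->count = count;
    return 1;
}

/* Is [outer, outer+count) entirely inside one range that `subuid_text` (the
 * contents of /etc/subuid) grants to `user`? A request that straddles two
 * adjacent grants is refused; merging them is left out to keep this auditable. */
int subuid_allows(const char *subuid_text, const char *user,
                  unsigned long outer, unsigned long count)
{
    const char *line = subuid_text;
    struct sub_range r;
    if (count == 0 || outer > ULONG_MAX - count)
        return 0;
    while (*line != '\0') {
        size_t len = strcspn(line, "\n");
        if (parse_subid_line(line, len, user, &r) &&
            outer >= r.start && outer + count <= r.start + r.count)
            return 1;
        line += len + (line[len] == '\n');
    }
    return 0;
}

/* Does a proposed subordinate range collide with another, e.g. the
 * UID_MIN..UID_MAX block that useradd draws ordinary accounts from? */
int ranges_overlap(unsigned long a_start, unsigned long a_count,
                   unsigned long b_start, unsigned long b_count)
{
    return a_start < b_start + b_count && b_start < a_start + a_count;
}

/* Format the line a helper writes to /proc/[pid]/uid_map ("inner outer
 * count"). Returns its length, or -1 if `size` is too small. */
int format_uid_map(char *buf, size_t size, unsigned long inner,
                   unsigned long outer, unsigned long count)
{
    int n = snprintf(buf, size, "%lu %lu %lu\n", inner, outer, count);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Constructed /etc/subuid contents; the last line is deliberately malformed. */
static const char SUBUID[] =
    "# user:start:count\n"
    "alice:100000:65536\n"
    "bob:165536:65536\n"
    "mallory:-5:65536\n";

int main(void)
{
    char map[64];
    /* alice may map her whole block, but not a range that leaks into bob's. */
    printf("alice 100000+65536 -> %d\n", subuid_allows(SUBUID, "alice", 100000, 65536));
    printf("alice 150000+65536 -> %d\n", subuid_allows(SUBUID, "alice", 150000, 65536));
    printf("overlaps 1000..59999 -> %d\n", ranges_overlap(100000, 65536, 1000, 59000));
    if (format_uid_map(map, sizeof map, 0, 100000, 65536) > 0)
        fputs(map, stdout);   /* the line that would go to /proc/[pid]/uid_map */
    return 0;
}
```

The helper keeps the whole decision in one place: anything not parsed as a clean grant for the calling user is ignored rather than guessed at, the requested range is rejected if its end wraps, and the mapping line is only formatted once containment has been established. A real helper would additionally check that the caller's real uid owns the target process before opening its uid_map.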