From: Chris Webb <chris@arachsys.com>
To: linux-kernel@vger.kernel.org
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: Building a BSD-jail clone out of namespaces
Date: Thu, 27 Jun 2013 14:43:09 +0100
Message-ID: <20130627134308.GG18100@arachsys.com>
In-Reply-To: <20130606161010.GI12062@arachsys.com>
Chris Webb <chris@arachsys.com> writes:

> Prompted by the new userns support merged in the 3.8/3.9 kernels, I've been
> playing with namespaces and trying to understand how I could use them to
> build containers to replace some of my uses of qemu-kvm virtual machines.

I now have most things working as I'd want and am just polishing my
userspace container tool before release to make sure it fits well with
common conventions such as those mentioned at
http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
and parses /etc/subuid and /etc/subgid files in the format you've defined
them in your shadow patches. I was delighted by how it all nests nicely,
provided I bind mount my /dev nodes from the level above rather than try to
mknod them in the outer container.

I'd like to arrange for slightly different behaviour when the tool is run at
the top-level 'host' user namespace, for example warning about attempts to
map the dangerous UID 0.

Is there a canonical way to detect when I'm in the top-level user namespace?
I can clearly try doing something which should be impossible for a
non-top-level root user like opening /proc/kpageflags for reading or
/proc/sys/ctrl-alt-del for writing, but I wondered if there was something
more idiomatic as a test? (Some sort of 'get parent namespace' that might
return null at top-level maybe?)

Cheers,

Chris.
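One conventional answer to the question above, as an added example rather than code from this message or from Chris's tool: in the initial user namespace, /proc/self/uid_map consists of the single identity line `0 0 4294967295`, so a tool can read that file and compare (the function names here are made up). The caveat a practitioner should keep in mind is that root in the parent namespace can create a child namespace carrying that same full identity map, so this distinguishes the host namespace from a typical unprivileged container but is a heuristic, not proof.

```c
#include <stdio.h>
#include <string.h>

/*
 * Classify the text of a uid_map file.
 * Returns 1 if it is the initial namespace's identity map ("0 0 4294967295"),
 * 0 if it is any other mapping (so we are inside a child user namespace),
 * and -1 if the text cannot be parsed as a uid_map line at all.
 */
int uid_map_is_initial(const char *map)
{
    unsigned long inside, outside, count;
    char extra;
    /* The trailing %c only matches if a second mapping line follows. */
    int n = sscanf(map, "%lu %lu %lu %c", &inside, &outside, &count, &extra);
    if (n < 3)
        return -1;
    if (n == 4)
        return 0; /* more than one extent: never the initial namespace */
    return (inside == 0 && outside == 0 && count == 4294967295UL) ? 1 : 0;
}

/*
 * Read the caller's own map. Returns 1 in the top-level user namespace,
 * 0 in a child namespace, -1 if /proc/self/uid_map is missing or unreadable
 * (for example on a kernel built without user namespace support).
 */
int in_initial_user_ns(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return uid_map_is_initial(buf);
}

int main(void)
{
    int r = in_initial_user_ns();
    if (r < 0)
        puts("cannot read /proc/self/uid_map");
    else
        puts(r ? "top-level (host) user namespace" : "child user namespace");
    return 0;
}
```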