[Pkg-shadow-devel] [PATCH 00/11] pkg-shadow support subordinate ids with user namespaces

Serge Hallyn serge.hallyn at ubuntu.com
Mon Feb 25 14:30:59 UTC 2013


Quoting Eric W. Biederman (ebiederm at xmission.com):
> Glauber Costa <glommer at parallels.com> writes:
> 
> > On 01/22/2013 01:11 PM, Eric W. Biederman wrote:
> >> 
> >> The kernel support for user namespaces allows ordinary users to use
> >> multiple uids and gids if they can get a trusted program to tell the
> >> kernel the set of subordinate uids and gids they are allowed to use.
> >> 
> >> This is my work to make that trusted program.
> >> Two new files are added /etc/subuid /etc/subgid that specify
> >> ranges of uids and gids that users may use.
> >> 
> >> useradd, and newusers are modified to add users to those files.
> >> 
> >> userdel is modified to remove users from those files.
> >> 
> >> usermod is modified to give manual control of what goes in those files.
> >> 
> >> newuidmap and newgidmap read the new files and update
> >> /proc/[pid]/uid_map and /proc/[pid]/gid_map respectively
> >> as requested by their command line parameters and as allowed
> >> by the /etc/subuid and /etc/subgid.
> >> 
> >> The following patches are against the current development trunk
> >> of pkg-shadow svn rev 3745.  With minor tweaking of man/Makefile.am
> >> these patches also apply to shadow 4.1.5.
> >> 
> >> Eric W. Biederman (11):
> >>       Documentation for /etc/subuid and /etc/subgid
> >>       login.defs.5: Document the new variables in login.defs
> >>       Implement commonio_append.
> >>       Add backend support for subordinate uids and gids
> >>       Implement find_new_sub_uids find_new_sub_gids
> >>       userdel: Add support for removing subordinate user and group ids.
> >>       useradd: Add support for subordinate user identifiers
> >>       Add support for detecting busy subordinate user ids
> >>       usermod: Add support for subordinate uids and gids.
> >>       newusers: Add support for assigning subordinate uids and gids.
> >>       newuidmap,newgidmap: New suid helpers for using subordinate uids and gids
> >
> > Hi,
> >
> > Is there any intention to merge this (or any later version thereof) ?
> > I intend to start excluding uid ranges for containers usage in OpenVZ,
> > and support for that in tooling would come in handy.
> 
> I don't know what the state of the main pkg-shadow package is.  I haven't
> heard anything and the repository seems to have been dormant since the
> last release almost a year ago.
> 
> However the last I heard Serge was working on getting these changes into
> Ubuntu.

I need to get back to this hopefully later this week.  However since the
final userns patches won't be in the raring kernel, the merge request
will become low priority.  I expect it'll be easier to push in May (when
the next devel release opens up) than now.

> So the intention is to get this code merged but I don't know what more
> needs to be done at this point.
> 
> Eric
> 

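The gate the quoted series describes, newuidmap and newgidmap consulting /etc/subuid and /etc/subgid before writing /proc/[pid]/uid_map or gid_map, as an added example that is not code from the patch series or from pkg-shadow: a Python model of that check. The /etc/subuid contents are constructed, and the names parse_subid, IdRange and build_uid_map are this example's own. A request is accepted only when every outside range lies entirely inside one of the caller's delegated ranges (or is the caller's own uid mapped once, the one exception newuidmap makes), and overlapping inside or outside ranges are refused up front rather than left for the kernel to reject.

```python
"""Model of the check a newuidmap-style helper performs before writing
/proc/[pid]/uid_map.  Added example; not code from the pkg-shadow series."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed /etc/subuid contents (one "user:start:count" entry per line).
SUBUID_SAMPLE = """\
alice:100000:65536
bob:165536:65536
alice:300000:1000
"""


@dataclass(frozen=True)
class IdRange:
    """A contiguous block of ids: [start, start + count)."""
    start: int
    count: int

    @property
    def end(self) -> int:
        return self.start + self.count

    def contains(self, other: "IdRange") -> bool:
        return self.start <= other.start and other.end <= self.end

    def overlaps(self, other: "IdRange") -> bool:
        return self.start < other.end and other.start < self.end


def parse_subid(text: str) -> Dict[str, List[IdRange]]:
    """Parse /etc/subuid or /etc/subgid text into {user: [IdRange, ...]}."""
    table: Dict[str, List[IdRange]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected user:start:count, got {raw!r}")
        user, start, count = fields
        rng = IdRange(int(start), int(count))
        if rng.start < 0 or rng.count <= 0:
            raise ValueError(f"line {lineno}: invalid range {raw!r}")
        table.setdefault(user, []).append(rng)
    return table


# One newuidmap triple "inside outside count" as (inside id, outside range).
Mapping = Tuple[int, IdRange]


def build_uid_map(user: str, uid: int, requested: List[Mapping],
                  table: Dict[str, List[IdRange]]) -> str:
    """Return the /proc/[pid]/uid_map text for `requested`, or raise.

    PermissionError: an outside range is not delegated to `user` in the table
    (the caller's own uid, mapped once, is the single exception).
    ValueError: ranges overlap or are empty; the kernel would reject such a
    write anyway, so fail early with a clear message.
    """
    allowed = table.get(user, [])
    inside_seen: List[IdRange] = []
    outside_seen: List[IdRange] = []
    lines = []
    for inside, outside in requested:
        if outside.count <= 0:
            raise ValueError("empty mapping")
        own_uid = outside.count == 1 and outside.start == uid
        if not own_uid and not any(r.contains(outside) for r in allowed):
            raise PermissionError(
                f"{user} may not map outside ids {outside.start}-{outside.end - 1}")
        inside_rng = IdRange(inside, outside.count)
        if (any(inside_rng.overlaps(s) for s in inside_seen)
                or any(outside.overlaps(s) for s in outside_seen)):
            raise ValueError("overlapping ranges in request")
        inside_seen.append(inside_rng)
        outside_seen.append(outside)
        lines.append(f"{inside} {outside.start} {outside.count}")
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    subuid = parse_subid(SUBUID_SAMPLE)
    # alice (uid 1000) maps root inside the namespace to herself and the
    # rest of the first 65536 ids onto her delegated block.
    print(build_uid_map("alice", 1000,
                        [(0, IdRange(1000, 1)), (1, IdRange(100000, 65535))],
                        subuid), end="")
```

The second check matters in practice: a request whose outside range merely starts inside the caller's block but runs one id past it is refused as a whole, because IdRange.contains requires the entire range to be delegated.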