guix-devel

Re: lxc and subuid


From: Ludovic Courtès
Subject: Re: lxc and subuid
Date: Fri, 01 Apr 2022 10:12:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Maxime Devos <maximedevos@telenet.be> wrote:

> Antonio Carlos Padoan Junior wrote on Wed 30-03-2022 at 08:51 [+0200]:
>> Hello,
>> 
>> I'm trying to figure out how to set up an unprivileged container using lxc
>> in guix. I do not know either how to allocate subuid/gid space in guix,
>
> subuid/gid are _not_ unprivileged.  They are a userspace feature by
> the (privileged) setuid binary 'newuidmap', see
> <https://manpages.debian.org/buster/uidmap/newuidmap.1.en.html>.
>
> I don't think there's currently a mechanism for that in Guix System,
> except manually creating and modifying /etc/subuid appropriately and
> installing the setuid binaries.  However, I suppose that the
> 'user-account' record could be extended to support subuid/subgid and
> automatically create /etc/subuid.

Or we could unconditionally add 65536 subuids for each non-system user
account; that’s what other distros seem to be doing.

I think we could take advantage of it for ‘guix system container’: it
could run in an unprivileged user namespace and map several UIDs in that
namespace, such that it doesn’t need to run as root anymore.

Thoughts?

Ludo’.
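To make the proposal above concrete, here is an added example (not code from the thread or from Guix) that derives /etc/subuid-style entries from a constructed passwd file, giving every non-system account 65536 subordinate IDs laid out back to back. It assumes UID 1000 as the cutoff for non-system accounts (Guix would use its own 'system?' flag), an assumed base of 100000, and excludes the 'nobody' account; it also checks that no two ranges overlap, since a shared range would let processes in one user's container own files belonging to another user's.

```shell
#!/bin/sh
# Added example: generate /etc/subuid entries ("user:start:count") for
# non-system accounts, 65536 IDs each, allocated contiguously from an
# assumed base of 100000. The UID >= 1000 cutoff and the 'nobody'
# exclusion are assumptions, not Guix's actual policy.

# Constructed sample /etc/passwd content (not from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
messagebus:x:998:998::/var/run/dbus:/bin/false
alice:x:1000:998::/home/alice:/bin/sh
bob:x:1001:998::/home/bob:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

# Emit one "user:start:count" line per non-system user.
gen_subid() {
  printf '%s\n' "$1" | awk -F: -v base=100000 -v count=65536 '
    $3 >= 1000 && $1 != "nobody" {
      printf "%s:%d:%d\n", $1, base, count
      base += count
    }'
}

# Exit non-zero if any two "user:start:count" ranges share an ID.
# Overlapping subordinate ranges would let one user's namespaced
# processes act as IDs that also belong to another user.
check_no_overlap() {
  printf '%s\n' "$1" | awk -F: '
    {
      s = $2; e = $2 + $3 - 1
      for (i = 1; i <= n; i++)
        if (s <= end[i] && e >= start[i]) bad = 1
      n++; start[n] = s; end[n] = e
    }
    END { exit bad }'
}

entries=$(gen_subid "$SAMPLE_PASSWD")
printf '%s\n' "$entries"
check_no_overlap "$entries" && echo "ranges do not overlap"
```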


