Re: lxc and subuid
From: Ludovic Courtès
Subject: Re: lxc and subuid
Date: Fri, 01 Apr 2022 10:12:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Hi,
Maxime Devos <maximedevos@telenet.be> wrote:
> Antonio Carlos Padoan Junior wrote on Wed 30-03-2022 at 08:51 [+0200]:
>> Hello,
>>
>> I'm trying to figure out how to set up an unprivileged container using lxc
>> in guix. I do not know either how to allocate subuid/gid space in guix,
>
> subuid/gid are _not_ unprivileged. They are a userspace feature by
> the (privileged) setuid binary 'newuidmap', see
> <https://manpages.debian.org/buster/uidmap/newuidmap.1.en.html>.
>
> I don't think there's currently a mechanism for that in Guix System,
> except manually creating and modifying /etc/subuid appropriately and
> installing the setuid binaries. However, I suppose that the 'user-
> account' record could be extended to support subuid/subgid and
> automatically create /etc/subuid.
Or we could unconditionally add 65536 subuids for each non-system user
account; that’s what other distros seem to be doing.
I think we could take advantage of it for ‘guix system container’: it
could run in an unprivileged user namespace and map several UIDs in that
namespace, such that it doesn’t need to run as root anymore.
Thoughts?
Ludo’.
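As an added illustration (not code from this thread or from Guix), the allocation proposed above, 65536 subordinate IDs for every non-system account, derived from passwd entries into /etc/subuid lines and checked so that no two users' ranges overlap. The 100000 starting offset, the UID 1000 system-account cutoff and the sample passwd lines are assumptions of this example.

```python
# Added example: derive /etc/subuid entries ('name:start:count') for each
# non-system account and verify the ranges are disjoint. Assumptions: system
# accounts have UID <= 999 (plus 'nobody', 65534) and the first subordinate
# range starts at 100000; neither value comes from the thread.

SUBID_COUNT = 65536       # subordinate IDs per user, as proposed in the thread
SUBID_MIN = 100000        # first subordinate ID handed out (assumption)
SYSTEM_UID_MAX = 999      # UIDs at or below this are system accounts (assumption)
NOBODY_UID = 65534

# Constructed sample /etc/passwd content, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
sshd:x:998:998:sshd:/var/empty:/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""

def non_system_users(passwd_text):
    """Yield (name, uid) for accounts that should receive subordinate IDs."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        uid = int(uid)
        if uid > SYSTEM_UID_MAX and uid != NOBODY_UID:
            yield name, uid

def allocate_subuids(passwd_text):
    """Return /etc/subuid lines, one 65536-ID range per user, ordered by UID."""
    users = sorted(non_system_users(passwd_text), key=lambda e: e[1])
    return [f"{name}:{SUBID_MIN + i * SUBID_COUNT}:{SUBID_COUNT}"
            for i, (name, _uid) in enumerate(users)]

def check_subuids(entries):
    """Reject ranges that overlap each other or reach into ordinary UIDs.
    An overlap would let one user's container root own another user's files."""
    ranges = []
    for entry in entries:
        name, start, count = entry.split(":")
        start, count = int(start), int(count)
        if start < SUBID_MIN:
            raise ValueError(f"{name}: range {start} overlaps ordinary UIDs")
        ranges.append((start, start + count, name))
    ranges.sort()
    for (_s1, e1, n1), (s2, _e2, n2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            raise ValueError(f"{n1} and {n2}: subordinate ranges overlap")
    return True
```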