containers: automatically use user namespaces on supporting systems #28425
Conversation
On kernels that support user namespaces, `-U` enables their use. This is the default if `systemd-nspawn@.service` is used (which it isn't (yet) in `containers.nix`). Basically, a 16-bit subset (that is not 0-65535) of the 32-bit UID and GID spaces is chosen and used as the host's UID and GID segments the container's UID and GID ranges map to. The container's directory will be `chown`ed recursively to ensure that this works.
@evujumenuk, thanks for your PR! By analyzing the history of the files in this pull request, we identified @wavewave, @edolstra and @kampfschlaefer to be potential reviewers.
Sounds good! Have you tested this?
Nope, not at all :) Right now, I don't have (access to) a system that is set up correctly to test this. I also don't know whether separate UIDs and/or separate GIDs for processes and/or files break anyone's workflow. Comments welcome! Maybe this isn't such a great idea after all. Also, we'd get this change for free if
Thanks for the info. I'll give this a spin soon!
@@ -123,7 +123,7 @@ let | |||
EXIT_ON_REBOOT=1 \ | |||
exec ${config.systemd.package}/bin/systemd-nspawn \ | |||
--keep-unit \ | |||
-M "$INSTANCE" -D "$root" $extraFlags \ | |||
-M "$INSTANCE" -D "$root" -U $extraFlags \ |
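Review bot: `-U` is added unconditionally and ahead of `$extraFlags`, so every container gets user namespaces with no per-container way to opt out, while the description says this also recursively chowns the container root on the host. Given the problems raised in this thread (setuid/setcap wrappers are not permitted inside user namespaces, and bind-mounted host directories end up with unmapped ownership), consider gating the flag behind an opt-in option or leaving it to the per-container `extraFlags` that #35541 adds, so existing containers are not rewritten on upgrade.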
I also attempted to do this, but I have at the moment several problems with systemd-related services running in nspawn in unprivileged mode. A different problem is that you cannot set up setuid wrappers in user namespaces.
User namespaces are unlikely to work for all applications. For instance, bind-mounting a host data directory into a user-namespaced container may lead to ownership and permission issues. I prefer to use user namespaces on a case-by-case basis. #35541 proposes an extraFlags option to pass additional flags like -U to systemd-nspawn.
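The bind-mount ownership problem raised above can be reasoned about with a small model of the 1:1 ID mapping that `-U` sets up: one 16-bit block of host IDs per container, with everything outside the block showing up inside as the kernel's overflow ID. This is an added example, not code from nixpkgs or systemd; the block base, the sample paths and their owners are constructed, and 65534 is assumed as the default overflow UID/GID.

```python
import os
from typing import Iterable, Iterator, List, Tuple

ID_RANGE = 1 << 16       # one 16-bit block of host IDs per container, as with -U
OVERFLOW_ID = 65534      # assumed kernel overflowuid/overflowgid default ("nobody"/"nogroup")


def is_mapped(host_id: int, base: int) -> bool:
    """True if a host UID/GID falls inside the container's block [base, base + 65536)."""
    return base <= host_id < base + ID_RANGE


def to_container_id(host_id: int, base: int) -> int:
    """Host UID/GID as seen from inside the container: 1:1 within the block,
    otherwise the overflow ID (why bind-mounted host dirs show up as nobody)."""
    return host_id - base if is_mapped(host_id, base) else OVERFLOW_ID


def to_host_id(container_id: int, base: int) -> int:
    """Container UID/GID as stored on the host filesystem (the recursive chown target)."""
    if not 0 <= container_id < ID_RANGE:
        raise ValueError(f"container id {container_id} is outside 0..{ID_RANGE - 1}")
    return base + container_id


def unmapped_entries(entries: Iterable[Tuple[str, int, int]], base: int) -> List[Tuple[str, int, int]]:
    """Keep (path, uid, gid) entries whose owner or group is not in the block.
    A user-namespaced container can neither own nor chown these; a non-empty
    result for a bind-mounted directory is the ownership problem discussed."""
    return [(p, u, g) for p, u, g in entries
            if not (is_mapped(u, base) and is_mapped(g, base))]


def scan_tree(root: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (path, uid, gid) for every directory and file below root (symlinks not followed)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            yield path, st.st_uid, st.st_gid


if __name__ == "__main__":
    BASE = 3 * ID_RANGE  # constructed: the block this container was given (196608)
    sample = [           # constructed: host view of a bind-mounted /srv/data and the container root
        ("/srv/data", 0, 0),
        ("/srv/data/site.conf", 1000, 100),
        ("/var/lib/containers/c1/etc/passwd", BASE, BASE),
    ]
    for path, uid, gid in unmapped_entries(sample, BASE):
        print(f"{path} ({uid}:{gid}) appears as {OVERFLOW_ID}:{OVERFLOW_ID} inside the container")
```

To check a real bind-mount source, feed `scan_tree("/srv/data")` into `unmapped_entries` with the base of the container in question; every entry it returns is one the container cannot write to as its owner.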
systemd-nspawn does not even start for me at the moment. An upstream patch is required.
Bind mounting would require shiftfs to be upstreamed in the Linux kernel.
Guess we'll have to wait then...
This pull request has been mentioned on Nix community. There might be relevant details there: https://discourse.nixos.org/t/nixos-container-limitations/1835/4
@Mic92 do you have a test case for that? I added the option
@asbachb Could have been fixed in the meantime. A different problem for enabling that by default are our setuid/setcap wrappers. In user namespaces those are not allowed, which can break tools like sudo or services like postfix.
@Mic92 I see. Basically I wanted to know if there are known problems with user namespaces enabled. I wonder if the feature is stable enough or if it's useful to assign it a dedicated configuration value like
This is an old PR, and #35541 added a generic workaround ( @evujumenuk if you still want to push this change, please add it as |