Use user namespaces! #12
Conversation
On new enough kernels, sandbox-supervisor now works without being setuid root. I know of two regressions:
* --proc is broken when user namespaces are used. Fixing this is possible but tricky.
* Running sandbox-supervisor as root with user namespaces fails. This happens because, once root has entered the namespace, it has insufficient privilege to map anyone else into the namespace. This should be straightforward to fix.
This now requires CONFIG_USER_NAMESPACE. It is no longer safe to install setuid root. It is probably unwise to run it as root. The code simplification should be worth it.
It occurs to me that this might allow sandstorm to run inside Docker.
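As an added illustration of the mechanism the PR description relies on (example code written here, not sandbox-supervisor's own), this is the minimal sequence by which an unprivileged process enters a user namespace and maps its own uid/gid to root inside it. The `/proc/self/setgroups` step is a later kernel requirement (3.19 and up) that did not exist at the time of this PR; the code treats its absence as fine.

```c
// Added example, not sandstorm/sandbox-supervisor code: enter an unprivileged
// user namespace and map the caller's own uid/gid to 0 inside it, which is the
// only mapping a process may write for itself without CAP_SETUID in the parent.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Format one uid_map/gid_map line: "<inside> <outside> <count>\n".
   Returns the number of bytes written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count) {
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write a whole string to path in a single write(); returns 0 or -errno. */
int write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = (write(fd, s, strlen(s)) < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* Unshare a user namespace and map only the caller's own ids to root inside it.
   Once inside, the process has no capabilities in the parent namespace, so it
   can map nobody but itself; this holds even if it was root outside, which is
   the second regression the PR description mentions.  Returns 0 or -errno. */
int enter_userns_as_root(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    char line[64];
    if (unshare(CLONE_NEWUSER) < 0) return -errno;
    /* Kernels >= 3.19 require setgroups to be denied before an unprivileged
       process may write gid_map; on older kernels the file simply does not exist. */
    int err = write_file("/proc/self/setgroups", "deny");
    if (err != 0 && err != -ENOENT) return err;
    format_id_map(line, sizeof line, 0, (unsigned)uid, 1);
    if ((err = write_file("/proc/self/uid_map", line)) != 0) return err;
    format_id_map(line, sizeof line, 0, (unsigned)gid, 1);
    return write_file("/proc/self/gid_map", line);
}

int main(void) {
    int err = enter_userns_as_root();
    if (err) { fprintf(stderr, "no user namespace: %s\n", strerror(-err)); return 1; }
    printf("inside namespace: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

A non-zero exit with EPERM or EINVAL is what you see on a kernel built without CONFIG_USER_NAMESPACE or with unprivileged user namespaces disabled by sysctl.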
This is awesome and I'm excited to merge it. Currently, it looks like AWS and GCE both default to kernel 3.10 and don't provide any particularly easy way to upgrade (you can compile your own kernel, but that's not exactly turnkey). I see that 3.12 is being dubbed a long-term release as well, so there's at least some chance they'll switch over, but I have no idea how to determine if/when this might actually happen. It would be pretty sad if people couldn't easily run instances on AWS/GCE, but maybe supporting Docker better would be worth it. Maybe we just need to provide decent instructions for updating the kernel on these targets. Thoughts?
Conflicts: src/sandstorm/supervisor-main.c++
This is useful: it makes /proc more useful inside the container. It also works around a kernel bug that was introduced by Linux commit e51db73532955dc5eaba4235e62b74b460709d5b and fixed in 41301ae78a99ead04ea42672a1ab72c6f44cc81d.
We can use "/". Yes, this is ugly.
I'm reasonably happy with this now.
Yay, no more suid-root supervisor! Now to use UID namespaces in run-bundle as well, so that it need not be root... and then maybe we can make Sandstorm work in Docker.
This is a draft of user namespace support. --uid, --gid, and setuid root support are gone!
The sequence of events looks like: