[arch-general] Linux container
Guus Snijders
gsnijders at gmail.com
Wed Feb 12 11:25:48 EST 2014
Op 12 feb. 2014 12:59 schreef "arnaud gaboury" <arnaud.gaboury at gmail.com>
het volgende:
>
> Dear all,
>
> I am slowly building a Arch Linux VM guest on my Arch Linux host.
>
> The guest machine is now built
[...]
> I an following the libvirt.org documentation. Now, according this
> page[1] about lxc driver, i am dealing with namespace requirements.
> This sentence, in bold, puzzles me:
>
> A suitably configured UID/GID mapping is a pre-requisite to making
> containers secure, in the absence of sVirt confinement.
>
> If I understand what a namespace is, I have no idea how to make sure
> my UIG/GID mapping is well configured. I would appreciate having any
> hints abut this part of the settings.
That means is that you need to make sure that the users on the host and the
guest machine should have the same UID (usernumber) and GID(GroupNumber).
The point is that you now have 2 "computers" that can access the same data.
If you set access to certain files using different usernames, but identical
(numeric) UID's, the "wrong" people could be able to access those files.
Other then what one would think based on the displayed user- and
groupnames.
It would also make troubleshooting trickier.
If you can keep the used numbers in sync between both installations, then
every user/group permission means the same in both environments.
mvg, Guus
More information about the arch-general
mailing list