[arch-general] Linux container
lisaev at umail.iu.edu
Wed Feb 12 14:30:26 EST 2014
On Wed, 12 Feb 2014 12:59:43 +0100
arnaud gaboury <arnaud.gaboury at gmail.com> wrote:
> Dear all,
> I am slowly building an Arch Linux VM guest on my Arch Linux host.
> The guest machine is now built and is recognized as shown by this command:
> gabx at hortensia ➤➤ ~ % machinectl list
> MACHINE CONTAINER SERVICE
> dahlia container nspawn
> 1 machines listed.
> I am following the libvirt.org documentation. Now, according to this
> page about the lxc driver, I am dealing with namespace requirements.
> This sentence, in bold, puzzles me:
> A suitably configured UID/GID mapping is a pre-requisite to making
> containers secure, in the absence of sVirt confinement.
> If I understand what a namespace is, I have no idea how to make sure
> my UID/GID mapping is well configured. I would appreciate having any
> hints about this part of the settings.
User namespaces are currently disabled in the -ARCH kernel, so you should
either build your own kernel, or do not configure any mapping (it is optional).
> Another question: is there any advantage/disadvantage using the lxc
> Userspace tools instead of libvirt to manage these namespaces ?
Namespaces are a property of the kernel, not a userspace tool, so both are
Having said that, I prefer lxc tools because they are somewhat more flexible
and come with fewer dependencies.
Also notice, that if you don't need an advanced network configuration,
systemd-nspawn may be sufficient for your purposes.
> Thank you for your help.
GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
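On the question of how to tell whether a UID/GID mapping is actually in effect, the following is an added example, not code from this thread nor from lxc or libvirt: it classifies a process's /proc/<pid>/uid_map (is the container's root really the host's root?) and checks whether the running kernel permits user namespaces at all. The function names and the sample maps are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a user-namespace UID mapping
# as read from /proc/<pid>/uid_map. Each line reads "<inside> <outside> <count>".
# The security question is simply: which host UID does the container's UID 0 get?

# classify_uid_map MAP_TEXT -> prints one of: empty | host-root | remapped | root-unmapped
classify_uid_map() {
    printf '%s\n' "$1" | awk '
        NF < 3 { next }
        { lines++ }
        # only a line starting at inside-UID 0 can cover the container root
        $1 == 0 { covers_root = 1; outside_root = $2 }
        END {
            if (lines == 0)             print "empty"         # no map written yet
            else if (!covers_root)      print "root-unmapped" # UID 0 has no host identity
            else if (outside_root == 0) print "host-root"     # container root == host root
            else                        print "remapped"      # root is an unprivileged host UID
        }'
}

# userns_enabled -> exit 0 if the running kernel allows user namespaces, 1 otherwise.
# /proc/sys/user/max_user_namespaces exists on kernels >= 4.9; on older kernels
# (such as the -ARCH one discussed above) fall back to CONFIG_USER_NS in /proc/config.gz.
userns_enabled() {
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_USER_NS=y'
    else
        return 1
    fi
}

# Constructed sample maps: no remapping, a remapped container, and a map that skips root.
IDENTITY_MAP='0 0 4294967295'
REMAPPED_MAP='0 100000 65536'
PARTIAL_MAP='1000 1000 1'

if [ "${1:-}" = "--self" ]; then
    # inspect the kernel and the calling shell's own namespace
    echo "kernel user namespaces: $(userns_enabled && echo enabled || echo disabled)"
    echo "this process: $(classify_uid_map "$(cat /proc/self/uid_map)")"
fi
```

Run it with `--self` on the host, or feed it `/proc/<pid>/uid_map` of a container's init to see whether the mapping libvirt or lxc applied actually moves root off host UID 0.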