[arch-general] Linux container

Leonid Isaev lisaev at umail.iu.edu
Wed Feb 12 14:30:26 EST 2014

On Wed, 12 Feb 2014 12:59:43 +0100
arnaud gaboury <arnaud.gaboury at gmail.com> wrote:

> Dear all,
> I am slowly building an Arch Linux VM guest on my Arch Linux host.
> The guest machine is now built and is recognized as shown by this command :
> gabx at hortensia ➤➤ ~ % machinectl list
> MACHINE                          CONTAINER SERVICE
> dahlia                           container nspawn
> 1 machines listed.
> I am following the libvirt.org documentation. Now, according to this
> page[1] about the lxc driver, I am dealing with namespace requirements.
> This sentence, in bold, puzzles me:
> A suitably configured UID/GID mapping is a pre-requisite to making
> containers secure, in the absence of sVirt confinement.
> If I understand what a namespace is, I have no idea how to make sure
> my UID/GID mapping is well configured. I would appreciate having any
> hints about this part of the settings.

User namespaces are currently disabled in the -ARCH kernel, so you should
either build your own kernel, or do not configure any mapping (it is optional).

> Another question : is there any advantage/disadvantage using the lxc
> Userspace tools[2] instead of libvirt to manage these namespaces ?

Namespaces are a property of the kernel, not of a userspace tool, so both are

Having said that, I prefer lxc tools because they are somewhat more flexible
and come with fewer dependencies.

Also note that if you don't need an advanced network configuration,
systemd-nspawn may be sufficient for your purposes.

> Thank you for help.
> [1]http://libvirt.org/drvlxc.html
> [2]http://linuxcontainers.org/

Leonid Isaev
GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
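As an added example (not from this thread, and not libvirt's or lxc's own tooling), here is a POSIX shell script that does the two checks the reply above implies: whether the running kernel was built with CONFIG_USER_NS, and whether an unprivileged user can actually create a user namespace. It then shows what a /proc/<pid>/uid_map line means by translating a namespace UID to the host UID, which is the part of "a suitably configured UID/GID mapping" that the question is really about. It assumes util-linux's unshare is installed and that the kernel config is exposed at /proc/config.gz or /boot/config-$(uname -r); the uid_map text fed to map_uid_to_host at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes util-linux
# `unshare` and a readable kernel config (/proc/config.gz or
# /boot/config-$(uname -r)).

# Report whether CONFIG_USER_NS is set in the running kernel's config.
# Prints "y", "n" or "unknown" (config not readable on this system).
userns_kernel_config() {
    cfg=""
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz 2>/dev/null) || cfg=""
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)") || cfg=""
    fi
    if [ -z "$cfg" ]; then
        echo unknown
    elif printf '%s\n' "$cfg" | grep -q '^CONFIG_USER_NS=y$'; then
        echo y
    else
        echo n
    fi
}

# Functional check: can this (unprivileged) process create a user
# namespace at all? Prints "yes" or "no"; "no" also covers a missing
# `unshare` binary or a kernel/sysctl that refuses CLONE_NEWUSER.
userns_can_unshare() {
    if command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Translate a UID as seen inside the namespace to the host UID, using
# uid_map text whose lines read "<inside-start> <outside-start> <count>".
# Prints the host UID, or 65534 (the kernel's overflow "nobody" id) when
# the UID is outside every mapped range, which is what an empty map gives.
map_uid_to_host() {
    map=$1   # uid_map contents (constructed sample input in the demo below)
    uid=$2
    printf '%s\n' "$map" | awk -v uid="$uid" '
        NF == 3 && uid >= $1 && uid < $1 + $3 {
            print $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) print 65534 }'
}

# Show the mapping the kernel applies to a fresh unprivileged user
# namespace: with no map written the namespace has no mapping and you
# appear as the overflow uid; with `unshare -r` util-linux writes
# "0 <your-uid> 1", so you are root inside but still your own UID outside.
demo_uid_map() {
    echo "uid_map of a bare unprivileged user namespace (empty = unmapped):"
    unshare -U sh -c 'cat /proc/self/uid_map; echo "inside uid: $(id -u)"' \
        || echo "(unshare -U failed)"
    echo "uid_map after unshare -r (util-linux maps your uid to 0):"
    unshare -U -r sh -c 'cat /proc/self/uid_map; echo "inside uid: $(id -u)"' \
        || echo "(unshare -r failed)"
}

echo "CONFIG_USER_NS: $(userns_kernel_config)"
echo "can unshare -U: $(userns_can_unshare)"
if [ "$(userns_can_unshare)" = yes ]; then
    demo_uid_map
fi

# Constructed sample map, in the shape libvirt's <idmap> or lxc's
# lxc.id_map end up writing: namespace uids 0..9 become host 1000..1009.
echo "ns uid 5 -> host uid $(map_uid_to_host '0 1000 10' 5)"
echo "ns uid 10 -> host uid $(map_uid_to_host '0 1000 10' 10)"
```

On a kernel built without user namespaces, as the reply says the -ARCH kernel was at the time, the first line prints "n" and the unshare -U check fails, so the demo is skipped and only the table lookups run. The useful security property to verify on a kernel that does support them is that the outside-start ranges for each container are disjoint from each other and from the host's real user accounts: a container root that maps to host UID 0, or to a range overlapping a real user, is exactly the misconfiguration the libvirt page warns about.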