[arch-general] Linux container

Timothée Ravier siosm99 at gmail.com
Wed Feb 12 14:31:14 EST 2014

On 12/02/2014 20:06, ProgAndy wrote:
> To secure your container you have to make sure that the users in the
> container will be represented as different ids to the host system.
> Especially root in the container must not have root access to the host.
> Here is some more reading material for you:
> http://libvirt.org/drvlxc.html#secureusers
> http://libvirt.org/formatdomain.html#elementsOSContainer

The (kernel) feature discussed here is the user namespace. It enables
cointainers to have a different uid/guid mapping than the one on the
host. This should be a safe way to allow root users inside containers
whitout giving them full access on the host at the same time.

This feature is relatively new and is not enabled in the default Arch
Linux kernel:
$ zgrep USER_NS /proc/config.gz
# CONFIG_USER_NS is not set

You'll have to build a custom kernel.

Timothée Ravier

More information about the arch-general mailing list