github.com/stackdocker/rkt@v0.10.1-0.20151109095037-1aa827478248/Documentation/devel/user-namespaces.md (about)

User namespaces
===============

Background
----------

User namespaces are a Linux feature that can be used to separate the user IDs
and group IDs between the host and containers. They can provide better
isolation and security: the privileged user `root` in the container can be
mapped to a non-privileged user on the host.

Implementation status
---------------------

rkt has an initial experimental implementation based on systemd-nspawn. A pod
can transparently use user IDs in the range 0-65535 and this range is mapped on
the host to a high range chosen randomly.

Before the pod is started, the ACIs are rendered to the filesystem and the
owners of the files are set with `chown` to IDs in that high range.

Future work
-----------

#### Choosing the UID range

When starting several pods with user namespaces, they will each get a random
UID range. In order to avoid collisions, it is planned to implement a locking
mechanism so that two pods will always have a different UID range.
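
The mapping from "Implementation status" and the collision avoidance planned here, sketched as an added example (not rkt's or systemd-nspawn's code). The names `Allocator` and `HostID`, the 64K-aligned slots and their bounds are assumptions, and the in-process mutex stands in for the planned cross-process lock.

```go
package main

import (
	"fmt"
	"math/rand"
	"sync"
)

const (
	rangeSize = 65536 // a pod sees IDs 0-65535
	minSlot   = 8     // assumption: lowest host base is 8*65536 = 524288
	numSlots  = 1024  // assumption: number of candidate 64K-aligned ranges
)

// Allocator hands out non-overlapping host ID ranges, one per pod.
type Allocator struct {
	mu   sync.Mutex
	used map[uint32]bool // slot index -> taken
}

func NewAllocator() *Allocator { return &Allocator{used: map[uint32]bool{}} }

// Allocate picks a random free slot and returns its host base ID.
func (a *Allocator) Allocate() (uint32, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	if len(a.used) >= numSlots {
		return 0, fmt.Errorf("no free ID range left")
	}
	for {
		slot := minSlot + uint32(rand.Intn(numSlots))
		if !a.used[slot] { // retry on collision with a running pod
			a.used[slot] = true
			return slot * rangeSize, nil
		}
	}
}

// HostID maps an in-pod UID/GID to the host ID used when chown-ing files.
func HostID(base, id uint32) (uint32, error) {
	if id >= rangeSize {
		return 0, fmt.Errorf("id %d is outside the pod range 0-%d", id, rangeSize-1)
	}
	return base + id, nil
}

func main() {
	base, _ := NewAllocator().Allocate()
	fmt.Println(HostID(base, 0)) // pod root lands on a high, non-privileged host ID
}
```

Rejecting IDs at or above 65536 keeps a pod's files from being chowned into a neighbouring pod's range.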

#### Working with overlayfs

The initial implementation works only with `--no-overlay`. Ideally, preparing a
pod should not have to iterate over all files to call `chown`.

It is planned to add kernel support for a mount option to shift the user IDs in
the correct range (https://github.com/coreos/rkt/issues/1057). That would make
user namespaces work with overlayfs.

#### Volumes

When mounting a volume from the host into the pod, the ownership of the files
is not shifted, which makes volumes difficult if not impossible to use with
user namespaces. The same kernel support should help here too
(https://github.com/coreos/rkt/issues/1057).