diff options
| author | Lennart Poettering <lennart@poettering.net> | 2015-05-21 16:30:58 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2015-05-21 16:32:01 +0200 |
| commit | 03cfe0d51499e86b1573d121337594719d9f2012 (patch) | |
| tree | cb76a92a501b16909f879944a4ad29ce88eefbad /man/systemd-nspawn.xml | |
| parent | ef6fc8ee57eff8a2b612de0270c9a25e066ee290 (diff) | |
nspawn: finish user namespace support
Diffstat (limited to 'man/systemd-nspawn.xml')
| -rw-r--r-- | man/systemd-nspawn.xml | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 3a2af2711c..6a5db86cec 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -321,6 +321,42 @@ </varlistentry> <varlistentry> + <term><option>--private-users=</option></term> + + <listitem><para>Enables user namespacing. If enabled the + container will run with its own private set of Unix user and + group ids (UIDs and GIDs). Takes none, one or two + colon-separated parameters: the first parameter specifies the + first host UID to assign to the container, the second + parameter specifies the number of host UIDs to assign to the + container. If the second parameter is omitted, 65536 UIDs are + assigned. If the first parameter is also ommitted (and hence + no parameter passed at all), the first UID assigned to the + container is read from the owner of the root directory of the + container's directory tree. By default no user namespacing is + applied.</para> + + <para>Note that user namespacing currently requires OS trees + that are prepared for the UID shift that is being applied: + UIDs and GIDs used for file ownership or in file ACL entries + must be shifted to the container UID base that is + used during container runtime.</para> + + <para>It is recommended to assign as least 65536 UIDs to each + container, so that the usable UID range in the container + covers 16bit. For best security do not assign overlapping UID + ranges to multiple containers. It is hence a good idea to use + the upper 16bit of the host 32bit UIDs as container + identifier, while the lower 16bit encode the container UID + used.</para> + + <para>When user namespaces are used the GID range assigned to + each container is always chosen identical to the UID + range.</para></listitem> + </varlistentry> + + + <varlistentry> <term><option>--private-network</option></term> <listitem><para>Disconnect networking of the container from |