From c01ff965b48bb9693dcd77cbc748b5d8676766b0 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 9 Jul 2015 14:46:20 -0300 Subject: nss-mymachines: map userns users of containers to real user names Given a container "foo", that maps user id $UID to container user, using user namespaces, this NSS module extension will now map the $UID to a name "vu-foo-$TUID" for the translated UID $UID. Similarly, userns groups are mapped to "vg-foo-$TGID" for translated GIDs of $GID. This simple change should make userns users more discoverable. Also, given that many tools like "adduser" check NSS before allocating a UID, should lower the chance of UID range conflicts between tools. --- man/nss-mymachines.xml | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) (limited to 'man/nss-mymachines.xml') diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml index eb1ed2592b..41ec458e4b 100644 --- a/man/nss-mymachines.xml +++ b/man/nss-mymachines.xml 
@@ -59,21 +59,26 @@ nss-mymachines is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing hostname resolution for - containers running locally, that are registered with + container names of containers running locally, that are registered + with systemd-machined.service8. - The container names are resolved to IP addresses of the specific - container, ordered by their scope. + The container names are resolved to the IP addresses of the + specific container, ordered by their scope. + + The module also resolves user IDs used by containers to user + names indicating the container name, and back. To activate the NSS modules, mymachines - has to be added to the line starting with - hosts: in + has to be added to the lines starting with + hosts:, passwd: and + group: in /etc/nsswitch.conf. It is recommended to place mymachines - near the end of the nsswitch.conf line to - make sure that this mapping is only used as fallback, and any DNS - or /etc/hosts based mapping takes - precedence. + near the end of the nsswitch.conf lines to + make sure that its mappings are only used as fallback, and any + other mappings, such as DNS or /etc/hosts + based mappings take precedence. @@ -82,17 +87,17 @@ Here's an example /etc/nsswitch.conf file, that enables mymachines correctly: -passwd: compat -group: compat -shadow: compat + passwd: compat mymachines +group: compat mymachines +shadow: compat -hosts: files dns mymachines myhostname +hosts: files dns mymachines myhostname networks: files protocols: db files services: db files -ethers: db files -rpc: db files +ethers: db files +rpc: db files netgroup: nis -- cgit v1.2.3-54-g00ecf
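Review bot: in the first hunk (@@ -59,21 +59,26 @@), the new paragraph "The module also resolves user IDs used by containers to user names indicating the container name, and back." leaves the reader without the actual name format, which is the one thing an administrator inspecting getent output or a tool checking NSS before allocating a UID needs to know; the commit message defines it as "vu-foo-$TUID" for users and "vg-foo-$TGID" for groups of a container "foo", so suggest stating that in the man page, for example "User IDs of container "foo" are mapped to names of the form vu-foo-$TUID, and group IDs to names of the form vg-foo-$TGID." Two wording points in the same hunk: "container names of containers running locally, that are registered with" should read "..., which are registered with" (or drop the comma), and the last sentence needs a comma after "based mappings" before "take precedence". The ordering advice itself is sound for passwd: and group: as well as hosts:: with mymachines placed last, a locally defined user or group with the same name or ID is answered by the earlier sources before the container mapping is consulted, which is the fallback behaviour the paragraph describes.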
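Review bot: in the second hunk (@@ -82,17 +87,17 @@), the replacement line "+ passwd: compat mymachines" carries a leading space that the following "+group: compat mymachines" line does not, so the rendered example will show the first entry indented differently from the rest; drop the leading whitespace so the three entries align. The hunk also rewrites the hosts:, ethers: and rpc: lines with no visible content change, which reads as whitespace-only churn unrelated to the passwd/group addition; restrict the hunk to the passwd: and group: lines (leaving shadow: untouched is correct, since the prose above lists only passwd:, group: and hosts: as the lines to extend), or move the whitespace cleanup into its own commit so the documentation change stays reviewable on its own.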