From 03cfe0d51499e86b1573d121337594719d9f2012 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 21 May 2015 16:30:58 +0200 Subject: nspawn: finish user namespace support --- man/systemd-nspawn.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'man/systemd-nspawn.xml') diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 3a2af2711c..6a5db86cec 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -320,6 +320,42 @@ + + + + Enables user namespacing. If enabled the + container will run with its own private set of Unix user and + group ids (UIDs and GIDs). Takes none, one or two + colon-separated parameters: the first parameter specifies the + first host UID to assign to the container, the second + parameter specifies the number of host UIDs to assign to the + container. If the second parameter is omitted, 65536 UIDs are + assigned. If the first parameter is also ommitted (and hence + no parameter passed at all), the first UID assigned to the + container is read from the owner of the root directory of the + container's directory tree. By default no user namespacing is + applied. + + Note that user namespacing currently requires OS trees + that are prepared for the UID shift that is being applied: + UIDs and GIDs used for file ownership or in file ACL entries + must be shifted to the container UID base that is + used during container runtime. + + It is recommended to assign as least 65536 UIDs to each + container, so that the usable UID range in the container + covers 16bit. For best security do not assign overlapping UID + ranges to multiple containers. It is hence a good idea to use + the upper 16bit of the host 32bit UIDs as container + identifier, while the lower 16bit encode the container UID + used. + + When user namespaces are used the GID range assigned to + each container is always chosen identical to the UID + range. + + + -- cgit v1.2.3-54-g00ecf
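Review bot: the new paragraphs carry two spelling errors that would ship in the man page: "ommitted" should read "omitted" (in "If the first parameter is also ommitted"), and "as least 65536 UIDs" should read "at least 65536 UIDs". As a style point, "16bit" and "32bit" read better as "16-bit" and "32-bit", consistent with "65536 UIDs" being written out elsewhere in the same hunk. On substance, the paragraph that says OS trees "must be shifted to the container UID base" tells the reader that preparation is required but not how to do it or what the container sees when a file's owner falls outside the assigned range; a sentence pointing at the expected workflow, or an explicit statement that unshifted trees are not supported, would save users from discovering this by trial. Finally, since the default count (65536) already matches the recommended minimum, the recommendation paragraph could say so, to make clear that only the first parameter normally needs choosing and that the non-overlap advice is about picking distinct bases per container.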