containers: automatically use user namespaces on supporting systems #28425
Conversation
On kernels that support user namespaces, `-U` enables their use. This is the default if `systemd-nspawn@.service` is used (which it isn't (yet) in `containers.nix`). Basically, a 16-bit subset (that is not 0-65535) of the 32-bit UID and GID spaces is chosen and used as the hosts' UID and GID segments the container's UID and GID ranges map to. The container's directory will be `chown`ed recursively to ensure that this works.
|
@evujumenuk, thanks for your PR! By analyzing the history of the files in this pull request, we identified @wavewave, @edolstra and @kampfschlaefer to be potential reviewers. |
|
Sounds good! Have you tested this? |
|
Nope, not at all :) Right now, I don't have (access to) a system that is set up correctly to test this. I also don't know whether separate UIDs and/or separate GIDs for processes and/or files break anyone's workflow. Comments welcome! Maybe this isn't such a great idea after all. Also, we'd get this change for free if |
|
Thanks for the info. I'll give this a spin soon! |
| @@ -123,7 +123,7 @@ let | |||
| EXIT_ON_REBOOT=1 \ | |||
| exec ${config.systemd.package}/bin/systemd-nspawn \ | |||
| --keep-unit \ | |||
| -M "$INSTANCE" -D "$root" $extraFlags \ | |||
| -M "$INSTANCE" -D "$root" -U $extraFlags \ | |||
There was a problem hiding this comment.
I also attempted to do this, but I have at the moment several problems with systemd related services running in nspawn in unprivileged mode. A different problem is, that you cannot setup setuid wrappers in a user namespaces.
There was a problem hiding this comment.
User namespaces are unlikely to work for all applications. For instance, bind-mounting a host data directory into a user-namespaced container may lead to ownership and permission issues. I prefer to use user namespaces on a case-by-case basis. #35541 proposes an extraFlags option to pass additional flags like -U to systemd-nspawn.
There was a problem hiding this comment.
systemd-nspawn does not even start for me at the moment. An upstream patch is required.
There was a problem hiding this comment.
Bind mouting would require shiftfs to be upstreamed in the linux kernel.
There was a problem hiding this comment.
Guess we'll have to wait then...
|
This pull request has been mentioned on Nix community. There might be relevant details there: https://discourse.nixos.org/t/nixos-container-limitations/1835/4 |
@Mic92 do you have a test case for that? I added the option |
|
@asbachb Could have been fixed in the meantime. A different problem for enabling that by default are our setuid/setcap wrappers. In usernamespaces those are not allowed, which can break tools like sudo or services like postfix. |
|
@Mic92 I see. Basically I wanted to know if there are known problems with user namespaces enabled. I wonder if the feature is stable enough or if it's useful to assign it a dedicated configuration value like |
|
This is an old PR, and #35541 added a generic workaround ( @evujumenuk if you still want to push this change, please add it as |
danbst
added
the
6.topic: nixos-container
On kernels that support user namespaces,
-Uenables their use. This is the default ifsystemd-nspawn@.serviceis used (which it isn't (yet) incontainers.nix).Basically, a 16-bit subset (that is not 0-65535) of the 32-bit UID and GID spaces is chosen and used as the hosts' UID and GID segments the container's UID and GID ranges map to. The container's directory will be
chowned recursively to ensure that this works.Motivation for this change
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)