Hi Ben, On Thu, 30 Jun 2016 13:12:16 -0700 Ben Longbons <brlongbons@gmail.com> wrote: > Now that the kernel supports user_namespaces(7), it should be possible to > debootstrap in them. Some small changes are needed. > > Configuration needed: > * Kernel 3.8 or later (3.11 recommended) > * Set the sysctl kernel.unprivileged_userns_clone to 1 > (Debian-specific "temporary" patch from years ago). > * Install the `uidmap` package and add yourself to /etc/sub[ug]id > * Install the `lxc` package (for one helper binary only) > * Make sure the current directory is searchable by other. > > I have attached the necessary changes as a wrapper script, I find your script highly interesting! A year ago I tried to write a tool that combined the powers of lxc-usernsexec(1) and unshare(1) because I was unable to combine them in a way that would give me both: correct mapping of user and group ids as well as unsharing the user namespace and others. I blogged about it here: https://blog.mister-muffin.de/2015/10/25/unshare-without-superuser-privileges/ and the code is here: https://gitlab.mister-muffin.de/josch/user-unshare/blob/master/user-unshare I do not know whether what you demonstrated now in shell already worked one year ago (in particular I was not aware of the lxc-unshare tool) but your script works fine for me. I'm happy that it seems that I don't have to further dabble with the perl code I came up with because lxc-usernsexec and lxc-unshare seem to be able to do the major grunt work while the rest can be done in simple POSIX shell. Thank you! I wonder though: why would this feature be useful for debootstrap? The resulting directory would have all the wrong ownership information. The directory would only be useful if its user knows exactly how to map the user ids between the host and the unshared user namespace. So my practical question: How do you use the chroots that you create in this fashion? Which commands do you use to work with them? Thanks! cheers, josch
Attachment:
signature.asc
Description: signature