mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
man: document new nspawn functionality around unpriv support
This commit is contained in:
parent
29df5667c3
commit
327daea5e9
@ -841,6 +841,12 @@
|
||||
host and container UIDs/GIDs are chosen identically it does provide process capability isolation,
|
||||
but may be useful if proper user namespacing with distinct UID maps is not possible. This option is
|
||||
not secure and must not be used to run untrusted code.</para></listitem>
|
||||
|
||||
<listitem><para>If the parameter is <literal>managed</literal>, user namespacing is employed with
|
||||
in <emphasis>managed</emphasis> mode, i.e. allocation of a UID range is delegated to
|
||||
<citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
|
||||
mode is selected by default if invoked unprivileged, but can also be requested explicitly when
|
||||
privileged. In this mode a 64K UID range is automatically picked.</para></listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>It is recommended to assign at least 65536 UIDs/GIDs to each container, so that the usable
|
||||
@ -852,18 +858,23 @@
|
||||
<para>When user namespaces are used, the GID range assigned to each container is always chosen
|
||||
identical to the UID range.</para>
|
||||
|
||||
<para>In most cases, using <option>--private-users=pick</option> is the recommended option as user
|
||||
namespacing is required for security, and this option massively enhances container security while
|
||||
<para>In most cases, <option>--private-users=managed</option> (or when privileged
|
||||
<option>--private-users=pick</option>, too) is the recommended option as user
|
||||
namespacing is advised for security, and this option massively enhances container security while
|
||||
operating fully automatically in most cases.</para>
|
||||
|
||||
<para>Note that the picked UID/GID range is not written to <filename>/etc/passwd</filename> or
|
||||
<filename>/etc/group</filename>. In fact, the allocation of the range is not stored persistently,
|
||||
except in the file ownership of the files and directories of the container.</para>
|
||||
except possibly in the file ownership of the files and directories of the container, see
|
||||
<option>--private-users-ownership=</option>.</para>
|
||||
|
||||
<para>Note that when user namespacing is used file ownership on disk reflects this, and all of the container's
|
||||
files and directories are owned by the container's effective user and group IDs. This means that copying files
|
||||
from and to the container image requires correction of the numeric UID/GID values, according to the UID/GID
|
||||
shift applied.</para>
|
||||
<para>Note that when user namespacing is used without UID mapping (see below) file ownership on disk
|
||||
reflects this, and all of the container's files and directories are owned by the container's
|
||||
effective user and group IDs. This means that copying files from and to the container image requires
|
||||
correction of the numeric UID/GID values, according to the UID/GID shift applied.</para>
|
||||
|
||||
<para>Note that for fully unprivileged operation in <literal>managed</literal> mode, any directory
|
||||
image should be ownd by the foreign UID range.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v220"/></listitem>
|
||||
</varlistentry>
|
||||
@ -875,8 +886,10 @@
|
||||
chosen with <option>--private-users=</option>, see above. Takes one of <literal>off</literal> (to
|
||||
leave the image as is), <literal>chown</literal> (to recursively <function>chown()</function> the
|
||||
container's directory tree as needed), <literal>map</literal> (in order to use transparent ID mapping
|
||||
mounts) or <literal>auto</literal> for automatically using <literal>map</literal> where available and
|
||||
<literal>chown</literal> where not.</para>
|
||||
mounts from UID 0 to the target UID range), <literal>foreign</literal> (the same, but from the
|
||||
foreign UID range base) or <literal>auto</literal> for automatically using <literal>map</literal> or
|
||||
<literal>foreign</literal>, where available and applicable and <literal>chown</literal> where
|
||||
not.</para>
|
||||
|
||||
<para>If <literal>chown</literal> is selected, all files and directories in the container's directory
|
||||
tree will be adjusted so that they are owned by the appropriate UIDs/GIDs selected for the container
|
||||
@ -884,14 +897,19 @@
|
||||
directory tree of the container. Besides actual file ownership, file ACLs are adjusted as
|
||||
well.</para>
|
||||
|
||||
<para>Typically <literal>map</literal> is the best choice, since it transparently maps UIDs/GIDs in
|
||||
memory as needed without modifying the image, and without requiring an expensive recursive adjustment
|
||||
operation. However, it is not available for all file systems, currently.</para>
|
||||
<para>Typically <literal>foreign</literal> or <literal>map</literal> is the best choice, since it
|
||||
transparently maps UIDs/GIDs in memory as needed without modifying the image, and without requiring
|
||||
an expensive recursive adjustment operation. However, it is not available for all file systems,
|
||||
currently.</para>
|
||||
|
||||
<para>The <option>--private-users-ownership=auto</option> option is implied if
|
||||
<option>--private-users=pick</option> is used. This option has no effect if user namespacing is not
|
||||
used.</para>
|
||||
|
||||
<para><citerefentry><refentrytitle>systemd-dissect</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
||||
<option>--shift</option> switch may be used to shift UID/GID ownership from or to the 0, foreign or
|
||||
specific container UID/GID base outside of any <command>systemd-nspawn</command></para> invocation.
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v230"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user