User namespaces - Phase 1

[icecrime]

Description

User namespaces are a long awaited feature, on which Phil Estes (@estesp) did some amazing work (see #12648). Unfortunately, the integration unexpectedly conflicted with the recent introduction of libnetwork.

We want to fix this for 1.9.0 and be able to merge Phil's work, which means:

• All containers have their own user namespace (effectively preventing the use of --net=host or --net=container:<id>).
• A daemon-wide setting remaps the root user for all containers.

How to

We need the following:

• Patch to libcontainer to enable a hook after namespaces creation (Add prestart/poststop hooks to runc opencontainers/runc#160) - while the hooks in runc/160 are for runC configs specifically, a separate PR (Implement hooks in libcontainer code base opencontainers/runc#261) brought the same function into libcontainer directly and is merged and already vendored into Docker with the 0.0.4 vendor merge
• Patch to libnetwork to enable a single entrypoint to be called in that hook (Design change to accomodate User namespace requirement libnetwork#429) - PR Vendor-in libnetwork 2baa2ddc78b42f011f55633282ac63a72e1b09c1 #16282 was merged 9/14
• Patch to connect the libcontainer pre-start hook to the new libnetwork sandbox "setExternalKey" function - PR Use libcontainer hook for network namespace info passing to libnetwork's sandbox #16305 merged 9/16
• Re-submitting the user namespace integration PR (@estesp) Phase 1 implementation of user namespaces as a remapped container root #12648 - branch currently has UI as experimental; can be moved into master when necessary

[mrunalp]

PR for hooks in runc opencontainers/runc#160

[estesp]

Thanks @mrunalp!

[bradrydzewski]

@icecrime would you mind providing more detail regarding this item:

All containers have their own user namespace (effectively preventing the use of --net=host or --net=container:id).

If we are using --net=container:<id> today I'm wondering what impact this will have. Will it be possible for a group of containers to share a namespace, effectively accomplishing the same thing as --net=container:<id>?

[rhatdan]

Why is --net=host or --net-container:ID blocked? Doesn't it just treat the PID as the real UID?

Are we developing --user=containerID?

[mrunalp]

With some of the work that is being done in runc, --net-container:ID should work with user namespaces.

[mrunalp]

Actually, to correct myself, it will work with some limitations unless the usernamespace is also shared with the other container.

[thaJeztah]

For inspiration; here's an old PR and discussion on uid-mappings for User namespaces #4572

[estesp]

#12648 re-opened and code rebased on current master while runC/libcontainer and libnetwork work is completed.

Todo items:

• figure out why cgroup mount permission flag change required (d5dcb261f5835097ae1cbbfaba72a27bfdb0f858)
• resolve Ubuntu 3.16 latest kernel update (and 4.1/4.2) kernel break w.r.t. user namespaces: potentially related to http://www.spinics.net/lists/linux-fsdevel/msg86256.html, but maybe not?
• need A container can join namespaces of another container opencontainers/runc#105 finished/vendor updated in docker/docker to validate that docker exec works appropriately with user namespaced original (init) container process.
• need Add prestart/poststop hooks to runc opencontainers/runc#160 merged/vendor updated in docker/docker to get hook capability for use by libnetwork sandbox code update (to resolve user namespace+net namespace conflict)
• understand if we need to close/re-open fd 0, 1, 2 once clone()'d to resolve the open("/dev/std{err,out,..}") use case (ping @crosbymichael re: our conversation on this)

ping @mrunalp

[jessfraz]

Sweet @estesp let me know when we can start testing this on a punch of
images to see what we break ;)

On Wed, Aug 26, 2015 at 10:38 AM, Phil Estes notifications@github.com
wrote:

#12648 #12648 re-opened and code
rebased on current master while runC/libcontainer and libnetwork work is
completed.

Todo items:

• figure out why cgroup mount permission flag change required (d5dcb26
  d5dcb26
  )
• resolve Ubuntu 3.16 latest kernel update (and 4.1/4.2) kernel break
  w.r.t. user namespaces: potentially related to
  http://www.spinics.net/lists/linux-fsdevel/msg86256.html, but maybe
  not?
• need A container can join namespaces of another container opencontainers/runc#105
  A container can join namespaces of another container opencontainers/runc#105 finished/vendor
  updated in docker/docker to validate that docker exec works
  appropriately with user namespaced original (init) container process.
• need Add prestart/poststop hooks to runc opencontainers/runc#160
  Add prestart/poststop hooks to runc opencontainers/runc#160 merged/vendor
  updated in docker/docker to get hook capability for use by
  libnetwork sandbox code update (to resolve user namespace+net namespace
  conflict)

ping @mrunalp https://github.com/mrunalp

—
Reply to this email directly or view it on GitHub
#15187 (comment).