improve documentation of unshare mode
parent
02769190ad
commit
46fc269b54
1 changed files with 22 additions and 6 deletions
28
mmdebstrap
|
@ -6649,14 +6649,30 @@ needs to be able to mount and thus requires C<SYS_CAP_ADMIN>.
|
||||||
|
|
||||||
=item B<unshare>
|
=item B<unshare>
|
||||||
|
|
||||||
This mode uses Linux user namespaces to allow unprivileged use of chroot and
|
When used as a normal (not root) user, this mode uses Linux user namespaces to
|
||||||
creation of files that appear to be owned by the superuser inside the unshared
|
allow unprivileged use of chroot and creation of files that appear to be owned
|
||||||
namespace. A tarball created in this mode should be bit-by-bit identical to a
|
by the superuser inside the unshared namespace. A tarball created in this mode
|
||||||
tarball created with the B<root> mode.
|
will be bit-by-bit identical to a tarball created with the B<root> mode. With
|
||||||
|
this mode, the only binaries that will run as the root user will be
|
||||||
|
B<newuidmap(1)> and B<newgidmap(1)> via their setuid bit. Running those
|
||||||
|
successfully requires F</etc/subuid> and F</etc/subgid> to have an entry for
|
||||||
|
your username. This entry was usually created by B<adduser(8)> already.
|
||||||
|
|
||||||
|
The unshared user will not automatically have access to the same files as you
|
||||||
|
do. This is intentional and an additional security against unintended changes
|
||||||
|
to your files that could theoretically result from running B<mmdebstrap> and
|
||||||
|
package maintainer scripts. To copy files in and out of the chroot, either use
|
||||||
|
globally readable or writable directories or use special hooks like B<copy-in>
|
||||||
|
and B<copy-out>.
|
||||||
|
|
||||||
|
Besides the user namespace, the mount, pid (process ids), uts (hostname) and
|
||||||
|
ipc namespaces will be unshared as well. See the man pages of B<namespaces(7)>
|
||||||
|
and B<unshare(2)> as well as the manual pages they are linking to.
|
||||||
|
|
||||||
A directory chroot created with this mode will end up with wrong ownership
|
A directory chroot created with this mode will end up with wrong ownership
|
||||||
information. For correct ownership information, the directory must be accessed
|
information (seen from outside the unshared user namespace). For correct
|
||||||
from a user namespace with the right subuid/subgid offset, like so:
|
ownership information, the directory must be accessed from a user namespace
|
||||||
|
with the right subuid/subgid offset, like so:
|
||||||
|
|
||||||
$ lxc-usernsexec -- lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- \
|
$ lxc-usernsexec -- lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- \
|
||||||
> /usr/sbin/chroot ./debian-rootfs /bin/bash
|
> /usr/sbin/chroot ./debian-rootfs /bin/bash
|
||||||
|
|
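Review bot: In the added sentence "the only binaries that will run as the root user will be B<newuidmap(1)> and B<newgidmap(1)>", "the root user" is ambiguous, because the same paragraph already speaks of the superuser inside the unshared namespace. Wording such as "the only binaries that will run as the real root user (outside the user namespace)" would make the security claim precise. The new opening "When used as a normal (not root) user" also leaves undocumented what this mode does when invoked as root; one sentence covering that case would close the gap. The change from "should be bit-by-bit identical" to "will be bit-by-bit identical" turns an expectation into a guarantee, so keep "should" unless that is verified. Smaller wording points in the added text: "an additional security against" reads better as "an additional safeguard against", "This entry was usually created" as "This entry is usually created", and "they are linking to" as "they link to". Outside the changed lines, the hunk header context shows C<SYS_CAP_ADMIN>; the Linux capability is named CAP_SYS_ADMIN, which could be corrected in the same pass.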