Re: Building a BSD-jail clone out of namespaces

From: Chris Webb
Date: Thu Jun 27 2013 - 09:43:17 EST


Chris Webb <chris@xxxxxxxxxxxx> writes:

> Prompted by the new userns support merged in the 3.8/3.9 kernels, I've been
> playing with namespaces and trying to understand how I could use them to
> build containers to replace some of my uses of qemu-kvm virtual machines.

I now have most things working as I'd want and am just polishing my
userspace container tool before release to make sure it fits well with
common conventions such as those mentioned at

http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/

and parses /etc/subuid and /etc/subgid files in the format you've defined
them in your shadow patches. I was delighted by how it all nests nicely,
provided I bind mount my /dev nodes from the level above rather than try to
mknod them in the outer container.

I'd like to arrange for slightly different behaviour when the tool is run at
the top-level 'host' user namespace, for example warning about attempts to
map the dangerous UID 0.

Is there a canonical way to detect when I'm in the top-level user namespace?
I can clearly try doing something which should be impossible for a
non-top-level root user like opening /proc/kpageflags for reading or
/proc/sys/ctrl-alt-del for writing, but I wondered if there was something
more idiomatic as a test? (Some sort of 'get parent namespace' that might
return null at top-level maybe?)

Cheers,

Chris.
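
Added example, not part of the original message or the author's tool: one commonly used heuristic for the question above is to read /proc/self/uid_map and check for the single identity extent "0 0 4294967295" that the initial user namespace shows, then warn only when a requested mapping includes outer UID 0. The function names and the three-field request syntax are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* One extent of a uid_map/gid_map line: "<inside> <outside> <count>". */
struct extent { unsigned long inside, outside, count; };

static int parse_extent(const char *s, struct extent *e)
{
    return sscanf(s, "%lu %lu %lu", &e->inside, &e->outside, &e->count) == 3;
}

/* Heuristic, not a kernel-provided test: the initial user namespace
 * shows exactly one extent mapping the whole 32-bit id space onto itself.
 * An empty map (new, not yet mapped namespace) or several extents fail. */
int looks_like_initial_userns(const char *map)
{
    struct extent e;
    const char *nl = strchr(map, '\n');

    if (!parse_extent(map, &e))
        return 0;
    if (nl && nl[1] != '\0')
        return 0;                       /* more than one extent */
    return e.inside == 0 && e.outside == 0 && e.count == 4294967295UL;
}

/* Warn only at top level, and only if the requested extent (hypothetical
 * syntax, same three fields) starts at outer UID 0 and is non-empty. */
int should_warn_root_mapping(const char *self_map, const char *requested)
{
    struct extent e;

    if (!parse_extent(requested, &e) || e.count == 0)
        return 0;
    return e.outside == 0 && looks_like_initial_userns(self_map);
}

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/uid_map", "r");

    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
    }
    /* "0 0 1" is a constructed request mapping container root to outer root. */
    printf("initial userns: %d, warn for \"0 0 1\": %d\n",
           looks_like_initial_userns(buf), should_warn_root_mapping(buf, "0 0 1"));
    return 0;
}
```

A privileged process can write the same full identity map into a child namespace, so a match means "probably top-level", not proof of it.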