[Dev] [Multiuser] Multi-user support and containers.
jose.bollo at open.eurogiciel.org
Wed Apr 16 11:58:19 GMT 2014
But can you be more precise on what part will be containerized?
From "man 2 unshare" I get:
CLONE_NEWIPC (since Linux 2.6.19)
CLONE_NEWNET (since Linux 2.6.24)
CLONE_NEWUTS (since Linux 2.6.19)
CLONE_SYSVSEM (since Linux 2.6.26)
On Wed, 2014-04-16 at 13:42 +0200, Jacek Pielaszkiewicz wrote:
> Together with my team I'm working on containers in TIZEN. Regarding
> the open discussion about multi-user support, I would like to share our
> proposal and show how we imagine multi-user support in containers.
> Our assumptions are:
> 1. We assumed that any applications/services located in containers will be
> accessing services located on the host or in other containers.
> This implies that there must exist in the system a global service (Cynara)
> that controls the security policy for the whole system.
> 2. Cynara will control security policies for services located both
> on the host and in containers.
> Containers will not have their own Cynara instance. We don't see any benefit
> in that.
> It would only complicate the solution, because some security rules will have
> to be applied on the host (a container must have access to some services
> located directly on the host or in other containers).
> All containers must share a common IPC to allow container services to
> communicate with the global Cynara instance.
> 3. We assumed that a new user can be created on the host and in containers as
> Containers and the host will have a dedicated service to manage users (for example
> A user creation/update in the container will trigger the creation/update
> of the corresponding user on the host.
> User management services on the host and in containers will have to populate
> security policies into Cynara (in case of user creation/update).
> 4. The installer (responsible for setting up new and removing existing applications)
> will have to populate the security policies required by the application into
> 5. Cynara identifies security policies by user id. Therefore all users on
> the system (on the host and in containers) will have to have unique ids. This
> means that:
> - any user created in any container and on the host must be registered in
> - any user in the system (on the host and in any container) must have a unique
> - In case "user namespaces" are not available or not used, any
> running in the container that interacts with external services should not
> be run as the root
> user (UID = 0) - the problem is how to distinguish "container root" from "host
> - In case "user namespaces" are available, all container user/group ids
> must be mapped into a unique range.
> The enclosed files show as examples two typical usage scenarios -
> service usage
> authorization and user creation. The examples show cases from a container
> I will be grateful for your opinions and comments.
> Best regards
> Jacek Pielaszkiewicz
> Samsung R&D Institute Poland
> Samsung Electronics
> Email: j.pielaszkie at samsung.com
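Added example (not code from the thread or from Tizen): the "unique range" requirement in point 5 of the quoted proposal, as a Python script that parses /proc/<pid>/uid_map lines, translates a container-local UID into the global UID a policy service like Cynara would key on, and flags containers whose host-side ranges overlap. The container names and map contents are constructed.

```python
# uid_map line format, as the kernel writes it for a user namespace:
#   <first id inside the namespace> <first id on the host> <count>
from typing import Dict, List, Optional, Tuple

Mapping = Tuple[int, int, int]  # (inside_start, host_start, count)


def parse_uid_map(text: str) -> List[Mapping]:
    """Parse uid_map/gid_map content into (inside, host, count) triples."""
    mappings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, host, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        mappings.append((inside, host, count))
    return mappings


def to_host_uid(container_uid: int, mappings: List[Mapping]) -> Optional[int]:
    """Global (host) UID for a container-local UID, or None if it is unmapped.

    An unmapped UID shows up on the host as the overflow id ("nobody"), so a
    global policy service must treat None as "no identity", not as a user.
    """
    for inside, host, count in mappings:
        if inside <= container_uid < inside + count:
            return host + (container_uid - inside)
    return None


def overlapping_ranges(maps_by_container: Dict[str, List[Mapping]]) -> List[Tuple[str, str]]:
    """Pairs of containers whose host-side UID ranges overlap.

    An overlap makes two distinct container users collapse into one global id,
    which breaks the "every user on the system has a unique id" assumption.
    """
    ranges = [(name, host, host + count)
              for name, maps in maps_by_container.items() for _, host, count in maps]
    clashes = []
    for i, (a, a_lo, a_hi) in enumerate(ranges):
        for b, b_lo, b_hi in ranges[i + 1:]:
            if a != b and a_lo < b_hi and b_lo < a_hi:
                clashes.append((a, b))
    return clashes


# Constructed sample maps for three containers (not from any real system).
SAMPLE_MAPS = {
    "container-a": parse_uid_map("0 100000 65536\n"),
    "container-b": parse_uid_map("0 165536 65536\n"),
    "container-c": parse_uid_map("0 150000 65536\n"),  # collides with container-a
}
```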