[Dev] [Multiuser] Multi-user support and containers.

José Bollo jose.bollo at open.eurogiciel.org
Wed Apr 16 11:58:19 GMT 2014

Why not.
But can you be more precise on what part will be containerized?
>From "man 2 unshare" I get:
       CLONE_NEWIPC (since Linux 2.6.19)
       CLONE_NEWNET (since Linux 2.6.24)
       CLONE_NEWUTS (since Linux 2.6.19)
       CLONE_SYSVSEM (since Linux 2.6.26)

Best regards

On mer, 2014-04-16 at 13:42 +0200, Jacek Pielaszkiewicz wrote:
> Hi,
>       Together with my team I'm working on containers in TIZEN. Regarding 
> to open discussion about multi-user support I would like share our proposal 
> and show how we imagine multi-user support in containers.
>       Our assumptions are:
> 1. We assumed that any application/services located in containers will be
> able 
>    access services located on host or on other containers. 
>    It implicate that must exists in system a global service (Cynara) that
> will 
>    control security policy for whole system.
> 2. The Cynara will control security policies for both services located
> directly 
>    on the host as well as in containers. 
>    Containers will not have own Cyrana instance. We don't see any benefits
> for that.
>    It will only complicate the solution because and so some security rules
> will have 
>    to be applied on host (a container must have access to some services
> located directly 
>    on host or in other containers).
>    All containers must share common IPC to allow containers services
> communicate 
>    with global Cyrana instance.
> 3. We assumed that new user can be created on host and in containers as
> well. 
>    Containers and host will have dedicated service to mage user (for example
> gumd).
>    A user creation/update in the container will trigger the creation/update 
>    of the corresponding user on the host.
>    User management services on host and in containers will have to populate 
>    security politics into Cynara (in case of user creation/update). 
> 4. Installer (responsible for setup new and removal existing application) 
>    will have to populate required by application security politics into
> Cyrana. 
> 5. The Cynara identify security policy by user id. Therefore all users on 
>    the system (on host and in containers) will have to have unique ids. It
> cause that:
>   - any user created in any container and on the host must be registered in
> Cynara
>   - any user in system (on the host and in any container) must have unique
> id. 
>   - In case if "user namespaces" is not available or is not use, any
> service/application 
>     running in the container that interact with external services should not
> be run as root 
>     user (UID = 0) - problem how to distinguish "container root" from "host
> root".
>   - In case if "user namespaces" is available all container users/groups ids
>     must be mapped into unique range.
>       The enclosed files show as example two typical usage scenarios -
> service usage 
> authorization and user creation. Examples show cases from a container
> perspective.
>       I will be grateful for your opinions and comments.
> Best regards
> Jacek Pielaszkiewicz
> Samsung R&D Institute Poland
> Samsung Electronics
> Email: j.pielaszkie at samsung.com
> _______________________________________________
> Dev mailing list
> Dev at lists.tizen.org
> https://lists.tizen.org/listinfo/dev

More information about the Dev mailing list