[Dev] [Multiuser] Multi-user support and containers.
j.pielaszkie at samsung.com
Wed Apr 16 15:17:53 GMT 2014
We plan to create fully separated containers (all namespaces will be enabled).
Due to some problems with user namespaces (for example, SMACK doesn't support namespaces),
the user namespace will probably not be ENABLED in the initial version.
Samsung R&D Institute Poland
Email: j.pielaszkie at samsung.com
> -----Original Message-----
> From: José Bollo [mailto:jose.bollo at open.eurogiciel.org]
> Sent: Wednesday, April 16, 2014 1:58 PM
> To: Jacek Pielaszkiewicz
> Cc: dev at lists.tizen.org
> Subject: Re: [Dev] [Multiuser] Multi-user support and containers.
> Why not.
> But can you be more precise on what part will be containerized?
> From "man 2 unshare" I get:
> CLONE_NEWIPC (since Linux 2.6.19)
> CLONE_NEWNET (since Linux 2.6.24)
> CLONE_NEWUTS (since Linux 2.6.19)
> CLONE_SYSVSEM (since Linux 2.6.26)
> Best regards
> On mer, 2014-04-16 at 13:42 +0200, Jacek Pielaszkiewicz wrote:
> > Hi,
> > Together with my team I'm working on containers in TIZEN.
> > Regarding the open discussion about multi-user support, I would like to
> > share our proposal and show how we imagine multi-user support in
> > Our assumptions are:
> > 1. We assumed that any application/services located in containers are
> > able to access services located on the host or in other containers.
> > It implies that there must exist in the system a global service (Cynara)
> > that will control the security policy for the whole system.
> > 2. Cynara will control security policies for both services running
> > directly on the host as well as in containers.
> > Containers will not have their own Cynara instance. We don't see any
> > benefits in that.
> > It will only complicate the solution, because some security rules will
> > have to be applied on the host (a container must have access to some
> > services located directly on the host or in other containers).
> > All containers must share a common IPC to allow container services to
> > communicate with the global Cynara instance.
> > 3. We assumed that a new user can be created on the host and in
> > containers as well.
> > Containers and the host will have a dedicated service to manage users
> > (for example gumd).
> > A user creation/update in the container will trigger the creation of
> > the corresponding user on the host.
> > User management services on the host and in containers will have to
> > populate security policies into Cynara (in case of user creation/update).
> > 4. The installer (responsible for setting up new and removing existing
> > applications) will have to populate the security policies required by
> > the application into Cynara.
> > 5. Cynara identifies a security policy by user id. Therefore all users
> > on the system (on the host and in containers) will have to have unique
> > ids. As a consequence:
> > - any user created in any container or on the host must be registered
> > in Cynara
> > - any user in the system (on the host and in any container) must have
> > a unique id.
> > - In case "user namespaces" is not available or is not used, any
> > service/application running in the container that interacts with
> > external services should not be run as the root user (UID = 0) - the
> > problem is how to distinguish "container root" from "host root".
> > - In case "user namespaces" is available, all container user/group ids
> > must be mapped into a unique range.
> > The enclosed files show, as an example, two typical usage scenarios:
> > service usage authorization and user creation. The examples show the
> > cases from a container perspective.
> > I will be grateful for your opinions and comments.
> > Best regards
> > Jacek Pielaszkiewicz
> > Samsung R&D Institute Poland
> > Samsung Electronics
> > Email: j.pielaszkie at samsung.com
> > _______________________________________________
> > Dev mailing list
> > Dev at lists.tizen.org
> > https://lists.tizen.org/listinfo/dev
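Point 5 of the quoted proposal (one policy service keyed by user id, hence system-wide unique ids, and the "container root" versus "host root" problem when user namespaces are not used), modelled as an added example that is not code from this thread, from Tizen or from Cynara. The range size, base id, container names, client name and privilege name are constructed for the example; `cynara_check` is a stand-in, not the Cynara API.

```python
from collections import defaultdict

RANGE_SIZE = 65536            # ids reserved per container (constructed value)
FIRST_CONTAINER_UID = 100000  # first id above the host's own users (assumption)

class UidRegistry:
    """Hands each container a disjoint id range and translates a container-local
    id into the system-wide id that the global policy service keys on."""
    def __init__(self):
        self.ranges = {}                     # container name -> base host uid
        self.next_base = FIRST_CONTAINER_UID

    def register_container(self, name):
        base = self.next_base
        self.ranges[name] = base
        self.next_base += RANGE_SIZE
        return base

    def global_uid(self, container, local_uid, user_ns=True):
        if container is None or not user_ns:  # host process, or no uid mapping:
            return local_uid                  # container uid 0 == host uid 0
        if not 0 <= local_uid < RANGE_SIZE:
            raise ValueError("uid outside the container's mapped range")
        return self.ranges[container] + local_uid

def find_collisions(registry, users, user_ns):
    """Global ids claimed by more than one (container, local uid) pair."""
    owners = defaultdict(set)
    for container, uid in users:
        owners[registry.global_uid(container, uid, user_ns)].add((container, uid))
    return sorted(gid for gid, who in owners.items() if len(who) > 1)

def cynara_check(rules, uid, client, privilege):
    """Stand-in for the single global policy service: rules keyed by uid."""
    return (uid, client, privilege) in rules

def demo(user_ns):
    # Two containers plus the host; one privilege granted to host root only.
    reg = UidRegistry()
    reg.register_container("appA")
    reg.register_container("appB")
    users = [(None, 0), (None, 1000), ("appA", 0), ("appA", 1000), ("appB", 0)]
    rules = {(0, "host-daemon", "example-privilege")}      # host uid 0 only
    container_root = reg.global_uid("appA", 0, user_ns)
    return {"collisions": find_collisions(reg, users, user_ns),
            "container_root_passes":
                cynara_check(rules, container_root, "host-daemon", "example-privilege")}
```

Without a uid mapping, `demo(False)` reports ids 0 and 1000 as shared between host and containers and the container's root passes a rule meant for host root; with the mapping, `demo(True)` reports no collisions and the rule no longer matches.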