What are user namespaces? Sticking with the apartment complex analogy, the numbering of users and groups have historically been the same in every container and in the underlying host, just like public channel 10 is generally the same in every unit in an apartment building.
But, imagine that people in different apartments are getting their television signal from different cable and satellite companies. Channel 10 is now different for for each person. It might be sports for one person, and news for another.
Historically, in the Linux kernel, there was a single data structure which held users and groups. Starting in kernel version 3.8
, user namespaces were implemented. Using the clone() system call with the CLONE_NEWUSER flag, a separate user namespace can be created. Think of these as nested data structures within a new namespace. In this new namespace, there is a virtual set of users and groups. These users and groups, beginning with uid/gid 0 are mapped to a non-trusted (not root) uid/gid outside the namespace.
In modern Linux kernels, administrators can create about four billion users, 4,294,967,294 (unsigned 32 bit integer) to be specific. These four billion users can be mapped among each user namespace, giving administrators plenty of scalability.
useradd -u 4294967294 testusr
Try 4294967295 yourself….
User Namespaces and Containers
With a user namespace, different containers can have completely different user (uid) and group (gid) numbers. User 500 in the container A may map to user 1500 outside the container and user 500 in container B can map to user 2500 outside the container.
So, why would I want to do this? Well, this is especially useful for providing root access inside of a container. Imagine that the root user (uid 0) in container A maps to uid 1000, and that root in container B maps to user id 2000 outside the container. Similar to network port mapping, this allows the administrator to give someone uid 0 (root) in the container without giving them uid 0 on the underlying system. It also allows a user to freely add/delete users inside the container.
This may sound good at first, but there’s more to the story. Going back to the apartment complex analogy, imagine that each renter could modify their own electric and plumbing. Each person would be their own miniature superintendent. Imagine a single user wired their apartment without using the proper gauge wiring, this could create risk for all of the other renters.
Work to Be Done
So, checking the kernel commit logs, user namespaces were added in kernel version 3.8 and Red Hat Enterprise Linux 7 has kernel 3.10, but namespaces don’t work in Red Hat Enterprise Linux 7.1, what gives? Well, through the Fedora Project, the wider Linux community and internally, Red Hat has been working on user namespaces for quite some time and we view it as a great feature to encourage container adoption. That said, Red Hat disabled them, because we think that user namespaces need to incubate in the upstream community longer to fully understand the security implications and mitigate/remediate any exploits/attack vectors that could expose our customers to malicious activity. Put differently, as with all of Red Hat’s enterprise products, including our solutions that focus on Linux containers (like Red Hat Enterprise Linux Atomic Host and OpenShift Enterprise 3), we don’t enable features until we are sure that they are ready for enterprise use.
As suggested above, the upstream Fedora community has enabled this feature in the latest versions of Fedora Cloud, Fedora Server and Fedora Workstation as part of the project’s commitment to leading-edge Linux technologies, which provides an excellent test bed for how this feature behaves in practice and allows for continued community innovation around it, a vital component of the enterprise hardening process.
It’s also important to note that for user namespaces to be easily consumable by end users, this feature must also be enabled in Docker. Currently (July 2015), user namespaces are not enabled in Docker, but Red Hat is working with the upstream community to enable them.
The goal of Red Hat Enterprise Linux and all of its specialized offerings is to provide customers with a stable, secure, and easy to manage operating environment on which they can deploy their applications. Red Hat’s approach to enabling user namespaces only for the root user, is a reflection of the incredibly high bar that we set for product security. Software is changing rapidly, and there is a constant struggle between features and security and Red Hat is hard at work driving both forward.
Update: As of September 2015, user namespaces have been enabled as a Technology Preview in the beta release of Red Hat Enterprise Linux 7.2.
Über den Autor
Nach Thema durchsuchen
Automatisierung
Das Neueste zum Thema IT-Automatisierung für Technologien, Teams und Umgebungen
Künstliche Intelligenz
Erfahren Sie das Neueste von den Plattformen, die es Kunden ermöglichen, KI-Workloads beliebig auszuführen
Open Hybrid Cloud
Erfahren Sie, wie wir eine flexiblere Zukunft mit Hybrid Clouds schaffen.
Sicherheit
Erfahren Sie, wie wir Risiken in verschiedenen Umgebungen und Technologien reduzieren
Edge Computing
Erfahren Sie das Neueste von den Plattformen, die die Operations am Edge vereinfachen
Infrastruktur
Erfahren Sie das Neueste von der weltweit führenden Linux-Plattform für Unternehmen
Anwendungen
Entdecken Sie unsere Lösungen für komplexe Herausforderungen bei Anwendungen
Original Shows
Interessantes von den Experten, die die Technologien in Unternehmen mitgestalten
Produkte
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud-Services
- Alle Produkte anzeigen
Tools
- Training & Zertifizierung
- Eigenes Konto
- Kundensupport
- Für Entwickler
- Partner finden
- Red Hat Ecosystem Catalog
- Mehrwert von Red Hat berechnen
- Dokumentation
Testen, kaufen und verkaufen
Kommunizieren
Über Red Hat
Als weltweit größter Anbieter von Open-Source-Software-Lösungen für Unternehmen stellen wir Linux-, Cloud-, Container- und Kubernetes-Technologien bereit. Wir bieten robuste Lösungen, die es Unternehmen erleichtern, plattform- und umgebungsübergreifend zu arbeiten – vom Rechenzentrum bis zum Netzwerkrand.
Wählen Sie eine Sprache
Red Hat legal and privacy links
- Über Red Hat
- Jobs bei Red Hat
- Veranstaltungen
- Standorte
- Red Hat kontaktieren
- Red Hat Blog
- Diversität, Gleichberechtigung und Inklusion
- Cool Stuff Store
- Red Hat Summit