What are user namespaces? Sticking with the apartment complex analogy, the numbering of users and groups have historically been the same in every container and in the underlying host, just like public channel 10 is generally the same in every unit in an apartment building.
But, imagine that people in different apartments are getting their television signal from different cable and satellite companies. Channel 10 is now different for for each person. It might be sports for one person, and news for another.
Historically, in the Linux kernel, there was a single data structure which held users and groups. Starting in kernel version 3.8
, user namespaces were implemented. Using the clone() system call with the CLONE_NEWUSER flag, a separate user namespace can be created. Think of these as nested data structures within a new namespace. In this new namespace, there is a virtual set of users and groups. These users and groups, beginning with uid/gid 0 are mapped to a non-trusted (not root) uid/gid outside the namespace.
In modern Linux kernels, administrators can create about four billion users, 4,294,967,294 (unsigned 32 bit integer) to be specific. These four billion users can be mapped among each user namespace, giving administrators plenty of scalability.
useradd -u 4294967294 testusr
Try 4294967295 yourself….
User Namespaces and Containers
With a user namespace, different containers can have completely different user (uid) and group (gid) numbers. User 500 in the container A may map to user 1500 outside the container and user 500 in container B can map to user 2500 outside the container.
So, why would I want to do this? Well, this is especially useful for providing root access inside of a container. Imagine that the root user (uid 0) in container A maps to uid 1000, and that root in container B maps to user id 2000 outside the container. Similar to network port mapping, this allows the administrator to give someone uid 0 (root) in the container without giving them uid 0 on the underlying system. It also allows a user to freely add/delete users inside the container.
This may sound good at first, but there’s more to the story. Going back to the apartment complex analogy, imagine that each renter could modify their own electric and plumbing. Each person would be their own miniature superintendent. Imagine a single user wired their apartment without using the proper gauge wiring, this could create risk for all of the other renters.
Work to Be Done
So, checking the kernel commit logs, user namespaces were added in kernel version 3.8 and Red Hat Enterprise Linux 7 has kernel 3.10, but namespaces don’t work in Red Hat Enterprise Linux 7.1, what gives? Well, through the Fedora Project, the wider Linux community and internally, Red Hat has been working on user namespaces for quite some time and we view it as a great feature to encourage container adoption. That said, Red Hat disabled them, because we think that user namespaces need to incubate in the upstream community longer to fully understand the security implications and mitigate/remediate any exploits/attack vectors that could expose our customers to malicious activity. Put differently, as with all of Red Hat’s enterprise products, including our solutions that focus on Linux containers (like Red Hat Enterprise Linux Atomic Host and OpenShift Enterprise 3), we don’t enable features until we are sure that they are ready for enterprise use.
As suggested above, the upstream Fedora community has enabled this feature in the latest versions of Fedora Cloud, Fedora Server and Fedora Workstation as part of the project’s commitment to leading-edge Linux technologies, which provides an excellent test bed for how this feature behaves in practice and allows for continued community innovation around it, a vital component of the enterprise hardening process.
It’s also important to note that for user namespaces to be easily consumable by end users, this feature must also be enabled in Docker. Currently (July 2015), user namespaces are not enabled in Docker, but Red Hat is working with the upstream community to enable them.
The goal of Red Hat Enterprise Linux and all of its specialized offerings is to provide customers with a stable, secure, and easy to manage operating environment on which they can deploy their applications. Red Hat’s approach to enabling user namespaces only for the root user, is a reflection of the incredibly high bar that we set for product security. Software is changing rapidly, and there is a constant struggle between features and security and Red Hat is hard at work driving both forward.
Update: As of September 2015, user namespaces have been enabled as a Technology Preview in the beta release of Red Hat Enterprise Linux 7.2.
À propos de l'auteur
Parcourir par canal
Automatisation
Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Cloud hybride ouvert
Découvrez comment créer un avenir flexible grâce au cloud hybride
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Programmes originaux
Histoires passionnantes de créateurs et de leaders de technologies d'entreprise
Produits
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Services cloud
- Voir tous les produits
Outils
- Formation et certification
- Mon compte
- Assistance client
- Ressources développeurs
- Rechercher un partenaire
- Red Hat Ecosystem Catalog
- Calculateur de valeur Red Hat
- Documentation
Essayer, acheter et vendre
Communication
- Contacter le service commercial
- Contactez notre service clientèle
- Contacter le service de formation
- Réseaux sociaux
À propos de Red Hat
Premier éditeur mondial de solutions Open Source pour les entreprises, nous fournissons des technologies Linux, cloud, de conteneurs et Kubernetes. Nous proposons des solutions stables qui aident les entreprises à jongler avec les divers environnements et plateformes, du cœur du datacenter à la périphérie du réseau.
Sélectionner une langue
Red Hat legal and privacy links
- À propos de Red Hat
- Carrières
- Événements
- Bureaux
- Contacter Red Hat
- Lire le blog Red Hat
- Diversité, équité et inclusion
- Cool Stuff Store
- Red Hat Summit