What are user namespaces? Sticking with the apartment complex analogy, the numbering of users and groups have historically been the same in every container and in the underlying host, just like public channel 10 is generally the same in every unit in an apartment building.
But, imagine that people in different apartments are getting their television signal from different cable and satellite companies. Channel 10 is now different for for each person. It might be sports for one person, and news for another.
Historically, in the Linux kernel, there was a single data structure which held users and groups. Starting in kernel version 3.8
, user namespaces were implemented. Using the clone() system call with the CLONE_NEWUSER flag, a separate user namespace can be created. Think of these as nested data structures within a new namespace. In this new namespace, there is a virtual set of users and groups. These users and groups, beginning with uid/gid 0 are mapped to a non-trusted (not root) uid/gid outside the namespace.
In modern Linux kernels, administrators can create about four billion users, 4,294,967,294 (unsigned 32 bit integer) to be specific. These four billion users can be mapped among each user namespace, giving administrators plenty of scalability.
useradd -u 4294967294 testusr
Try 4294967295 yourself….
User Namespaces and Containers
With a user namespace, different containers can have completely different user (uid) and group (gid) numbers. User 500 in the container A may map to user 1500 outside the container and user 500 in container B can map to user 2500 outside the container.
So, why would I want to do this? Well, this is especially useful for providing root access inside of a container. Imagine that the root user (uid 0) in container A maps to uid 1000, and that root in container B maps to user id 2000 outside the container. Similar to network port mapping, this allows the administrator to give someone uid 0 (root) in the container without giving them uid 0 on the underlying system. It also allows a user to freely add/delete users inside the container.
This may sound good at first, but there’s more to the story. Going back to the apartment complex analogy, imagine that each renter could modify their own electric and plumbing. Each person would be their own miniature superintendent. Imagine a single user wired their apartment without using the proper gauge wiring, this could create risk for all of the other renters.
Work to Be Done
So, checking the kernel commit logs, user namespaces were added in kernel version 3.8 and Red Hat Enterprise Linux 7 has kernel 3.10, but namespaces don’t work in Red Hat Enterprise Linux 7.1, what gives? Well, through the Fedora Project, the wider Linux community and internally, Red Hat has been working on user namespaces for quite some time and we view it as a great feature to encourage container adoption. That said, Red Hat disabled them, because we think that user namespaces need to incubate in the upstream community longer to fully understand the security implications and mitigate/remediate any exploits/attack vectors that could expose our customers to malicious activity. Put differently, as with all of Red Hat’s enterprise products, including our solutions that focus on Linux containers (like Red Hat Enterprise Linux Atomic Host and OpenShift Enterprise 3), we don’t enable features until we are sure that they are ready for enterprise use.
As suggested above, the upstream Fedora community has enabled this feature in the latest versions of Fedora Cloud, Fedora Server and Fedora Workstation as part of the project’s commitment to leading-edge Linux technologies, which provides an excellent test bed for how this feature behaves in practice and allows for continued community innovation around it, a vital component of the enterprise hardening process.
It’s also important to note that for user namespaces to be easily consumable by end users, this feature must also be enabled in Docker. Currently (July 2015), user namespaces are not enabled in Docker, but Red Hat is working with the upstream community to enable them.
The goal of Red Hat Enterprise Linux and all of its specialized offerings is to provide customers with a stable, secure, and easy to manage operating environment on which they can deploy their applications. Red Hat’s approach to enabling user namespaces only for the root user, is a reflection of the incredibly high bar that we set for product security. Software is changing rapidly, and there is a constant struggle between features and security and Red Hat is hard at work driving both forward.
Update: As of September 2015, user namespaces have been enabled as a Technology Preview in the beta release of Red Hat Enterprise Linux 7.2.
저자 소개
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.