Re: chroot(2) and bind mounts as non-root

[Colin Walters <walters@verbum.org>]

On Mon, 2011-12-19 at 01:22 -0800, Eric W. Biederman wrote:
> "
> As long as Colin only cares about being able to be the root user I
> agree.  

I don't actually need "pretend to be uid 0" functionality myself, but
the "fakeroot" case was cited on the user namespace page, and so I
wanted to understand how it works.

> If Colin needs several uids during his build that is trickier.
> But it sounds like Colin just needs to have a chroot build environment and
> for that a single user sounds good enough.

Right, just need chroot (and bind mounts).

> Being able to use the other namespaces to get a good isolation from the
> host environment is also nice and especially the pid namespace can
> guarantee that processes won't escape his build environment.

Yeah, CLONE_NEWPID is great.

> It is one of those worse is better implementation details but we can
> discuss that more when I start posting patches in January. 
> 
> I am not an immediate fan of writing random uids to disk.  Uids being
> persistent can be interesting to deal with if those uids are ever
> reused.

Right...

> Right now my implementation supports just 5 non-overlapping uid mapping
> ranges.  Which is enough to cover a lot of uids but still fit within one
> cacheline.  And I think to keep stat reasonable fast I want at to fit in
> a cacheline at least for now.  Oy.  Hopefully it isn't too hard to find
> some benchmarks to prove this out.  I expect the torture case is to
> time ls -l in a huge directory with a lot of files, owned by a lot of
> different users.

Where's the current user namespace tree?  The link on
https://wiki.ubuntu.com/UserNamespace is broken.

Is it:
http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=summary

?