Proposal: Support for user namespaces
dineshs-altiscale opened this issue · comments
The details of user namespace support have been discussed quite a bit under the following docker and libcontainer PRs. However, there was never really a proposal to provide a space to discuss the big picture. This issue is created to cover that purpose.
#4572
docker-archive/libcontainer#23
docker-archive/libcontainer#53
To summarize, docker support for user namespaces requires the backend exec driver to provide the necessary system interface. Currently LXC supports it but libcontainer support is gated by Go (https://code.google.com/p/go/issues/detail?id=8447).
One of the questions to answer is whether the high level support in Docker (regardless of the backend) can be shepherded along based on LXC, while Go issues for libcontainer are being worked out in parallel. If so, we can discuss approaches currently proposed in #4572 along with other potential alternatives.
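As an added example (not code from this issue, Docker or libcontainer), the following Go program parses the kernel's `/proc/<pid>/uid_map` format that any user-namespace implementation ends up writing, and translates IDs across the boundary in both directions. The single mapping line used as input is constructed for the example; the `ParseIDMap`, `ToHost` and `ToContainer` names are this example's own. It shows the property that makes user namespaces interesting from an isolation standpoint: uid 0 inside the namespace is an unprivileged uid outside, and host uid 0 has no image inside at all.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// IDMapping is one line of /proc/<pid>/uid_map or gid_map:
// "<id-inside-ns> <id-outside-ns> <length>". The kernel keeps at
// most a handful of these lines per namespace.
type IDMapping struct {
	ContainerID int // first id as seen inside the namespace
	HostID      int // first id as seen by the kernel/host
	Size        int // number of consecutive ids covered
}

// sampleUIDMap is a constructed mapping: container uids 0..65535
// correspond to host uids 100000..165535 (a common subordinate-uid range).
const sampleUIDMap = "0 100000 65536\n"

// ParseIDMap parses the text of a uid_map/gid_map file.
func ParseIDMap(text string) ([]IDMapping, error) {
	var maps []IDMapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue // tolerate blank lines
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed mapping line %q", sc.Text())
		}
		var vals [3]int
		for i, f := range fields {
			v, err := strconv.Atoi(f)
			if err != nil || v < 0 {
				return nil, fmt.Errorf("bad field %q in %q", f, sc.Text())
			}
			vals[i] = v
		}
		if vals[2] == 0 {
			return nil, fmt.Errorf("zero-length mapping in %q", sc.Text())
		}
		maps = append(maps, IDMapping{ContainerID: vals[0], HostID: vals[1], Size: vals[2]})
	}
	return maps, sc.Err()
}

// ToHost returns the host id for an id seen inside the namespace.
// ok is false when the id is not covered by any mapping (the kernel
// would then report the overflow id, usually 65534, to the host side).
func ToHost(maps []IDMapping, containerID int) (hostID int, ok bool) {
	for _, m := range maps {
		if containerID >= m.ContainerID && containerID < m.ContainerID+m.Size {
			return m.HostID + (containerID - m.ContainerID), true
		}
	}
	return 0, false
}

// ToContainer is the inverse: the id a host id appears as inside the
// namespace, or ok == false if the host id is invisible in there.
func ToContainer(maps []IDMapping, hostID int) (containerID int, ok bool) {
	for _, m := range maps {
		if hostID >= m.HostID && hostID < m.HostID+m.Size {
			return m.ContainerID + (hostID - m.HostID), true
		}
	}
	return 0, false
}

func main() {
	maps, err := ParseIDMap(sampleUIDMap)
	if err != nil {
		panic(err)
	}
	// Root inside the namespace is an ordinary host uid.
	h, _ := ToHost(maps, 0)
	fmt.Printf("container uid 0 -> host uid %d\n", h)
	// Host root does not exist inside the namespace.
	_, ok := ToContainer(maps, 0)
	fmt.Printf("host uid 0 visible inside namespace: %v\n", ok)
	// Ids past the mapped range are unmapped.
	_, ok = ToHost(maps, 65536)
	fmt.Printf("container uid 65536 mapped: %v\n", ok)
}
```

The translation is the same arithmetic the kernel applies on every ownership check (file ownership, ptrace, capability checks), which is why a file owned by host uid 0 shows up as `nobody`/overflow inside a container whose map does not include host uid 0.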
Has the potential development of this feature come to a halt?
It would have been a great addition, from security/isolation perspective.
@gdm85 There will be support in native driver in 1.6.
@LK4D4 Where can we track the progress of that development work if not in this issue?
What @jaybuff said.
Very excited about this - is it definitely confirmed for docker 1.6?
See PR #11253 for the user-facing proposal. I can't confirm that all components will make it for 1.6, but work is ongoing. The most important is to have the libcontainer version that has the support in the Docker vendor tree, and that PR (to update libcontainer in vendor/ and use the new libcontainer API) is going through review at the moment.
Could this have label project/security added?
Is this already available in the latest 1.6 rc?
Not yet - plan is for v1.7
Do we know if this is going to make 1.7? I can't see it in the listed features https://github.com/docker/libnetwork/wiki/Docker-1.7-Project-Page
Due to some issues that were exposed recently this has been pushed out to after v1.7.
@duglin I'd like to be able to track the progress on this feature. userns are quite important to my planning
@afolarin we'll probably continue to use the open PR to track progress: #12648
At this point we have some work to resolve the order of namespace creation and some recently realized restrictions in the Linux kernel namespaces implementation. With the inclusion of libnetwork in 1.7, this "surprise" was exposed and we had to keep user namespaces out of 1.7 until we resolve this.
Any projections as to when this will be available?