On Thu, 11.06.15 09:40, Richard Weinberger (richard.weinber...@gmail.com) wrote:
> Hi!
>
> Recent systemd-nspawn seems to support unprivileged containers (user
> namespaces). That's awesome, thank you guys for working on that!

Well, the name "unprivileged containers" usually is used for the concept where you don't need any privs to start and run a container. We don't support that, and that's turned off in the kernel of Fedora at least, for good reasons.

We do support user namespaces now, but we require privs on the host to set them up.

I doubt though that UID namespacing as it is now is really that useful: you have to prep your images first, apply a uid shift to all file ownership and ACLs of your tree, and this needs to be done manually. This makes it pretty hard to deploy since you cannot boot unmodified container images this way you download from the internet. Also, since there is no sane, established scheme for allocating UID ranges for the containers automatically.

So far uid namespaces hence appear mostly like a useless exercise, far from being deployable in real life hence.

> Maybe you can help me to sort this out, can I run any systemd enabled
> distribution using the most current systemd-nspawn?
> Say, my host is FC22 using systemd-nspawn from git, can it spawn an
> openSUSE 13.2 container which has only systemd v210?
>
> Or has the systemd version on the container side to match the systemd
> version on the host side?

It generally does not have to match. We try to maintain compatibility there (though we make no guarantees -- the stuff is too new). That said, newer systemd versions work much better in nspawn than older ones, and v210 is pretty old already.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
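The manual "uid shift" step described in the reply above, as an added example that is not part of the original thread and not systemd's own tooling: it walks an image tree, maps every in-container uid/gid to a host id with the nspawn-style rule host_id = base + container_id, refuses ids that would fall outside the container's id range (a 65536-id range is assumed here, as is the base id of 1048576 used in the test values), and only changes ownership when explicitly told to. POSIX ACL entries also carry uids and are not rewritten by this script; that is left to setfacl.

```python
"""Shift file ownership of a container image tree into a host uid/gid range.

Added example (not from the systemd project). Mapping assumed:
    host_uid = base_uid + container_uid, for container ids in [0, range_size).
Ids at or above range_size cannot be represented inside a user namespace of
that size, so the plan is rejected before any inode is touched.
"""
import os
import sys
from typing import Iterable, Iterator, List, Tuple

RANGE_SIZE = 65536  # assumed per-container id range, one full 16-bit space

Entry = Tuple[str, int, int]                      # (path, uid, gid)
PlanItem = Tuple[str, int, int, int, int]         # (path, old_uid, old_gid, new_uid, new_gid)


def shift_ids(uid: int, gid: int, base_uid: int, base_gid: int,
              range_size: int = RANGE_SIZE) -> Tuple[int, int]:
    """Map one in-container (uid, gid) pair to host ids, or raise ValueError."""
    if not (0 <= uid < range_size and 0 <= gid < range_size):
        raise ValueError(f"id outside container range: uid={uid} gid={gid}")
    return base_uid + uid, base_gid + gid


def walk_tree(root: str) -> Iterator[Entry]:
    """Yield every inode in the tree with its current owner.

    os.lstat is used so that symlinks are reported (and later chowned) as
    themselves instead of following them out of the image tree.
    """
    st = os.lstat(root)
    yield root, st.st_uid, st.st_gid
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield path, st.st_uid, st.st_gid


def plan_shift(entries: Iterable[Entry], base_uid: int, base_gid: int,
               range_size: int = RANGE_SIZE) -> List[PlanItem]:
    """Compute the new owner of every entry; fail as a whole if any id cannot map."""
    plan: List[PlanItem] = []
    for path, uid, gid in entries:
        new_uid, new_gid = shift_ids(uid, gid, base_uid, base_gid, range_size)
        plan.append((path, uid, gid, new_uid, new_gid))
    return plan


def apply_plan(plan: Iterable[PlanItem], dry_run: bool = True) -> int:
    """Apply (or only count) the planned chowns; returns the number of entries."""
    count = 0
    for path, _old_uid, _old_gid, new_uid, new_gid in plan:
        if not dry_run:
            os.lchown(path, new_uid, new_gid)  # needs CAP_CHOWN on the host
        count += 1
    return count


def main(argv: List[str]) -> int:
    if len(argv) < 3:
        print(f"usage: {argv[0]} IMAGE_ROOT BASE_UID [BASE_GID] [--apply]",
              file=sys.stderr)
        return 2
    root, base_uid = argv[1], int(argv[2])
    base_gid = int(argv[3]) if len(argv) > 3 and argv[3].isdigit() else base_uid
    dry_run = "--apply" not in argv
    try:
        plan = plan_shift(walk_tree(root), base_uid, base_gid)
    except ValueError as exc:
        print(f"refusing to shift: {exc}", file=sys.stderr)
        return 1
    for path, old_uid, old_gid, new_uid, new_gid in plan:
        print(f"{path}: {old_uid}:{old_gid} -> {new_uid}:{new_gid}")
    n = apply_plan(plan, dry_run=dry_run)
    print(f"{'would change' if dry_run else 'changed'} {n} inodes", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once without `--apply` to review the planned mapping; an image that has already been shifted will show ids at or above the range size and is rejected rather than shifted a second time.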