lxc: linux Container library
(C) Copyright IBM Corp. 2007, 2008
Daniel Lezcano <daniel.lezcano at free.fr>
Serge Hallyn <serge.hallyn at ubuntu.com>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Translated into Japanese
by KATOH Yasufumi <karma at jazz.email.ne.jp>
<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
 <refentrytitle>lxc-usernsexec</refentrytitle>
 Run a task as root in a new user namespace.
 </refpurpose>
 </refnamediv>
 <refsynopsisdiv>
 <cmdsynopsis>
 <arg choice="opt">-m <replaceable>uid-map</replaceable></arg>
 </cmdsynopsis>
 </refsynopsisdiv>
 <command>lxc-usernsexec</command> can be used to run a task as root
 in a new user namespace.
 <variablelist>
 <varlistentry>
 <option>-m <replaceable>uid-map</replaceable></option>
 The uid map to use in the user namespace. Each map consists of
 four colon-separated values. First a character 'u', 'g' or 'b' to
 specify whether this map pertains to user ids, group ids, or
 both; next the first userid in the user namespace; next the
 first userid as seen on the host; and finally the number of
 ids to be mapped.
 More than one map can be specified. If no map is
 specified, then by default the full uid and gid ranges granted
 by /etc/subuid and /etc/subgid will be mapped to the
 uids and gids starting at 0 in the container.
 Note that <replaceable>lxc-usernsexec</replaceable> always tries
 to setuid and setgid to 0 in the namespace. Therefore uid 0 in
 the namespace must be mapped.
 </varlistentry>
 </variablelist>
 To spawn a shell with the full allotted subuids mapped into
 the container, use
 <programlisting>
 lxc-usernsexec
 </programlisting>
 To run a different shell than <replaceable>/bin/sh</replaceable>, use
 <programlisting>
 lxc-usernsexec -- /bin/bash
 </programlisting>
 If your user id is 1000, root in a container is mapped to 190000, and
 you wish to chown a file you own to root in the container, you can use:
 <programlisting>
 lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file
 </programlisting>
 This maps your userid to root in the user namespace, and 190000 to uid 1.
 Since root in the user namespace is privileged over all userids mapped
 into the namespace, you are allowed to change the file ownership, which
 you could not do on the host using a simple chown.
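As an added illustration (not lxc's own code), the following Python models the -m map syntax described above and the chown example: it parses each u/g/b:ns_start:host_start:count map, rejects map sets that leave id 0 unmapped or that overlap inside the namespace, and translates a namespace id to the host id it lands on. The IdRange type and the function names are assumptions made for this example.

```python
# Added example (not lxc's own code): models the -m map syntax 'kind:ns_start:host_start:count'.
from dataclasses import dataclass

@dataclass(frozen=True)
class IdRange:
    ns_start: int    # first id inside the user namespace
    host_start: int  # first id as seen on the host
    count: int       # number of ids mapped

    def covers(self, ns_id):
        return self.ns_start <= ns_id < self.ns_start + self.count

def parse_map(spec):
    """Parse one -m map; 'b' yields both a uid and a gid range."""
    parts = spec.split(":")
    if len(parts) != 4 or parts[0] not in ("u", "g", "b"):
        raise ValueError("expected u|g|b:ns_start:host_start:count, got %r" % spec)
    ns_start, host_start, count = (int(p) for p in parts[1:])  # ValueError if not numeric
    if ns_start < 0 or host_start < 0 or count <= 0:
        raise ValueError("ids must be >= 0 and count > 0 in %r" % spec)
    rng = IdRange(ns_start, host_start, count)
    return ([rng] if parts[0] in "ub" else []), ([rng] if parts[0] in "gb" else [])

def build_maps(specs):
    """Combine all -m maps. Id 0 must be mapped in both uid and gid space, because
    lxc-usernsexec setuid/setgids to 0 in the namespace; namespace ranges must not overlap."""
    uids, gids = [], []
    for spec in specs:
        u, g = parse_map(spec)
        uids.extend(u)
        gids.extend(g)
    for name, ranges in (("uid", uids), ("gid", gids)):
        if not any(r.covers(0) for r in ranges):
            raise ValueError("%s 0 in the namespace is not mapped" % name)
        for i, a in enumerate(ranges):
            for b in ranges[i + 1:]:
                if a.covers(b.ns_start) or b.covers(a.ns_start):
                    raise ValueError("overlapping %s ranges: %r and %r" % (name, a, b))
    return uids, gids

def host_id(ranges, ns_id):
    """Host id that a namespace id maps to, or None if it is unmapped."""
    for r in ranges:
        if r.covers(ns_id):
            return r.host_start + (ns_id - r.ns_start)
    return None

def render(ranges):
    """Lines in the format of /proc/<pid>/uid_map and gid_map."""
    return "\n".join("%d %d %d" % (r.ns_start, r.host_start, r.count) for r in ranges)
```

With the page's two maps, chown 1:1 inside the namespace is seen on the host as ownership by 190000:190000, which is what host_id reports for id 1.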
 <para>Serge Hallyn <email>serge.hallyn@ubuntu.com</email></para>
<!-- Keep this comment at the end of the file
Local variables:
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil