diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-07-09 14:46:20 -0300 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-07-09 14:46:20 -0300 |
commit | c01ff965b48bb9693dcd77cbc748b5d8676766b0 (patch) | |
tree | 63e50e4f3d4b6e6d3217fa2bf7f700eb19c258de /man/nss-mymachines.xml | |
parent | Merge pull request #531 from dvdhrm/boot-buildid (diff) | |
download | systemd-c01ff965b48bb9693dcd77cbc748b5d8676766b0.tar.gz systemd-c01ff965b48bb9693dcd77cbc748b5d8676766b0.tar.bz2 systemd-c01ff965b48bb9693dcd77cbc748b5d8676766b0.zip |
nss-mymachines: map userns users of containers to real user names
Given a container "foo", that maps user id $UID to container user, using
user namespaces, this NSS module extenstion will now map the $UID to a
name "vu-foo-$TUID" for the translated UID $UID.
Similar, userns groups are mapped to "vg-foo-$TGID" for translated GIDs
of $GID.
This simple change should make userns users more discoverable. Also,
given that many tools like "adduser" check NSS before allocating a UID,
should lower the chance of UID range conflicts between tools.
Diffstat (limited to 'man/nss-mymachines.xml')
-rw-r--r-- | man/nss-mymachines.xml | 35 |
1 files changed, 20 insertions, 15 deletions
diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml index eb1ed2592..41ec458e4 100644 --- a/man/nss-mymachines.xml +++ b/man/nss-mymachines.xml @@ -59,21 +59,26 @@ <para><command>nss-mymachines</command> is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (<command>glibc</command>) providing hostname resolution for - containers running locally, that are registered with + container names of containers running locally, that are registered + with <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. - The container names are resolved to IP addresses of the specific - container, ordered by their scope.</para> + The container names are resolved to the IP addresses of the + specific container, ordered by their scope.</para> + + <para>The module also resolves user IDs used by containers to user + names indicating the container name, and back.</para> <para>To activate the NSS modules, <literal>mymachines</literal> - has to be added to the line starting with - <literal>hosts:</literal> in + has to be added to the lines starting with + <literal>hosts:</literal>, <literal>passwd:</literal> and + <literal>group:</literal> in <filename>/etc/nsswitch.conf</filename>.</para> <para>It is recommended to place <literal>mymachines</literal> - near the end of the <filename>nsswitch.conf</filename> line to - make sure that this mapping is only used as fallback, and any DNS - or <filename>/etc/hosts</filename> based mapping takes - precedence.</para> + near the end of the <filename>nsswitch.conf</filename> lines to + make sure that its mappings are only used as fallback, and any + other mappings, such as DNS or <filename>/etc/hosts</filename> + based mappings take precedence.</para> </refsect1> <refsect1> @@ -82,17 +87,17 @@ <para>Here's an example <filename>/etc/nsswitch.conf</filename> file, that enables <command>mymachines</command> correctly:</para> -<programlisting>passwd: compat -group: compat -shadow: compat + <programlisting>passwd: compat <command>mymachines</command> +group: compat <command>mymachines</command> +shadow: compat -hosts: files dns <command>mymachines</command> myhostname +hosts: files dns <command>mymachines</command> myhostname networks: files protocols: db files services: db files -ethers: db files -rpc: db files +ethers: db files +rpc: db files netgroup: nis</programlisting> |