MAN-J
Man PagesPricing
LoginGet Started
systemd-nsresourced(8)
Original
English • 63 lines
SYSTEMD-NSRESOURCED.SERVICE(8)			   systemd-nsresourced.service

NAME
       systemd-nsresourced.service, systemd-nsresourced - User Namespace
       Resource Delegation Service

SYNOPSIS
       systemd-nsresourced.service

       /usr/lib/systemd/systemd-nsresourced

DESCRIPTION
       systemd-nsresourced is a system service that permits transient
       delegation of a UID/GID range to a user namespace (see
       user_namespaces(7)) allocated by a client, via a Varlink IPC API.

       Unprivileged clients may allocate a user namespace, and then request a
       UID/GID range to be assigned to it via this service. The user namespace
       may then be used to run containers and other sandboxes, and/or apply it
       to an id-mapped mount.

       Allocations of UIDs/GIDs this way are transient: when a user namespace
       goes away, its UID/GID range is returned to the pool of available
       ranges. In order to ensure that clients cannot gain persistency in
       their transient UID/GID range a BPF-LSM based policy is enforced that
       ensures that user namespaces set up this way can only write to file
       systems they allocate themselves or that are explicitly allowlisted via
       systemd-nsresourced.

       systemd-nsresourced automatically ensures that any registered UID
       ranges show up in the system's NSS database via the User/Group Record
       Lookup API via Varlink[1].

       Currently, only UID/GID ranges consisting of either exactly 1 or
       exactly 65536 UIDs/GIDs can be registered with this service. Moreover,
       UIDs and GIDs are always allocated together, and symmetrically.

       The service provides API calls to allowlist mounts (referenced via
       their mount file descriptors as per Linux fsmount() API), to pass
       ownership of a cgroup subtree to the user namespace and to delegate a
       virtual Ethernet device pair to the user namespace. When used in
       combination this is sufficient to implement fully unprivileged
       container environments, as implemented by systemd-nspawn(1), fully
       unprivileged RootImage= (see systemd.exec(5)) or fully unprivileged
       disk image tools such as systemd-dissect(1).

       This service provides one Varlink[2] service:
       io.systemd.NamespaceResource allows registering user namespaces, and
       assign mounts, cgroups and network interfaces to it.

SEE ALSO
       systemd(1), systemd-mountfsd.service(8), systemd-nspawn(1),
       systemd.exec(5), systemd-dissect(1), user_namespaces(7)

NOTES
	1. User/Group Record Lookup API via Varlink
	   https://systemd.io/USER_GROUP_API

	2. Varlink
	   https://varlink.org/

systemd 258					SYSTEMD-NSRESOURCED.SERVICE(8)

systemd-nsresourced(8)

systemdnsresourced.service, systemdnsresourced \- User Namespace Resource Delegation Service

0popularity

System Information

systemd 258 1.0.0
Updated
Maintained by Unknown

Actions