2️⃣0️⃣ Here's the 20th post highlighting key new features of the recently published v260 release of systemd.
One ongoing project inside of systemd is to rework systemd-nspawn to not do its own namespacing/sandboxing but make it mostly just a frontend to systemd's own namespacing/sandboxing that is implemented for system services. The goal is to make it play a role similar to systemd-run: i.e. a command line tool that just allocates a transient service, and thus simplify…
…and unify currently distinct but similar codepaths in systemd's service management and systemd-nspawn's codebase.
With v260 we filled in one major gap to get there: the existing PrivateUsers= setting for services now supports a new value "managed". If selected then a new delegated user namespace UID range is allocated dynamically via systemd-nsresourced, and assigned to the service. Or in other words: there's now a way to spawn a service with a full set of private, transient, 64K UIDs…
…which is enough to run a full OS inside a system service. Yay!
And not just that: it also works unprivileged, i.e. it's enough to also run a full OS with 64K UIDs from a user controlled directory tree. Yippieh yay!
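
A way to check that a service really got its own 64K UID range, as an added example that is not part of the original posts or of systemd itself: it parses the kernel's `/proc/<pid>/uid_map` format (inside-start, outside-start, count). The function names and both sample maps are constructed for illustration, and the single-row layout assumed for a `PrivateUsers=managed` service is an assumption, not something the posts state.

```shell
#!/bin/sh
# Added example: classify a uid_map read from stdin.
# Each uid_map row is "<inside-start> <outside-start> <count>".

# Constructed sample: the host namespace maps every UID onto itself.
HOST_MAP='         0          0 4294967295'
# Constructed sample: 64K UIDs mapped onto a made-up outside base
# (not a real systemd-nsresourced allocation).
MANAGED_MAP='         0 1879048192      65536'

# Prints "<total-uids> <identity|private|mixed>", or "0 unmapped".
uidmap_summary() {
    awk '
        NF == 3 { total += $3; rows++; if ($1 == $2) same++ }
        END {
            if (rows == 0) { print "0 unmapped"; exit }
            kind = (same == rows) ? "identity" : (same == 0) ? "private" : "mixed"
            printf "%.0f %s\n", total, kind
        }'
}

# Succeeds only if exactly 65536 UIDs are mapped and none maps onto itself.
has_private_64k() {
    [ "$(uidmap_summary)" = "65536 private" ]
}

# Intended use on a host with systemd v260 (not executed here):
#   systemd-run --wait --pipe -p PrivateUsers=managed cat /proc/self/uid_map \
#       | has_private_64k && echo "service has a private 64K UID range"
```

An "identity" or "mixed" result for a service that was supposed to run with `PrivateUsers=managed` means at least part of its UID space still coincides with host UIDs and the unit's effective settings should be reviewed.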