Repost: What’s Next for Containers? User Namespaces
What are user namespaces? Sticking with the apartment complex analogy, the numbering of users and groups has historically been the same in every container and in the underlying host, just as public channel 10 is generally the same in every unit of an apartment building.
But, imagine that people in different apartments are getting their television signal from different cable and satellite companies. Channel 10 is now different for each person. It might be sports for one person, and news for another.
Historically, the Linux kernel had a single data structure that held users and groups. Starting in kernel version 3.8, user namespaces were implemented. Using the clone() system call with the CLONE_NEWUSER flag, a separate user namespace can be created. Think of these as nested data structures within a new namespace. In this new namespace there is a virtual set of users and groups. These users and groups, beginning with uid/gid 0, are mapped to non-trusted (non-root) uids/gids outside the namespace.
In modern Linux kernels, administrators can create about four billion users, 4,294,967,294 (an unsigned 32-bit integer) to be specific. These four billion users can be divided among user namespaces, giving administrators plenty of scalability.
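As an added example (not code from the Red Hat article), the program below shows the mapping described above in two parts: a small translator for /proc/<pid>/uid_map lines ("inside-start outside-start count"), which is the kernel's own mapping format, and a main() that enters a new user namespace and maps uid 0 inside to the caller's unprivileged uid outside. It assumes unshare(2) with the same CLONE_NEWUSER flag the article mentions for clone(), and that the kernel allows unprivileged user namespaces; 65534 is assumed to be the default overflow uid.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define OVERFLOW_UID 65534u  /* assumed default of /proc/sys/kernel/overflowuid ("nobody") */

/* One line of /proc/<pid>/uid_map: first uid inside, first uid outside, count. */
struct id_map { unsigned int inside, outside, count; };

/* Translate a uid as seen inside the namespace to the host uid it really is.
 * A uid with no mapping is reported as the overflow uid, as the kernel does. */
unsigned int map_to_host(const struct id_map *maps, size_t n, unsigned int inside)
{
    for (size_t i = 0; i < n; i++)
        if (inside >= maps[i].inside && inside - maps[i].inside < maps[i].count)
            return maps[i].outside + (inside - maps[i].inside);
    return OVERFLOW_UID;
}

/* Parse the text form of uid_map ("0 100000 65536\n...") into structs; returns count. */
size_t parse_id_map(const char *text, struct id_map *out, size_t max)
{
    size_t n = 0;
    const char *p = text;
    while (n < max && sscanf(p, "%u %u %u", &out[n].inside, &out[n].outside, &out[n].count) == 3) {
        n++;
        p = strchr(p, '\n');          /* advance to the next line, if any */
        if (!p) break;
        p++;
    }
    return n;
}

int main(void)
{
    unsigned int host_uid = (unsigned int)getuid();
    char buf[64];
    if (unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); return 1; }
    /* Until a map is written, every uid in the new namespace is the overflow uid. */
    printf("before mapping: euid=%u\n", (unsigned int)geteuid());
    /* Map uid 0 inside -> our own unprivileged uid outside (one entry, no CAP_SETUID needed). */
    int len = snprintf(buf, sizeof buf, "0 %u 1\n", host_uid);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0 || write(fd, buf, (size_t)len) != len) { perror("write uid_map"); return 1; }
    close(fd);
    printf("after mapping:  euid=%u inside, still uid %u on the host\n",
           (unsigned int)geteuid(), host_uid);
    return 0;
}
```

Root inside the namespace is only root over the namespace's own objects; on the host the process still owns files as host_uid, which is the property that makes user namespaces a containment boundary.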
Read the whole article: What’s Next for Containers? User Namespaces | Red Hat Enterprise Linux Blog.