2.1 uid的映射

不同的 namespace 中用户可以有相同的 UID 和 GID,它们之间互相不影响。父子 namespace 之间可以进行用户映射,如父 namespace (宿主机)的普通用户映射到子 namespace (容器)的 root 用户,以减少子 namespace 的 root 用户操作父 namespace 的风险。user namespace 功能虽然在很早就出现了,但是直到 Linux kernel 3.8之后这个功能才趋于完善。
比如/etc/subuid文件描述了容器内的id和容器外id的对应关系。root:300000:65536的意思
是:root启动的容器,那么容器外是从300000开始到365536的范围对应着容器内0-65535的范围
image.png

2.2 uid的取值范围

每个Linux系统要求的uid可选范围都不一样,但是uid通常是由32位,也就是最大值可以是2^31-2(范围:1~4294967295)。路径/etc/login.defs文件的UID_MIN、UID_MAX限定了用户useradd新用户自己设置uid的最小值和最大值,2^31-1是个无效id,实验测试以下命令不能成功。
useradd -u 4294967296 test
Uid的取值区间范围作了划分,不同发行商的Linux系统有不一样的划分,但是一般是这么约定:

  • 0-99系统用户uid:
  • 100-500:系统管理管理员程序或者安装脚本产生的用户
  • 1000-x:用户uid,系统登录uid限制于了登录uid的最小值和最大值
  • 网络uid:更偏向于高值
  • 6553x:nobody

uid_map

The manpage says

After the creation of a new user namespace, the uid_map file of one of the processes in the namespace may be written to once to define the mapping of user IDs in the new user namespace. An attempt to write more than once to a uid_map file in a user namespace fails with the error EPERM. Similar rules apply for gid_map files.

It takes some measure of reading between the lines, but this is consistent with the fact that all processes in a user namespace share the same user and group mappings.

In detail, the fields are interpreted as follows:
第一列是pid的user id
第二列是修改/proc/pid/uid_map的进程的user id (这个一般是启动容器的进程),或者是parent user namespace的user id
第三列是可用user id的方位

  1.    (1) The start of the range of user IDs in the user namespace of<br />           the process _pid_.
  3.    (2) The start of the range of user IDs to which the user IDs<br />           specified by field one map.  How field two is interpreted<br />           depends on whether the process that opened _uid_map_ and the<br />           process _pid_ are in the same user namespace, as follows:
  5.        a) If the two processes are in different user namespaces:<br />              field two is the start of a range of user IDs in the user<br />              namespace of the process that opened _uid_map_.
  7.        b) If the two processes are in the same user namespace: field<br />              two is the start of the range of user IDs in the parent<br />              user namespace of the process _pid_.  This case enables the<br />              opener of _uid_map_ (the common case here is opening<br />              _/proc/self/uid_map_) to see the mapping of user IDs into<br />              the user namespace of the process that created this user<br />              namespace.
  9.    (3) The length of the range of user IDs that is mapped between<br />           the two user namespaces.