概述

User namespace 主要是隔离用户的用户组ID。

源码

package main

import (
    "os/exec"
    "syscall"
    "os"
    "log"
)

func main() {
    cmd := exec.Command("sh")
    cmd.SysProcAttr = &syscall.SysProcAttr{
        Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS | syscall.CLONE_NEWUSER, 

    }
   cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(1), Gid: uint32(1)}
    cmd.Stdin = os.Stdin
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr

    if err := cmd.Run(); err != nil {
        log.Fatal(err)
    }
    os.Exit(-1)
}

package main

import (
"fmt"
"os"
"os/exec"
"syscall"
)

func main() {
        cmd := exec.Command("sh")

        //set identify for this demo
        cmd.Env = []string{"PS1=-[namespace-process]-# "}
        cmd.Stdin = os.Stdin
        cmd.Stdout = os.Stdout
        cmd.Stderr = os.Stderr

        cmd.SysProcAttr = &syscall.SysProcAttr{
                Cloneflags: syscall.CLONE_NEWNS |
                syscall.CLONE_NEWUTS |
                syscall.CLONE_NEWUSER,
                UidMappings: []syscall.SysProcIDMap{
                {
                ContainerID: 0,
                HostID: os.Getuid(),
                Size: 1,
                },
                },
                GidMappings: []syscall.SysProcIDMap{
                {
                ContainerID: 0,
                HostID: os.Getgid(),
                Size: 1,
                },
                },
        }

        if err := cmd.Run(); err != nil {
                fmt.Printf("Error running the /bin/sh command - %s\n", err)
                os.Exit(1)
        }
}

测试

查看宿主机的当前用户和用户组

ubuntu@VM-0-10-ubuntu:~/ux-dev$ id
uid=500(ubuntu) gid=500(ubuntu) groups=500(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)

运行程序，看一下user namespace的用户和用户组

ubuntu@VM-0-10-ubuntu:~/ux-dev$ go run user.go
-[namespace-process]-# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)