
SYSTEMD-NS...D.SERVICE(8) systemd-nsresourced.service SYSTEMD-NS...D.SERVICE(8)

NAME
       systemd-nsresourced.service, systemd-nsresourced - User Namespace
       Resource Delegation Service

SYNOPSIS
       systemd-nsresourced.service

       /usr/lib/systemd/systemd-nsresourced

DESCRIPTION
       systemd-nsresourced is a system service that permits transient
       delegation of a UID/GID range to a user namespace (see
       user_namespaces(7)) allocated by a client, via a Varlink IPC API.

       Unprivileged clients may allocate a user namespace, and then request a
       UID/GID range to be assigned to it via this service. The user namespace
       may then be used to run containers and other sandboxes, and/or apply it
       to an id-mapped mount.

       Allocations of UIDs/GIDs made this way are transient: when a user
       namespace goes away, its UID/GID range is returned to the pool of
       available ranges. To ensure that clients cannot gain persistence
       through their transient UID/GID range (for example by leaving files
       owned by those UIDs on persistent storage, where a later allocation
       of the same range would inherit them), a BPF-LSM based policy is
       enforced: user namespaces set up this way can only write to file
       systems they allocate themselves or that have been explicitly
       allowlisted via systemd-nsresourced.

       systemd-nsresourced automatically ensures that any registered UID
       ranges show up in the system's NSS database, exposing them through
       the User/Group Record Lookup API via Varlink[1].

       Currently, only UID/GID ranges consisting of either exactly 1 or exactly
       65536 UIDs/GIDs can be registered with this service. Moreover, UIDs and
       GIDs are always allocated together, and symmetrically.

       The service provides API calls to allowlist mounts (referenced via
       their mount file descriptors, as per the Linux fsmount() API), to pass
       ownership of a cgroup subtree to the user namespace, and to delegate
       a virtual Ethernet device pair to the user namespace. Used in
       combination, these are sufficient to implement fully unprivileged
       container environments, as implemented by systemd-nspawn(1), fully
       unprivileged RootImage= (see systemd.exec(5)) or fully unprivileged
       disk image tools such as systemd-dissect(1).

       This service provides one Varlink[2] service:
       io.systemd.NamespaceResource allows registering user namespaces and
       assigning mounts, cgroups and network interfaces to them.

SEE ALSO
       systemd(1), systemd-mountfsd.service(8), systemd-nspawn(1),
       systemd.exec(5), systemd-dissect(1), user_namespaces(7)

NOTES
        1. User/Group Record Lookup API via Varlink
           https://systemd.io/USER_GROUP_API

        2. Varlink
           https://varlink.org/

systemd 257.9                                         SYSTEMD-NS...D.SERVICE(8)
