Provided by: systemd-container_256.4-2ubuntu1_amd64 bug

NAME
       systemd-nsresourced.service, systemd-nsresourced - User Namespace Resource Delegation
       Service


SYNOPSIS
       systemd-nsresourced.service

       /usr/lib/systemd/systemd-nsresourced


DESCRIPTION
       systemd-nsresourced is a system service that permits transient delegation of a a UID/GID
       range to a user namespace (see user_namespaces(7)) allocated by a client, via a Varlink
       IPC API.

       Unprivileged clients may allocate a user namespace, and then request a UID/GID range to be
       assigned to it via this service. The user namespace may then be used to run containers and
       other sandboxes, and/or apply it to an id-mapped mount.

       Allocations of UIDs/GIDs this way are transient: when a user namespace goes away, its
       UID/GID range is returned to the pool of available ranges. In order to ensure that clients
       cannot gain persistency in their transient UID/GID range a BPF-LSM based policy is
       enforced that ensures that user namespaces set up this way can only write to file systems
       they allocate themselves or that are explicitly allowlisted via systemd-nsresourced.

       systemd-nsresourced automatically ensures that any registered UID ranges show up in the
       system's NSS database via the User/Group Record Lookup API via Varlink[1].

       Currently, only UID/GID ranges consisting of either exactly 1 or exactly 65536 UIDs/GIDs
       can be registered with this service. Moreover, UIDs and GIDs are always allocated
       together, and symmetrically.

       The service provides API calls to allowlist mounts (referenced via their mount file
       descriptors as per Linux fsmount() API), to pass ownership of a cgroup subtree to the user
       namespace and to delegate a virtual Ethernet device pair to the user namespace. When used
       in combination this is sufficient to implement fully unprivileged container environments,
       as implemented by systemd-nspawn(1), fully unprivileged RootImage= (see systemd.exec(5))
       or fully unprivileged disk image tools such as systemd-dissect(1).

       This service provides one Varlink[2] service: io.systemd.NamespaceResource allows
       registering user namespaces, and assign mounts, cgroups and network interfaces to it.


SEE ALSO
       systemd(1), systemd-mountfsd.service(8), systemd-nspawn(1), systemd.exec(5), systemd-
       dissect(1), user_namespaces(7)


NOTES
        1. User/Group Record Lookup API via Varlink
           https://systemd.io/USER_GROUP_API

        2. Varlink
           https://varlink.org/