[lxc-devel] [RFC 0/8] Unprivileged container creation and use
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jul 22 15:07:29 UTC 2013
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Fri, Jul 19, 2013 at 02:26:47PM +0000, Serge Hallyn wrote:
> > With this patchset, I am able to create and start an ubuntu-cloud
> > container completely as an unprivileged user, on an ubuntu saucy
> > host with the kernel from ppa:ubuntu-lxc/kernel and the nsexec
> > package from ppa:serge-hallyn/userns-natty.
>
> That's great! We're definetely getting close to having really useful
> unprivileged containers!
>
> >
> > The one thing still completely unimplemented is networking. I am
> > creating containers with lxc.network.type=empty to work around this.
> > Once the rest of this settles down, I'll address that.
> >
> > lxc-destroy has not yet been updated, so right now the easiest way
> > to delete these containers is as root. lxc-console and lxc-stop do
> > work as expected.
> >
> > ====================
> > Prerequisities:
> > ====================
> >
> > 1. A privileged user or init script needs to create
> > /run/lock/lxc/$HOME
> > and set perms so $USER can create locks there.
>
> I have a feeling we already talked about this but my memory needs to be
> refreshed, why can't we use XDG_RUNTIME_DIR for that instead of
> requiring a privileged process to create a directory under
> /run/lock/lxc?
I forget (but do recall you mentioned this before), I'll have to read up
on that again.
Right now lxclock.c defaults to using /run/lock/lxc/$lxcpath/
You're suggesting using XDG_RUNTIME_DIR which becomes /run/user/$dir.
Perhaps I should simply check getuid() - if 0, use /run/lock/lxc,
otherwise use $XDG_RUNTIME_DIR/lxc/$lxcpath ?
> Was that only for the corner case where multiple users may have write
> access and uid/gid mapping to a shared container? Is that actually
Yes.
> likely to happen (you'd need the same uid/gid allocation for both users
> and have the container on a shared path for it to be a problem).
But it *is* likely to happen with root owned containers. The same
code is handling both. But geteuid() == 0 is probably a decent way to
guess what's going on.
> > 2. Before starting the container you'll need to be in a cgroup you
> > can manipulate. I do this with:
> >
> > #!/bin/sh
> > name=`whoami`
> > for d in /sys/fs/cgroup/*; do
> > sudo mkdir $d/$name
> > sudo chown -R $name $d/$name
> > done
> > echo 0 | sudo tee -a /sys/fs/cgroup/cpuset/$name/cpuset.cpus
> > echo 0 | sudo tee -a /sys/fs/cgroup/cpuset/$name/cpuset.mems
> >
> > followed by:
> >
> > cgroup_enter() {
> > name=`whoami`
> > for d in /sys/fs/cgroup/*; do
> > echo $$ > $d/$name/cgroup.procs
> > done
> > }
> >
> > 3. You need to give your user some subuids. If you're creating a
> > new saucy system to use this on, then you already have some - check
> > /etc/subuids. If not, then add some using "usermod -w 100000-299999
> > -v 100000-299999 $user"
>
> I'm assuming you mean /etc/subuid and /etc/subgid?
yeah.
> On up to date saucy, those two files are empty but I guess we may be
> getting some allocation for new users or on new installs?
yes /etc/login.defs specifies default allocations for new users. I
*thought* we were by default allocating some number but maybe not.
-serge
More information about the lxc-devel
mailing list