[lxc-devel] unprivileged create/start
Serge Hallyn
serge at mail.hallyn.com
Wed Oct 23 01:02:56 UTC 2013
These patches address a few of the issues with creating and running
containers without privilege. They are only a start.
On an ubuntu trusty system (with a device_cgroup kernel patch) I can
now do the following:
# one-time system setup
sudo apt-get -y install uidmap
sudo usermod -v 100000-199999 -w 100000-199999 serge
mkdir ~/lxcbase
cat > lxc.conf << EOF
lxc.network.type = empty
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
EOF
# per-boot setup
echo 1 | sudo tee -a /sys/fs/cgroup/cpuset/cgroup.clone_children
for d in /sys/fs/cgroup/*; do
    sudo mkdir $d/serge
    sudo chown serge: $d/serge
done
# login setup
for d in /sys/fs/cgroup/*; do
    echo $$ | sudo tee -a $d/serge/tasks
done
# create a busybox container
lxc-create -P /home/serge/lxcbase -t busybox -n b1 -f lxc.conf
# run it
lxc-start -P /home/serge/lxcbase -n b1
# or run it in the background
lxc-start -P /home/serge/lxcbase -n b1 -d
# attach a console
lxc-console -P /home/serge/lxcbase -n b1
# kill it
lxc-stop -P /home/serge/lxcbase -n b1
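A sanity check for the setup above, added here as an example and not part of the original post: it parses the lxc.id_map lines of a container config and confirms that each host-side range lies inside what the subuid/subgid files grant to the user (the ranges the usermod call above creates), and that no mapping lands on real system ids. The user name serge and the file formats are taken from the post; the config and subuid contents are constructed sample input, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post). Checks that every
# "lxc.id_map = <u|g> <container-id> <host-id> <count>" line in a config
# fits inside the "user:base:len" ranges of the subuid/subgid files.

# range_granted USER FILE START COUNT
# Succeeds when some line "USER:BASE:LEN" in FILE covers [START, START+COUNT).
range_granted() {
    user=$1 file=$2 start=$3 count=$4
    end=$((start + count))
    # awk exits 0 only if a covering line for this user is found
    awk -F: -v u="$user" -v s="$start" -v e="$end" '
        $1 == u && s >= $2 && e <= $2 + $3 { found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# check_idmap USER CONF SUBUID SUBGID
# Prints one line per mapping; returns 1 if any mapping is not delegated
# to USER or starts below 65536 (i.e. overlaps ordinary system accounts).
check_idmap() {
    user=$1 conf=$2 subuid=$3 subgid=$4
    rc=0
    # Normalise "lxc.id_map = u 0 100000 10000" to "u 0 100000 10000"
    maps=$(sed -n 's/^[[:space:]]*lxc\.id_map[[:space:]]*=[[:space:]]*//p' "$conf")
    [ -n "$maps" ] || { echo "FAIL: no lxc.id_map lines in $conf"; return 1; }
    # Here-document instead of a pipe so the loop runs in this shell and rc survives
    while read -r kind cid hid cnt; do
        case $kind in
            u) file=$subuid ;;
            g) file=$subgid ;;
            *) echo "FAIL: bad id_map kind '$kind'"; rc=1; continue ;;
        esac
        if [ "$hid" -lt 65536 ]; then
            echo "FAIL: $kind map onto host ids $hid+$cnt overlaps system ids"; rc=1
        elif range_granted "$user" "$file" "$hid" "$cnt"; then
            echo "ok:   $kind $cid -> $hid (+$cnt) is delegated to $user"
        else
            echo "FAIL: $kind $cid -> $hid (+$cnt) is not delegated to $user in $file"; rc=1
        fi
    done <<EOF
$maps
EOF
    return $rc
}

# Constructed sample input mirroring the post: usermod granted serge
# 100000-199999 and lxc.conf maps container ids 0-9999 onto 100000+.
demo=$(mktemp -d)
printf 'serge:100000:100000\n' > "$demo/subuid"
printf 'serge:100000:100000\n' > "$demo/subgid"
printf 'lxc.network.type = empty\nlxc.id_map = u 0 100000 10000\nlxc.id_map = g 0 100000 10000\n' \
    > "$demo/good.conf"
# Two broken configs: one running past the delegated range, one mapping onto uid 0
printf 'lxc.id_map = u 0 190000 20000\nlxc.id_map = g 0 100000 10000\n' > "$demo/overflow.conf"
printf 'lxc.id_map = u 0 0 10000\n' > "$demo/root.conf"

for c in good overflow root; do
    echo "== $c.conf"
    if check_idmap serge "$demo/$c.conf" "$demo/subuid" "$demo/subgid"; then
        echo "   result: usable without privilege"
    else
        echo "   result: lxc-create/lxc-start would be refused this mapping"
    fi
done
```

Run it against a real config with `check_idmap "$USER" ~/lxcbase/b1/config /etc/subuid /etc/subgid` before lxc-create; a mapping that fails here is the same one lxc will reject when it tries to write the uid_map of the new user namespace.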
TO DO:
1. get the ubuntu-cloud template working.
   a. To avoid tar failing due to devices, we can simply require root to
      create new cloud image tarballs with no devices
      (mkdir x; cd x; sudo tar zxf /var/cache/lxc/cloud-saucy/*;
       sudo rm -rf dev/*; sudo mkdir dev/pts;
       sudo tar pzcf ../cloud.tar.gz .)
      or we can do '|| true' after the tar. Are there any other good
      options?
   b. fix assumptions in the template that we can write to
      @LOCALESTATEDIR@
2. implement networking using lxc-user-nic