[lxc-users] Do nested containers require that unprivileged container creation be supported?

Rami Rosen roszenrami at gmail.com
Sat Apr 5 22:40:40 UTC 2014


Hi,
First, thanks Michael, for drawing my attention to it. I knew that Fedora
21 is going to enable user namespaces.

Still, I wanted to reiterate my point: on my Fedora 20, where I ran an
update a while ago, user namespaces were not available, according to
lxc-checkconfig, and still nesting with a busybox container did work.

Btw, I heard that in the first release of RHEL 7, user namespaces will be
enabled in the kernel, for ABI compatibility, but using them will be disabled
in userspace, because of security concerns. Only in later updates will it
be enabled. I hope that this scheme is not used with Fedora 20.

Regards,
Rami Rosen
On 5 Apr 2014 23:15, "Michael H. Warfield" <mhw at wittsend.com> wrote:

> On Sat, 2014-04-05 at 22:37 +0300, Rami Rosen wrote:
> > Hi, Nels,
> >
> > Regarding your question, as it appeared in the subject of your post:
> > "Do nested containers require that unprivileged container creation be
> > supported?"
>
> > Fedora 20 does not support user namespaces, as lxc-checkconfig shows;
> > so it does not support unprivileged containers. However, I had created
> > (with lxc-create) an LXC fedora container under Fedora 20. From within
> > that container I created a nested LXC busybox container, and I could
> > start that nested container successfully.
>
> Time out!  Breaking news...  Fedora 20 originally did not support user
> namespaces on initial install.  Run yum update and reboot...  Then...
>
> [root at hydra mhw]# cat /etc/redhat-release
> Fedora release 20 (Heisenbug)
> [root at hydra mhw]# uname -a
> Linux hydra.wittsend.com 3.13.7-200.fc20.x86_64 #1 SMP Mon Mar 24
> 22:01:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at hydra mhw]# lxc-checkconfig
> Kernel configuration not found at /proc/config.gz; searching...
> Kernel configuration found at /boot/config-3.13.7-200.fc20.x86_64
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> User namespace: enabled
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
>
> Looks to be enabled to me.
>
> > Best regards,
> > Rami Rosen
> > http://ramirose.wix.com/ramirosen
>
> Always check on the latest update.  Things do change in the Fedora
> sphere.
>
> Regards,
> Mike
>
> > On Fri, Apr 4, 2014 at 8:02 PM, Nels Nelson <nels.n.nelson at gmail.com> wrote:
> > > Hi, I'm trying to create a container nested within another.  I'm sure I'm
> > > probably going about it incorrectly.  Here's what I have so far:
> > >
> > > https://gist.github.com/nelsnelson/9978457
> > >
> > > The error I encounter seems to be
> > >
> > >     lxc-create: No such file or directory - failed to create container path
> > > for inner
> > >     lxc-create: Error creating container inner
> > >
> > > Is this because the privileges in the outer container are not sufficient?
> > >
> > > Thanks,
> > > -Nels
>
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
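The thread turns on two different questions that lxc-checkconfig's single "User namespace: enabled" line blurs together: whether CONFIG_USER_NS was compiled into the running kernel, and whether an unprivileged user on that host can actually create a user namespace (the RHEL 7 situation Rami describes is "yes" to the first and "no" to the second). The script below is an added example, not code from the thread or from the LXC project. It reproduces the config-file lookup that lxc-checkconfig performs (/proc/config.gz, then /boot/config-$(uname -r)) and adds a runtime probe using unshare(1) from util-linux; the reference to the user.max_user_namespaces sysctl assumes a kernel new enough to expose it (4.9 and later, or a distribution that backported it).

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the user-namespace part of the
# lxc-checkconfig check, then go one step further and test whether the current
# user can actually create a user namespace. That second check separates
# "compiled in" from "usable from userspace", which is the RHEL 7 case
# mentioned in the thread.

# Locate the running kernel's config the way lxc-checkconfig does:
# /proc/config.gz first, then /boot/config-<release>. Returns 1 if neither exists.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Print "enabled" or "disabled" for CONFIG_USER_NS in the given config file.
# Accepts plain and gzip-compressed configs; a missing line or a
# "# CONFIG_USER_NS is not set" line both count as disabled.
userns_config_status() {
    cfg="$1"
    case "$cfg" in
        *.gz) line=$(gzip -dc "$cfg" | grep -E '^CONFIG_USER_NS=' || true) ;;
        *)    line=$(grep -E '^CONFIG_USER_NS=' "$cfg" 2>/dev/null || true) ;;
    esac
    case "$line" in
        CONFIG_USER_NS=y) echo enabled ;;
        *)                echo disabled ;;
    esac
}

# Print "usable" if the current user can create a user namespace right now,
# "unusable" otherwise. unshare(1) is from util-linux.
# Assumption: on kernels that expose user.max_user_namespaces (4.9 and newer,
# plus distributions that backported it), a value of 0 is the "compiled in but
# switched off in userspace" configuration, so report it without even trying.
userns_runtime_status() {
    if [ -r /proc/sys/user/max_user_namespaces ] &&
       [ "$(cat /proc/sys/user/max_user_namespaces)" = 0 ]; then
        echo unusable
        return 0
    fi
    if command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
        echo usable
    else
        echo unusable
    fi
}

# Human-readable summary of both checks for the running host.
report() {
    if cfg=$(find_kernel_config); then
        echo "Kernel configuration found at $cfg"
        echo "User namespace (build):   $(userns_config_status "$cfg")"
    else
        echo "Kernel configuration not found"
    fi
    echo "User namespace (runtime, as $(id -un)): $(userns_runtime_status)"
}

# Run the report only when invoked as "sh userns-check.sh report", so the
# functions can also be sourced from another script.
if [ "${1:-}" = report ]; then
    report
fi
```

Run it as the unprivileged user that will create the containers, not as root: root can create a user namespace on practically any kernel that has CONFIG_USER_NS, so a root-run probe says nothing about whether unprivileged (and therefore nested unprivileged) containers will work. A host that reports "enabled" for the build check but "unusable" at runtime is exactly the kernel-yes/userspace-no split the thread describes for RHEL 7.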