<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Feb 4, 2015 at 6:01 PM, Fajar A. Nugraha <span dir="ltr"><<a href="mailto:list@fajar.net" target="_blank">list@fajar.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">On Wed, Feb 4, 2015 at 5:46 PM, Adam Gold <span dir="ltr"><<a href="mailto:awg1@gmx.com" target="_blank">awg1@gmx.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br></blockquote></span><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> If so, what's the best way to manually create a template in<br>
unprivileged mode to ensure all the subuids and subgids are assigned<br>
correctly.<br></blockquote><div><br></div></span><div>Create it using any normal method known to work. It should be OK when .local/share/lxc is on the same filesystem as $HOME, right?</div><div>After that, copy it manually to your template dataset (<span style="font-size:12.8000001907349px">zfs/lxc/containers/template ?) using "rsync -avP" or whatever tool of your choice. When you clone the template to a new directory, don't forget to change these settings manually in the new container config:</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px"></span></div></div></div></div></blockquote><div><br></div><div><br></div><div>This is what I just tested. Environment:</div><div>- there's a system container called "template"</div><div>- user "user" is allowed to create its own container (including setting /etc/subuid)</div><div>- I want to copy the system container to user container</div><div><br></div><div>Current permissions:</div><div><div># grep user /etc/subuid</div><div>user:100000:65537<br></div><div><br></div><div># grep user /etc/subgid</div><div>user:100000:65537<br></div></div><div><br></div><div><div># ls -la /var/lib/lxc/template/</div><div>total 6</div><div>drwxr-xr-x 3 root root 4 Jul 10 2014 .</div><div>drwxr-xr-x 4 root root 4 Jan 22 19:26 ..</div><div>-rw-r--r-- 1 root root 691 Jul 10 2014 config</div><div>drwxr-xr-x 21 root root 21 Feb 4 18:32 rootfs</div></div><div><br></div><div><div># ls -la /home/user/.local/share/lxc/template/</div><div>total 6</div><div>drwxr-xr-x 3 user user 4 Feb 4 18:39 .</div><div>drwxr-xr-x 3 user user 4 Feb 4 18:37 ..</div><div>drwxr-xr-x 21 100000 100000 21 Feb 4 18:32 rootfs<br></div></div><div><br></div><div><div># df -h /home/user/.local/share/lxc/template/</div><div>Filesystem Size Used Avail Use% Mounted on</div><div>rpool/lxc/user/template 46G 164M 46G 1% /home/user/.local/share/lxc/template</div></div><div><br></div><div>Note that /home/user/.local/share/lxc/template/rootfs is EMPTY. The zfs datasets, owner, and permission were created/set by root.</div><div>I can then run this command to copy system's rootfs to users's rootfs, with the correct permissions:<br></div><div><br></div><div><div># tar -C /var/lib/lxc/template/rootfs -cf - . | su - user -c "lxc-usernsexec -- tar -C /home/user/.local/share/lxc/template/rootfs -xf - --exclude ./dev/*"</div><div><br></div><div>WARN: could not reopen tty: No such file or directory</div><div>tar: ./dev/log: socket ignored</div></div><div><br></div><div>Ignore the warning messages. Next step is to create /home/user/.local/share/lxc/template/config, like so:</div><div>###</div><div><div># Template used to create this container: /usr/share/lxc/templates/lxc-download</div><div># Parameters passed to the template: -d ubuntu -r trusty -a amd64</div><div># For additional config options, please look at lxc.conf(5)</div><div><br></div><div># Distribution configuration</div><div>lxc.include = /usr/share/lxc/config/ubuntu.common.conf</div><div>lxc.include = /usr/share/lxc/config/ubuntu.userns.conf</div><div>lxc.arch = x86_64</div><div><br></div><div># Container specific configuration</div><div>lxc.id_map = u 0 100000 65536</div><div>lxc.id_map = g 0 100000 65536</div><div>lxc.rootfs = /home/user/.local/share/lxc/template/rootfs</div><div>lxc.utsname = template</div><div><br></div><div># Network configuration</div><div>lxc.network.type = veth</div><div>lxc.network.veth.pair = veth-u-te-0</div><div>lxc.network.flags = up</div><div>lxc.network.link = br0</div><div>lxc.network.hwaddr = 00:16:3E:3A:53:E7</div></div><div>###</div><div><br></div><div>Note that I use br0, where the default bridge created by lxc is lxcbr0, so you need to make sure it's correct.</div><div><br></div><div>When creating another container for the same user "user", I can simply use zfs clone rpool/lxc/user/template. If I wanted to create container for another user (e.g. "user2"), then I need to repeat the "tar" method above as a different user (e.g. "| su - user2 -c ...")</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Also, for the additional containers that I get from zfs cloning, will<br>
they be recognised by 'lxc-* -n' commands?<br>
<br></blockquote><div><br></div></span><div>AFAIK most lxc commands simply reads whatever is under the directory, and doesn't really care what fs they are on.</div><span class=""><font color="#888888"><div><br></div></font></span></div></div></div></blockquote><div><br></div><div><br></div><div>After doing the above steps I can do this:</div><div><br></div><div><div>$ id</div><div>uid=1000(user) gid=1000(user) groups=1000(user),4(adm),6(disk),27(sudo)</div><div><br></div><div>$ lxc-ls -f</div><div>NAME STATE IPV4 IPV6 GROUPS AUTOSTART </div><div>------------------------------------------------</div><div>template STOPPED - - - NO </div><div><br></div><div>$ lxc-start -d -n template</div><div><br></div><div>$ lxc-ls -f</div><div>NAME STATE IPV4 IPV6 GROUPS AUTOSTART </div><div>-----------------------------------------------------------</div><div>template RUNNING 192.168.124.104 - - NO </div><div><br></div><div><div>$ lxc-attach -n template id</div><div>uid=0(root) gid=0(root) groups=0(root)</div></div><div><br></div><div>$ lxc-attach -n template ip ad li eth0<br></div><div>25: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000</div><div> link/ether 00:16:3e:3a:53:e7 brd ff:ff:ff:ff:ff:ff</div><div> inet <a href="http://192.168.124.104/24">192.168.124.104/24</a> brd 192.168.124.255 scope global eth0</div><div> valid_lft forever preferred_lft forever</div><div> inet6 fe80::216:3eff:fe3a:53e7/64 scope link </div><div> valid_lft forever preferred_lft forever</div><div><br></div><div>$ lxc-stop -n template</div><div><br></div><div>$ lxc-ls -f<br></div><div>NAME STATE IPV4 IPV6 GROUPS AUTOSTART </div><div>------------------------------------------------</div><div>template STOPPED - - - NO </div></div><div><br></div><div>-- </div><div>Fajar</div></div></div></div>