<div dir="ltr"><br><div class="gmail_extra">Thanks for the quick response. I am particularly interested in the shiftfs and may try to patch that in. A single followup question below.</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 6, 2016 at 2:03 PM, Serge E. Hallyn <span dir="ltr"><<a href="mailto:serge@hallyn.com" target="_blank">serge@hallyn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">There are several things under way which will help with this,<br>
<br>
1. unprivileged mounting of squashfs will allow you to just mount it<br>
in the container<br></blockquote><div> </div><div>I also have the setup working using the lxc.rootfs and lxc.rootfs.mount to mount the squashfs as a loop device. Doing it this way, I can avoid the pre-start hook to mount. The results within the container are still the same. Is this the unprivileged mounting you are talking about?</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
2. Djalal Harouni is working on a feature to allow shifting uids into<br>
a container as a mount option.<br>
3. jbottomley is working on shiftfs which is a stackable fs which lets<br>
you shift the uids<br>
<br>
But for now, you'd need to chmod the files in the fs into the range<br>
of the containers.<br>
<div><div class="h5"><br>
Quoting Judd Meinders (<a href="mailto:judd.meinders@rockwellcollins.com">judd.meinders@rockwellcollins.com</a>):<br>
> Hello all,<br>
><br>
> I am attempting to run a custom created unprivileged container on ubuntu<br>
> 16.04. It is started from the root user using lxc-start and is configured<br>
> with lxc.id_map to assign unprivileged UID/GID for users.<br>
><br>
> The root file system I am trying to use is squashfs, and it has been<br>
> created with UID/GID starting at 0. The user and group ownership of files<br>
> within the squashfs is not modifiable due to squashfs being read only.<br>
><br>
> I am using a pre-start hook to mount the squashfs in a location that is<br>
> accessible by the unprivileged users in lxc.idmap. Everything seems to<br>
> work properly at this point.<br>
><br>
> When I attach to the container after starting, all the files are owned by<br>
> 65534:65534. When I inspect on the host, they are all owned by UID/GID 0.<br>
> This isn't a problem for anything running as root in the container of<br>
> course, but if I tried to run something in the container as another user, I<br>
> will have problems.<br>
><br>
> My question is: How can I correct this? Does anyone know what causes it?<br>
> Is there an alternate way of mounting the rootfs so that the ownership of<br>
> the files makes sense in the container?<br>
><br>
> My config:<br>
><br>
> lxc.network.type = veth<br>
> lxc.network.link = lxcbr0<br>
> lxc.network.flags = up<br>
> lxc.network.ipv4 = <a href="http://10.0.3.2/24" rel="noreferrer" target="_blank">10.0.3.2/24</a><br>
> lxc.network.hwaddr = 00:16:3e:xx:xx:xx<br>
> lxc.rootfs =/var/lib/lxc/lxc1/rootfs<br>
> lxc.haltsignal = SIGUSR1<br>
> lxc.utsname = lxc1<br>
> lxc.tty = 1<br>
> lxc.pts = 1<br>
> lxc.id_map = u 0 100000 10000<br>
> lxc.id_map = g 0 100000 10000<br>
> lxc.cgroup.cpuset.cpus = 0<br>
> lxc.cgroup.cpu.shares = 179<br>
> lxc.cgroup.memory.limit_in_bytes = 25600000<br>
> lxc.cgroup.devices.deny = a<br>
> lxc.cgroup.devices.allow = c 1:3 rw<br>
> lxc.cgroup.devices.allow = c 1:8 r<br>
> lxc.cgroup.devices.allow = c 1:9 r<br>
> lxc.cap.keep = none<br>
> lxc.mount.entry = tmpfs /var/lib/lxc/lxc1/rootfs/tmp tmpfs<br>
> nodev,nosuid,size=3M 0 0<br>
> lxc.mount.auto = proc:mixed<br>
> lxc.hook.pre-start = /usr/share/lxc/hooks/mount<br>
> lxc.aa_profile = unconfined<br>
><br>
> File ownership after attaching:<br>
><br>
> root@user-VirtualBox:/var/lib/lxc/lxc1# lxc-attach -n lxc1<br>
> / # ls -la<br>
> total 2<br>
> drwxrwxr-x 16 65534 65534 261 Jul 5 19:25 .<br>
> drwxrwxr-x 16 65534 65534 261 Jul 5 19:25 ..<br>
> drwxr-xr-x 2 65534 65534 980 Jul 6 16:09 bin<br>
> drwxr-xr-x 4 root root 360 Jul 6 18:22 dev<br>
> drwxr-xr-x 10 65534 65534 406 Jul 6 16:09 etc<br>
> drwxr-xr-x 2 65534 65534 737 Jul 6 16:09 lib<br>
> lrwxrwxrwx 1 65534 65534 3 Jul 6 16:48 lib32 -> lib<br>
> lrwxrwxrwx 1 65534 65534 11 Jul 6 16:48 linuxrc -><br>
> bin/busybox<br>
> drwxr-xr-x 2 65534 65534 3 Jan 29 14:00 media<br>
> drwxr-xr-x 2 65534 65534 3 Jan 29 14:00 mnt<br>
> drwxr-xr-x 2 65534 65534 3 Jan 29 14:00 opt<br>
> dr-xr-xr-x 222 65534 65534 0 Jul 6 18:22 proc<br>
> drwx------ 2 65534 65534 3 Jan 29 14:13 root<br>
> lrwxrwxrwx 1 65534 65534 3 Jul 6 16:48 run -> tmp<br>
> drwxr-xr-x 2 65534 65534 963 Jul 6 16:09 sbin<br>
> drwxr-xr-x 2 65534 65534 3 Jan 29 14:00 sys<br>
> drwxrwxrwt 2 65534 65534 3 Jan 29 14:00 tmp<br>
> drwxr-xr-x 7 65534 65534 102 Jul 5 16:51 usr<br>
> drwxr-xr-x 5 65534 65534 121 Jul 6 16:09 var<br>
> -rw-r--r-- 1 65534 65534 1266 Jul 6 16:09 version.platform<br>
><br>
><br>
><br>
><br>
> --<br>
> Judd Meinders<br>
<br>
</div></div>> _______________________________________________<br>
> lxc-users mailing list<br>
> <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="text-align:left"><div style="text-align:left"><div style="font-size:small">Judd Meinders<br></div><div style="font-size:small">Sr. Software Security Engineer</div><div style="font-size:small">e. <a href="mailto:judd.meinders@rockwellcollins.com" target="_blank">judd.meinders@rockwellcollins.com</a></div><div style="font-size:small">p. 319-263-1875</div></div></div></div></div></div></div>
</div></div>