<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
One setup of a shared directory would be media files passed through
to a container with samba and one container with mediatomb and one
container with an HTTP server, and I would then limit the access to
read-only for the last two.<br>
<br>
<div class="moz-cite-prefix">On 21.12.2016 at 17:09 Pavol Cupka wrote:<br>
</div>
<blockquote
cite="mid:CAH4oapd4j=vPSubyg_9wn-L466sLigXBsKGAr6pnwcYbMDswRA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>These <span class="" style="" id=":282.1" tabindex="-1">subuid</span>
mappings are there for the case that someone compromises your
container and gains root: should he break out of the container,
he would have access to all the files that are root-owned on
the host machine. When you use these mappings, the users
get uid + 100000 or whatever is set in the subuid map file, and
if they gain root they have uid 1 in the container but uid 1000001
on the host; that means it can't access any files. That is the
whole purpose of this unprivileged container thing. <br>
</div>
Yes, you have to create users with corresponding uids on different
containers to be able to access the files. <br>
<br>
Why do you have to export the same path to both containers? You
can export one path for one container and another for the second
one. But your setup will work for media/backup and for other
things<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Dec 21, 2016 at 3:41 PM, John
Gubert <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:john.gubert@web.de" target="_blank">john.gubert@web.de</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> <tt>Hi Pavol,</tt><tt><br>
</tt><tt>Thanks for the link. I did some testing with the
out-of-the-box setup (removed root:1000:1) of Ubuntu,
created two containers and passed the same host
directory through to both of them, then I created the
same users in the same order on both containers:</tt><tt><br>
</tt><tt>root(1000)</tt><tt><br>
</tt><tt>neuer(1001)</tt><tt><br>
</tt><tt>zweiter(1002)</tt><tt><br>
</tt><tt><br>
</tt><tt>This seems to work: when I create files inside
this folder on one container as neuer, I can only read
them as neuer on the other container and vice versa.</tt><tt><br>
</tt><tt>I would assume that as soon as I create the
users in a different order, zweiter might become 1001
and neuer 1002, and therefore files created by neuer in
one container would be seen as files created by zweiter
in the other, right? On the host, all files are seen as
101001 or 101001 anyway.</tt><tt><br>
</tt><tt>I would go ahead and use this setup for my
home server to store media/backups and run a file server
in one container and other tasks in another. Is this
setup stable enough if I set it up as described above?</tt><tt><br>
<br>
This is my lxc config; is there anything I should
change?<br>
<br>
disktest:<br>
path: /testdisk<br>
source: /home/me/testdisk<br>
type: disk<br>
<br>
kind regards,<br>
John<br>
<br>
</tt>
<div>
<div class="h5">
<div class="m_-4685373629848268046moz-cite-prefix">On 21.12.2016 at 15:04 Pavol Cupka wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Some of your questions are answered here<br>
<a moz-do-not-send="true"
href="https://wiki.gentoo.org/wiki/LXD#Configure_subuid.2Fsubgid"
target="_blank">https://wiki.gentoo.org/wiki/LXD#Configure_subuid.2Fsubgid</a><br>
<br>
</div>
Answering to the list is fine<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Dec 21, 2016 at
1:34 PM, John Gubert <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:john.gubert@web.de"
target="_blank">john.gubert@web.de</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">Hi Tycho,<br>
<br>
thank you for your fast response.<br>
<br>
My id on the host is indeed 1000. I read your
blog article and then had<br>
a look at /etc/subuid:<br>
<br>
before:<br>
"me@host:~$ cat /etc/subuid<br>
lxd:100000:65536<br>
root:100000:65536<br>
me:165536:65536"<br>
<br>
after:<br>
"me@host:~$ cat /etc/subuid<br>
lxd:100000:65536<br>
root:100000:65536<br>
me:165536:65536<br>
root:1000:1"<br>
<br>
root seems to be already set up, maybe this is
due to lxd being<br>
installed on ubuntu 16.04? It would be really
helpful if you could<br>
explain to me what the mapping defined in this
file really does. Does it<br>
make a difference if I add your line, or use
the one already there? How<br>
does this file use the numbers (100000 and
65536)? Does 1000:1 tell<br>
Ubuntu to map the id 1 to 1? If so, what does<br>
100000:65536 mean? Add<br>
65536 to the 100000? If there is a user called<br>
"me" in the container,<br>
does a line "me:1000:1" work as well?<br>
<br>
I appreciate any help.<br>
<br>
with kind regards,<br>
John<br>
<br>
P.S.:<br>
I answered to the mailing list; is this the<br>
right way to do it, or<br>
should I answer to you directly?
<div class="m_-4685373629848268046HOEnZb">
<div class="m_-4685373629848268046h5"><br>
<br>
<br>
On 20.12.2016 at 22:52 Tycho Andersen wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> Hi John,<br>
<br>
On Tue, Dec 20, 2016 at 10:39:07PM
+0100, <a moz-do-not-send="true"
class="m_-4685373629848268046moz-txt-link-abbreviated"
href="mailto:john.gubert@web.de"
target="_blank">john.gubert@web.de</a>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> Hello,<br>
I have a directory on my host
system and want to create several
containers<br>
with the same users inside. I
would like to pass the directory
through to<br>
each container and allow the users
to write and read on it. The network<br>
connection should be done using
macvlan.<br>
The howtos I have read so far show
how to set up lxd, which works very<br>
well on my 16.04 host. Starting a
container works out of the box as
an<br>
unprivileged user as well.<br>
My questions:<br>
Is it even possible to share one
directory on the host with several<br>
containers?<br>
All the howtos I could find
mention some commands that need to be<br>
applied, but they do not tell me
about the commands I need to type in
to<br>
make it work:<br>
<br>
"That means you can create a
container with the following
configuration:<br>
<br>
lxc.id_map = u 0 100000 65536<br>
<br>
lxc.id_map = g 0 100000 65536"<br>
<br>
There is a big list of possible
options on github, but where does it
tell<br>
how to apply them?<br>
Does someone know a detailed
howto that describes a similar setup
like<br>
mine?<br>
</blockquote>
<a moz-do-not-send="true"
href="http://tycho.ws/blog/2016/12/uidmap.html"
rel="noreferrer" target="_blank">http://tycho.ws/blog/2016/12/uidmap.html</a>
is a blog post I wrote a<br>
while ago talking about how to set this
up with your home directory.<br>
You can mimic the settings for whatever
user map you want, though.<br>
<br>
Cheers,<br>
<br>
Tycho<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> Every
time I read something, I feel like I am
missing something important,<br>
because I could not find a
coherent compendium of possible
options on how<br>
to do something.<br>
kind regards,<br>
John<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:lxc-users@lists.linuxcontainers.org"
target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a moz-do-not-send="true"
href="http://lists.linuxcontainers.org/listinfo/lxc-users"
rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
</blockquote>
<br>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
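<p>The following worked example is added here to illustrate the thread; it is not code from any of the participants nor part of LXC or LXD. It parses the /etc/subuid contents and the <tt>lxc.id_map</tt> lines quoted above (all constructed samples), translates container uids to host uids and back, checks whether a map is permitted by /etc/subuid, and shows why a file written by <tt>neuer</tt> in one container shows up as <tt>zweiter</tt> in another container that created its users in a different order. The <tt>HOME_IDMAP</tt> sample and all helper names are my own assumptions about how the extra <tt>root:1000:1</tt> line is meant to be used (the linked blog post is not on this page).</p>

```python
"""Added worked example (not code from the thread, LXC or LXD):
how an lxc.id_map translates container ids to host ids, what a
/etc/subuid line such as root:1000:1 permits, and why containers
sharing a host directory must give each user the same uid.
All samples are constructed; the helper names are not an LXC/LXD API."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "before" and "after" /etc/subuid from the thread.
SUBUID_BEFORE = """\
lxd:100000:65536
root:100000:65536
me:165536:65536
"""
SUBUID_AFTER = SUBUID_BEFORE + "root:1000:1\n"

# Constructed sample: the id_map lines quoted in the thread
# (newer LXC spells the key lxc.idmap; the syntax is the same).
SAMPLE_IDMAP = """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

# Assumption (not from the page): a map that uses the root:1000:1 grant so
# host uid 1000 ("me") is uid 1000 inside the container, everything else
# stays shifted by 100000. Container ranges must not overlap, so 0-65535
# is split around 1000.
HOME_IDMAP = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = u 1001 101001 64535
"""


@dataclass(frozen=True)
class IdRange:
    container_start: int  # first id as seen inside the container
    host_start: int       # host id that container_start maps to
    count: int            # number of consecutive ids in the range


def parse_subid(text: str, user: str) -> List[Tuple[int, int]]:
    """(host_start, count) ranges that /etc/subuid or /etc/subgid grant to `user`."""
    grants = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            grants.append((int(start), int(count)))
    return grants


def parse_idmap(text: str, kind: str = "u") -> List[IdRange]:
    """Parse 'lxc.id_map = <u|g> <container> <host> <count>' lines of one kind."""
    ranges = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("lxc.id_map", "lxc.idmap"):
            continue
        k, cstart, hstart, count = value.split()
        if k == kind:
            ranges.append(IdRange(int(cstart), int(hstart), int(count)))
    return ranges


def to_host(ranges: List[IdRange], container_id: int) -> Optional[int]:
    """Container id -> host id; None if unmapped (the host then sees nobody/65534)."""
    for r in ranges:
        if r.container_start <= container_id < r.container_start + r.count:
            return r.host_start + (container_id - r.container_start)
    return None


def to_container(ranges: List[IdRange], host_id: int) -> Optional[int]:
    """Host id -> container id; None if this container cannot see that owner."""
    for r in ranges:
        if r.host_start <= host_id < r.host_start + r.count:
            return r.container_start + (host_id - r.host_start)
    return None


def map_is_permitted(grants: List[Tuple[int, int]], ranges: List[IdRange]) -> bool:
    """True if every host range of the map lies inside one /etc/subuid grant.
    This is the condition newuidmap enforces for an unprivileged start."""
    for r in ranges:
        lo, hi = r.host_start, r.host_start + r.count
        if not any(s <= lo and hi <= s + c for s, c in grants):
            return False
    return True


def owner_seen_from(writer_passwd: Dict[str, int], writer: str,
                    reader_passwd: Dict[str, int],
                    ranges: List[IdRange]) -> Tuple[Optional[int], Optional[str]]:
    """A file written by `writer` in container A: which host uid owns it and
    which user name container B (same id map, same host) sees as its owner."""
    host_uid = to_host(ranges, writer_passwd[writer])
    reader_uid = None if host_uid is None else to_container(ranges, host_uid)
    by_uid = {uid: name for name, uid in reader_passwd.items()}
    return host_uid, by_uid.get(reader_uid)


if __name__ == "__main__":
    umap = parse_idmap(SAMPLE_IDMAP, "u")
    print("container root on host:", to_host(umap, 0))        # 100000
    print("container neuer (1001) on host:", to_host(umap, 1001))  # 101001
    same = {"root": 0, "neuer": 1001, "zweiter": 1002}
    swapped = {"root": 0, "zweiter": 1001, "neuer": 1002}
    print(owner_seen_from(same, "neuer", same, umap))     # (101001, 'neuer')
    print(owner_seen_from(same, "neuer", swapped, umap))  # (101001, 'zweiter')
    print("HOME_IDMAP allowed before root:1000:1:",
          map_is_permitted(parse_subid(SUBUID_BEFORE, "root"), parse_idmap(HOME_IDMAP)))
```

<p>Two points the numbers make concrete: with the default map, a root shell inside a container is host uid 100000, which owns nothing on the host outside the container's own rootfs, and the shared directory only works across containers because the same container uid lands on the same host uid. The user names are irrelevant to the kernel; only the uid written into the inode matters, so assign fixed uids (for example with <tt>useradd -u</tt>) rather than relying on creation order.</p>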
</body></html>