<div dir="ltr">Great thanks to Fajar, Andrey, Jared and all of you.<div><br></div><div>Usually on embedded system our porting/upgrading strategy is as prudent as possible. My previous survey showing that GOLANG is either undone or not popular on embedded. I will survey docs you mentioned and evaluate porting GOLANG and lxd then.</div><div><br></div><div>TC WU</div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-05-10 15:10 GMT+08:00 Fajar A. Nugraha <span dir="ltr"><<a href="mailto:list@fajar.net" target="_blank">list@fajar.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">On Wed, May 10, 2017 at 1:33 PM, T.C 吳天健 <span dir="ltr"><<a href="mailto:tcwu2005@gmail.com" target="_blank">tcwu2005@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span style="color:rgb(136,136,136);font-size:14px">Fajar and Andrey,</span><br><div><span style="color:rgb(136,136,136);font-size:14px"><br></span></div><div><font color="#888888"><span style="font-size:14px">I run lxc-1.0 on embedded system and I don't have lxd on that platform. (i.e. I cross-compile lxc-1.0 from scratch no prebuild package available). And yes I run container with root privilege .</span></font></div></div></blockquote><div><br></div></span><div>I highly suggest you invest some time to port lxd there. It'd make some things a lot easier.</div><span class=""><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><font color="#888888"><span style="font-size:14px"><br></span></font></div><div><font color="#888888"><span style="font-size:14px">Can I have your mentioned features "</span></font><span style="font-size:14px">use separate u/gid range for each container" and "limits which device nodes (block and char) allowed in the container" without existence of lxd?</span></div><div><span style="font-size:14px"><br></span></div></div></blockquote><div><br></div></span><div>Without LXD? Best docs I can point you to are:</div><div>- <a href="https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html" target="_blank">https://linuxcontainers.org/<wbr>lxc/manpages/man5/lxc.<wbr>container.conf.5.html</a> (for example, find "lxc.cgroup.devices.allow" and "UID MAPPINGS" there)<br>- <a href="https://github.com/lxc/lxc/tree/master/doc" target="_blank">https://github.com/lxc/lxc/<wbr>tree/master/doc</a></div><div>- <a href="https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/" target="_blank">https://stgraber.org/2014/<wbr>01/17/lxc-1-0-unprivileged-<wbr>containers/</a></div><div>- <a href="https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv" target="_blank">https://help.ubuntu.com/lts/<wbr>serverguide/lxc.html#lxc-<wbr>unpriv</a></div><div><br></div><div>A little note about the last two, they guide you to create user-owned unpriv containers. It's usually MUCH easier to manage (including setting autostart behavior) root-owned unpriv containers (which is basically what lxd does). root-owned unpriv containers are similar to privileged container, except that:<br>- it has uid mappings configurations</div><div>- the files in rootfs has its u/gid shifted (e.g. with fuidshift)<br><br><br></div><div>Again, the process is MUCH simpler if you have lxd (e.g. look for "security.idmap.isolated" in <a href="https://github.com/lxc/lxd/blob/master/doc/containers.md" target="_blank">https://github.com/lxc/lxd/<wbr>blob/master/doc/containers.md</a>)</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-- </div><div>Fajar</div></font></span></div></div></div>
<br>______________________________<wbr>_________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.<wbr>linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.<wbr>org/listinfo/lxc-users</a><br></blockquote></div><br></div>