<div dir="auto">I use setfacl/getfacl to change permissions on host files so they are accessible to container's users. I am doing only basic stuff with very few users so not sure how that approach scales.<div dir="auto"><br></div><div dir="auto">Of course anything you do open up what the container can do will reduce the security of using containers.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 11, 2019, 8:19 AM Justus Schubert <<a href="mailto:justus.schubert@web.de">justus.schubert@web.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi everyone, <br>
<br>
I'm trying the first time lxc. something I do not understand is the shared use <br>
of resources. This seems to be a problem especially with unprivileged <br>
containers.<br>
My first thought was to have a shared folder with custom user/group mapping in <br>
unprivileged LXC container for (user)mount<br>
<br>
I set up a LCX Container. My hostsystem is ArchLinux and the Container use <br>
Debian. I start the container as root and use user/group mapping so the <br>
container run 'unprivileged'. <br>
>> my /etc/lxc/default.conf:<br>
>> lxc.idmap = u 0 100000 65536<br>
>> lxc.idmap = g 0 100000 65536<br>
<br>
>> my /etc/subuid & /etc/subgid:<br>
>> root:100000:65536<br>
<br>
Now i like to share my homedir within the container.<br>
>> my /var/lib/lxc/<lxc-name>/config:<br>
>> lxc.mount.entry = /home/<user> /var/lib/lxc/<lxc-name>/rootfs/mnt/share <br>
none bind 0 0<br>
<br>
Because of the mapping described above rights of the shared folder are set to <br>
nobody nogroup. <br>
<br>
After some research, I came to the idea that there are certainly other ways to <br>
solve the problem. Maybe SSHfs, NFS or SAMBA? something that the 'usermapping' <br>
can implement in the protocol?<br>
can someone tell me his experiences or show ways of solution?<br>
in concrete terms, I am looking for ideas for the realization:<br>
1) How can I share rights among 'unprivileged' users from the host to the <br>
container? User1 from host shares a folder to user1 from the container-os. <br>
both are not root. How can I achieve this?<br>
2) sharing files between unprivileged lxc containers<br>
<br>
I can imagine that such questions are asked frequently. but unfortunately I <br>
have not found a simple and consistent solution. <br>
<br>
Thanks in advance for your help!<br>
<br>
-- <br>
<br>
Justus Schubert<br>
01099 Dresden_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank" rel="noreferrer">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
</blockquote></div>