[lxc-devel] Quick questions and feedback about `lxc-start`

Andrian Nord nightnord at gmail.com
Sat Jan 9 12:47:51 UTC 2010


On Sat, Jan 09, 2010 at 01:26:09PM +0200, Ciprian Dorin, Craciun wrote:
>     Yup, me bothering you guys again! :)
> 
>     So from what I've seen, `lxc-create` does nothing more than
> copying the rcfile in a place well-known by `lxc-start`. Thus I
> assumed that I could just ignore `lxc-create`, and just call
> `lxc-start` with the `--rcfile` argument. Is my assumption correct?
> (Will the behavior likely change in the future?)
> 
>     The same for `lxc-delete`, it seems that it only deletes the
> folder for the config and state files.
> 
>     And one feature request from me: would it be welcomed (I could
> contribute the code if wanted) to allow the `lxc-start` tool to change
> the user and group of the newly launched process?
>     For now I use `sudo`, and not the file capabilities, to run
> `lxc-start`, and I would like to be able to run the new process as me
> (without requiring a custom launcher inside the container). For
> example: `sudo -- lxc-start --name test --rcfile ./name.conf --uid
> "$UID" --gid "$GID" -- /bin/bash`
> 
>     (Even if I were using the capabilities, when root wants to run
> `lxc-start` he maybe would like to drop his UID and GID (for example
> starting daemons in a new context).)

Dropping capabilities when starting a new container seems to me a better
idea than running the container as a non-root user and raising capabilities
via file capabilities - this is far less flexible.

There are at least two patches doing capabilities. I'm waiting for some
clarification to update my implementation (Daniel? What about
lxc_cap_state?) and then, with any luck, it would be merged into the main
tree.
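Added example (not LXC code, and not from either poster): a minimal C launcher showing what a `--uid`/`--gid` option on a root-run `lxc-start` would have to do before exec'ing the child, and why dropping capabilities belongs in the launcher rather than in file capabilities: empty the capability bounding set, clear supplementary groups, set gid then uid (real, effective and saved together) and verify root cannot be regained. Function names are my own; it assumes Linux with glibc.

```c
/* Added example: privilege drop a root-run launcher would do before exec. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <linux/capability.h>

/* Remove every capability from the bounding set so no setuid or
 * file-capability binary exec'd later can hand privileges back.
 * Needs CAP_SETPCAP. */
static int drop_bounding_set(void)
{
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0 && errno != EINVAL)
            return -1;          /* EINVAL: cap unknown to this kernel */
    return 0;
}

/* 1 when the process really runs as uid/gid with no way back to root,
 * 0 otherwise; uid 0 is never considered "dropped". */
static int check_unprivileged(uid_t uid, gid_t gid)
{
    if (uid == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return 0;
    return setuid(0) != 0;      /* must fail: saved uid is no longer 0 */
}

/* Order matters: groups first, then gid, then uid, because after
 * setresuid() to a non-root id none of them can be changed any more. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)    /* needs CAP_SETGID */
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    if (!check_unprivileged(uid, gid))
        return -1;
    /* Also refuse privilege gains from setuid bits / file caps at exec. */
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

int main(int argc, char **argv)
{
    if (argc < 4) { fprintf(stderr, "usage: %s uid gid cmd...\n", argv[0]); return 2; }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_bounding_set() != 0 || drop_privileges(uid, gid) != 0) {
        perror("privilege drop failed"); return 1; }
    execvp(argv[3], argv + 3);
    perror("execvp"); return 1;
}
```

Run as root it behaves like the requested `sudo -- lxc-start ... --uid "$UID" --gid "$GID" -- /bin/bash`; the point of the check is that a drop which silently leaves a saved uid of 0 or a loaded bounding set is worse than no drop at all.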