[lxc-devel] Quick questions and feedback about `lxc-start`

Ciprian Dorin, Craciun ciprian.craciun at gmail.com
Sat Jan 9 14:25:11 UTC 2010


On Sat, Jan 9, 2010 at 2:47 PM, Andrian Nord <nightnord at gmail.com> wrote:
> On Sat, Jan 09, 2010 at 01:26:09PM +0200, Ciprian Dorin, Craciun wrote:
>>     Yup, me bothering you guys again! :)
>>
>>     So from what I've seen, `lxc-create` does nothing more than
>> copying the rcfile in a place well-known by `lxc-start`. Thus I
>> assumed that I could just ignore `lxc-create`, and just call
>> `lxc-start` with the `--rcfile` argument. Is my assumption correct?
>> (Will the behavior likely change in the future?)
>>
>>     The same for `lxc-delete`, it seems that it only deletes the
>> folder for the config and state files.
>>
>>     And one feature request from me: would it be welcomed (I could
>> contribute the code if wanted) to allow the `lxc-start` tool to change
>> the user and group of the new launched process?
>>     For now I use `sudo`, and not the file capabilities, to run
>> `lxc-start`, and I would like to be able to run the new process as me
>> (without requiring a custom launcher inside the container). For
>> example: `sudo -- lxc-start --name test --rcfile ./name.conf --uid
>> "$UID" --gid "$GID" -- /bin/bash`
>>
>>     (Even if I were using the capabilities, when root wants to run
>> `lxc-start` he maybe would like to drop his UID and GID (for example
>> starting daemons in a new context).)
>
> Dropping capabilities when starting a new container seems to me a better
> idea than running the container as a non-root user and raising capabilities
> via file capabilities - this is far less flexible.

    By "dropping capabilities" you actually mean capabilities like the
ones from POSIX file capabilities? Or you mean dropping the
"privileges of a root user" to a non-root user? (I would guess that
its the later (dropping to a non-root user after initialization)...)


> There are at least two patches doing capabilities. I'm waiting for some
> clarification to update my implementation (Daniel? What about
> lxc_cap_state?) and then, with any luck, it would be merged into main
> tree.

    It's not very clear to me if the new patches would provide
something like what I have proposed:
    sudo -- lxc-start --name test --rcfile ./name.conf --uid "$UID"
--gid "$GID" -- /bin/bash

    Sorry, I'm a bit fuzzy today. :)
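The privilege drop the request describes (root launches the container, then the launched process runs as an ordinary uid/gid with no way back to root), as an added example that is not part of this thread or of lxc's own code; `parse_id` and `drop_privileges` are names I made up, and the program assumes it is started as root (e.g. via sudo) with numeric ids on the command line:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse a numeric uid/gid as given on the command line ("--uid 1000").
 * Returns the id, or -1 for empty, signed, non-numeric or oversized input. */
long parse_id(const char *s) {
    char *end;
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+') return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > INT_MAX) return -1;
    return (long)v;
}

/* Permanently drop from root to uid/gid: supplementary groups first, then
 * gid, then uid (setuid last, since after it we lack the privilege for the
 * other two). setuid() in a root process sets real, effective and saved
 * uid together, so root cannot be regained; the final check confirms that.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -1;
    /* Regaining root must now fail (meaningless when the target is root). */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* usage: drop-and-exec UID GID PROGRAM [ARGS...] */
int main(int argc, char **argv) {
    if (argc < 4) {
        fprintf(stderr, "usage: %s UID GID PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    long uid = parse_id(argv[1]), gid = parse_id(argv[2]);
    if (uid < 0 || gid < 0) { fprintf(stderr, "bad uid/gid\n"); return 2; }
    if (drop_privileges((uid_t)uid, (gid_t)gid) != 0) {
        perror("drop_privileges"); return 1;
    }
    execvp(argv[3], argv + 3);   /* reached only with privileges dropped */
    perror("execvp");
    return 1;
}
```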
