[lxc-devel] Quick questions and feedback about `lxc-start`

Daniel Lezcano dlezcano at fr.ibm.com
Sun Jan 10 04:02:40 UTC 2010


Andrian Nord wrote:
> On Sat, Jan 09, 2010 at 01:26:09PM +0200, Ciprian Dorin, Craciun wrote:
>>     Yup, me bothering you guys again! :)
>>
>>     So from what I've seen, `lxc-create` does nothing more than
>> copy the rcfile to a place well known to `lxc-start`. Thus I
>> assumed that I could just ignore `lxc-create` and just call
>> `lxc-start` with the `--rcfile` argument. Is my assumption correct?
>> (Will the behavior likely change in the future?)
>>
>>     The same for `lxc-delete`: it seems that it only deletes the
>> folder for the config and state files.
>>
>>     And one feature request from me: would it be welcome (I could
>> contribute the code if wanted) to allow the `lxc-start` tool to change
>> the user and group of the newly launched process?
>>     For now I use `sudo`, and not file capabilities, to run
>> `lxc-start`, and I would like to be able to run the new process as me
>> (without requiring a custom launcher inside the container). For
>> example: `sudo -- lxc-start --name test --rcfile ./name.conf --uid
>> "$UID" --gid "$GID" -- /bin/bash`
>>
>>     (Even if I were using the capabilities, when root wants to run
>> `lxc-start` he might want to drop his UID and GID (for example when
>> starting daemons in a new context).)
> 
> Dropping capabilities when starting a new container seems to me a better
> idea than running the container as a non-root user and raising capabilities
> via file capabilities - this is far less flexible.

The capabilities are only there to be able to unshare the namespaces and set up 
the container, letting a non-root user run an application in a 
container, e.g. a batch manager or HPC jobs.

> There are at least two patches doing capabilities. I'm waiting for some
> clarification to update my implementation (Daniel? What about
> lxc_cap_state?) and then, with any luck, it would be merged into the main
> tree.

Respin the patchset with or without the lxc_cap_state typedef (as you 
wish), I will check it and merge it. And will do some cleanup later.

Thanks
   -- Daniel
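The thread above asks for `lxc-start --uid/--gid` so that a privileged launcher (root via `sudo`, or a binary carrying file capabilities) can hand the launched process to an unprivileged user and group instead of needing a custom launcher inside the container. The following is an added example written for this page; it is not LXC code, and the `--uid`/`--gid` flags it imitates were only a proposal in the thread. It is a stand-alone launcher that changes to the requested ids in the order that cannot be undone (supplementary groups, then gid, then uid), verifies the change instead of trusting it, and only then execs the target command. The program name, the argv layout and the function names are assumptions made for the example.

```c
/* drop_and_exec.c: added example, not part of LXC. Emulates the requested
 * `--uid <n> --gid <n> -- <command>` behaviour as a separate launcher.
 * Build: cc -o drop_and_exec drop_and_exec.c
 * Run:   sudo ./drop_and_exec 1000 1000 -- /bin/bash
 * The name and argv layout are assumptions for this example. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch to uid/gid in an order that cannot be reversed:
 *   1. clear supplementary groups (needs CAP_SETGID, so only attempted
 *      while still effectively root; an unprivileged caller has none
 *      it could shed anyway),
 *   2. set real and effective gid while CAP_SETUID is still held,
 *   3. set real and effective uid last.
 * On Linux, setreuid()/setregid() from root also rewrite the saved ids,
 * which the final setuid(0) probe confirms: if root can be regained, the
 * drop was incomplete and the caller must not continue.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;

    /* Verify rather than trust: real and effective ids must match. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* After leaving root, regaining it must fail. Success here means a
     * saved root uid or CAP_SETUID is still around. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Parse a decimal numeric id. Returns 0 on success, -1 on malformed input
 * (empty string, trailing junk, or out-of-range value). */
int parse_id(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Usage: drop_and_exec <uid> <gid> -- <command> [args...] */
int main(int argc, char **argv)
{
    unsigned long uid, gid;

    if (argc < 5 || parse_id(argv[1], &uid) != 0 ||
        parse_id(argv[2], &gid) != 0 || strcmp(argv[3], "--") != 0) {
        fprintf(stderr, "usage: %s <uid> <gid> -- <command> [args...]\n",
                argv[0]);
        return 2;
    }
    if (drop_privileges((uid_t)uid, (gid_t)gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* Only reached with the verified, unprivileged identity. */
    execvp(argv[4], &argv[4]);
    perror("execvp");
    return 1;
}
```

The order matters: dropping the uid first would leave the process unable to change its gid or clear supplementary groups, and skipping the verification step is how launchers end up execing with a saved root uid still in place. If the same idea were folded into `lxc-start`, the drop would belong after the namespaces are unshared and the container is set up, at the point where the launcher has no further need for root.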
