[lxc-devel] Howto user namespaces?

richard -rw- weinberger richard.weinberger at gmail.com
Tue Apr 9 07:58:08 UTC 2013


On Tue, Apr 9, 2013 at 5:28 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
>> Am I missing something obvious?
>
> lxc-create does not yet convert the rootfs to the mapped uids, so you
> need to do that manually using uidmapshift.  Check the
> container-userns-convert script at
> https://code.launchpad.net/~serge-hallyn/+junk/nsexec or in the nsexec
> package at ppa:serge-hallyn/userns-natty.

Hmm, I've fixed the uids already by hand.
Today I've created a new container and used container-userns-convert
but with the same results.

What I find very strange is that your script does:
lxc.id_map = U ${uid} 0 $range
lxc.id_map = G ${uid} 0 $range
uid is 100000, range is 10000.

But the lxc docs say:
              Four values must be provided.  First a character, either
              'u', or 'g', to specify whether user or group ids are
              being mapped.  Next is the first userid as seen in the
              user namespace of the container.  Next is the userid as
              seen on the host.  Finally, a range indicating the number
              of consecutive ids to map.

So, this would make more sense: lxc.id_map = u 0 100000 10000

Anyway, the tmpfs mount fails with ENOPERM. Is there any debugging
mechanism to find out why it is failing?
According to strace some bind mounts before the tmpfs work perfectly fine.

--
Thanks,
//richard
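To make the ordering question in the message above concrete, here is a small interpreter for lxc.id_map lines written against the semantics the quoted lxc docs give (type, first id inside the container, first id on the host, range). It is an added example, not code from the thread, from lxc or from the nsexec package; the rootfs conversion is a model of what a uidmapshift-style tool does, not the tool itself, the sample rootfs ownership table is constructed, and accepting upper-case 'U'/'G' as well as 'u'/'g' is an assumption made so that both orderings seen on the page can be parsed. Applied to the two variants from the message, it shows that under the documented reading the script's "U 100000 0 10000" line puts host id 0 inside the mapped range, which the last helper flags.

```python
"""Interpret lxc.id_map lines as documented: <u|g> <ns_first> <host_first> <range>."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class IdMap:
    kind: str        # 'u' (user ids) or 'g' (group ids)
    ns_first: int    # first id as seen inside the container's user namespace
    host_first: int  # id that ns_first becomes on the host
    count: int       # number of consecutive ids covered by this entry


def parse_id_map(config_lines: Iterable[str]) -> List[IdMap]:
    """Collect every lxc.id_map entry from config lines; other keys are ignored."""
    maps: List[IdMap] = []
    for raw in config_lines:
        line = raw.split("#", 1)[0].strip()       # drop comments and padding
        if not line.startswith("lxc.id_map"):
            continue
        _key, _sep, value = line.partition("=")
        fields = value.split()
        if len(fields) != 4:
            raise ValueError(f"lxc.id_map needs exactly four values: {raw!r}")
        kind = fields[0].lower()                   # assumption: tolerate 'U'/'G'
        if kind not in ("u", "g"):
            raise ValueError(f"first value must be 'u' or 'g': {raw!r}")
        ns_first, host_first, count = (int(f) for f in fields[1:])
        if count <= 0 or ns_first < 0 or host_first < 0:
            raise ValueError(f"ids must be >= 0 and range > 0: {raw!r}")
        maps.append(IdMap(kind, ns_first, host_first, count))
    return maps


def ns_to_host(maps: List[IdMap], kind: str, ns_id: int) -> Optional[int]:
    """Translate an id as the container sees it into the host id, or None if unmapped."""
    for m in maps:
        if m.kind == kind and m.ns_first <= ns_id < m.ns_first + m.count:
            return m.host_first + (ns_id - m.ns_first)
    return None


def host_to_ns(maps: List[IdMap], kind: str, host_id: int) -> Optional[int]:
    """Inverse direction: host id to the id the container sees, or None if unmapped."""
    for m in maps:
        if m.kind == kind and m.host_first <= host_id < m.host_first + m.count:
            return m.ns_first + (host_id - m.host_first)
    return None


Ownership = Dict[str, Tuple[int, int]]


def shift_rootfs(rootfs: Ownership, maps: List[IdMap]) -> Ownership:
    """Model of a uidmapshift-style conversion: rootfs holds path -> (uid, gid) as
    written by the template (container-view ids); the result is what the files must
    be owned by on the host so the container sees them with the original ids."""
    converted: Ownership = {}
    for path, (uid, gid) in rootfs.items():
        huid = ns_to_host(maps, "u", uid)
        hgid = ns_to_host(maps, "g", gid)
        if huid is None or hgid is None:
            raise ValueError(f"{path}: owner {uid}:{gid} falls outside the id map")
        converted[path] = (huid, hgid)
    return converted


def maps_exposing_host_root(maps: List[IdMap]) -> List[IdMap]:
    """Entries under which some container id translates to host uid/gid 0."""
    return [m for m in maps if m.host_first == 0]


# The two orderings discussed in the message (uid 100000, range 10000).
DOC_ORDER_CFG = ["lxc.id_map = u 0 100000 10000", "lxc.id_map = g 0 100000 10000"]
SCRIPT_ORDER_CFG = ["lxc.id_map = U 100000 0 10000", "lxc.id_map = G 100000 0 10000"]

# Constructed sample: ownership of a few files as an unconverted template leaves them.
SAMPLE_ROOTFS: Ownership = {"/": (0, 0), "/etc/shadow": (0, 42), "/home/user": (1000, 1000)}

if __name__ == "__main__":
    doc_maps = parse_id_map(DOC_ORDER_CFG)
    for path, owner in shift_rootfs(SAMPLE_ROOTFS, doc_maps).items():
        print(f"{path}: container {SAMPLE_ROOTFS[path]} -> host {owner}")
    for m in maps_exposing_host_root(parse_id_map(SCRIPT_ORDER_CFG)):
        print(f"host id 0 is inside the mapped range: {m}")
```

Running it prints the host-side ownership the rootfs needs under the documented ordering (root becomes 100000:100000, uid 1000 becomes 101000) and reports both entries of the script's ordering, because read as the docs describe, container ids 100000..109999 would translate to host ids 0..9999.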
