[lxc-devel] Howto user namespaces?
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Apr 9 13:15:59 UTC 2013
Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> On Tue, Apr 9, 2013 at 5:28 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> >> Am I missing something obvious?
> >
> > lxc-create does not yet convert the rootfs to the mapped uids, so you
> > need to do that manually using uidmapshift. Check the
> > container-userns-convert script at
> > https://code.launchpad.net/~serge-hallyn/+junk/nsexec or in the nsexec
> > package at ppa:serge-hallyn/userns-natty.
>
> Hmm, I've fixed the uids already by hand.
> Today I've created a new container and used container-userns-convert
> but with the same results.
>
> What I find very strange is that your script does:
> lxc.id_map = U ${uid} 0 $range
> lxc.id_map = G ${uid} 0 $range
> uid is 100000, range is 10000.
>
> But the lxc docs say:
> Four values must be provided. First a character, either
> 'u', or 'g', to specify whether user or group ids are
> being mapped. Next is the first userid as seen in the
> user namespace of the container. Next is the userid as
> seen on the host. Finally, a range indicating the number
> of consecutive ids to map.
>
> So, this would make more sense: lxc.id_map = u 0 100000 10000
Dwight recently made some changes to the lxc support. I may not have
switched my scripts yet.
> Anyways, mount of tmpfs fails with ENOPERM, is there any debugging
> mechanism to find out why it is failing?
Yeah, get your kernel source and check to see in mm/shmem.c whether
tmpfs's fs_flags is given FS_USERNS_MOUNT
> According to strace some bind mounts before the tmpfs work perfectly fine.
>
> --
> Thanks,
> //richard
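The four-field `lxc.id_map` semantics quoted above, and the rootfs ownership conversion that uidmapshift performs, as an added example that is not part of this thread and not the code of uidmapshift or container-userns-convert. It parses the map, translates container-side ids to host-side ids, and produces a dry-run plan for a rootfs before anything is chowned; `apply_shift` is the only part that touches the filesystem.

```python
import os
from typing import List, NamedTuple, Optional, Tuple

class IdMap(NamedTuple):
    kind: str        # "u" (user ids) or "g" (group ids)
    ns_start: int    # first id as seen inside the container's user namespace
    host_start: int  # host id that ns_start maps onto
    count: int       # number of consecutive ids covered by this entry

def parse_id_maps(config_text: str) -> List[IdMap]:
    """Parse 'lxc.id_map = <u|g> <ns_start> <host_start> <range>' config lines."""
    maps = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("lxc.id_map"):
            continue
        fields = line.split("=", 1)[1].split()
        if len(fields) != 4 or fields[0].lower() not in ("u", "g"):
            raise ValueError(f"malformed id_map line: {line!r}")
        maps.append(IdMap(fields[0].lower(), int(fields[1]), int(fields[2]), int(fields[3])))
    return maps

def map_id(kind: str, ns_id: int, maps: List[IdMap]) -> Optional[int]:
    """Host-side id for a container-side id, or None when no entry covers it."""
    for m in maps:
        if m.kind == kind and m.ns_start <= ns_id < m.ns_start + m.count:
            return m.host_start + (ns_id - m.ns_start)
    return None

def plan_rootfs_shift(rootfs: str, maps: List[IdMap]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Dry run of the conversion: for every inode under rootfs (symlinks included, never
    followed) report the host uid/gid it must carry so the container keeps seeing its
    current ids. None flags an id outside the map; inspect those instead of chowning."""
    plan = []
    for dirpath, dirnames, filenames in os.walk(rootfs):
        entries = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        # os.walk lists symlinks to directories in dirnames but does not descend into them
        entries += [p for p in (os.path.join(dirpath, d) for d in dirnames) if os.path.islink(p)]
        for path in entries:
            st = os.lstat(path)
            plan.append((path, map_id("u", st.st_uid, maps), map_id("g", st.st_gid, maps)))
    return plan

def apply_shift(plan) -> int:
    """Apply a plan with lchown, skipping unmapped entries; needs CAP_CHOWN on the host."""
    done = 0
    for path, uid, gid in plan:
        if uid is not None and gid is not None:
            os.lchown(path, uid, gid)
            done += 1
    return done
```

With the map from the thread (`u 0 100000 10000`), a file owned by container uid 0 must be owned by host uid 100000, and any host-side id below 100000 or at 110000 and above is invisible to the container.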