[lxc-devel] [Not A Patch] [POC] Proof of concept code for using devtmpfs for autodev and more...
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Nov 1 22:25:30 UTC 2013
Quoting Michael H. Warfield (mhw at WittsEnd.com):
> On Fri, 2013-11-01 at 16:30 -0500, Serge Hallyn wrote:
> > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > On Fri, 2013-11-01 at 15:03 -0500, Serge Hallyn wrote:
> > > > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > > > The only place that's being used is in creating a symlink...
> > > > >
> > > > > /dev/.lxc/$name -> /dev/.lxc/$pathhash
> > > > >
> > > > > I use it for the same reason you wanted the extra bind mounts to
> > > > > $lxcpath/$lxcname.dev. In your case, you wanted to see the dev mappings
> > > >
> > > > Oh - gotcha. Well in that case I'd say just create your own unique
> > > > $name.$index. that should be enough info.
> > >
> > > > Oh now unprivileged container creation of course will not be able
> > > > to do this as I won't be able to create /dev/.lxc/anything as uid
> > > > 1000.
> > >
> > > Oh, we're going to have to look into that then. We're doing other
> > > privileged operations like the bind mounts... Hmmm... It may have to
>
> > bind mounts are ok. we can do this in a private mntns. That's how
> > I currently get around our inability to mknod in a userns - I
> > bind mount devices from the host into the container's /dev.
>
> Ok... How are you handling the creation of objects under $lxc_path
> then? Obviously, I haven't been paying much attention to the unpriv
> user angle of things here. Is it like many of the other virt systems
> where the user needs to be part of a particular group? Could we do
> something similar?
No. I mkdir /home/serge/lxcbase and do
lxc-create -t tarball -n b1 -P /home/serge/lxcbase -f /home/serge/lxc.conf -- -T /home/serge/ubuntu.tgz
(tarball is a special template that just extracts the given tarball.
I'm working on a patch to not need to do that, but I've been very
distracted by other issues)
So the key is the "-P" which specifies that the container lives in a
directory which I own.
Ok, so really to get this to work I first need to:
1. cat > /home/serge/lxc.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
EOF
2. sudo usermod -v 100000-200000 -w 100000-200000 serge
And then if I want to actually start the container (since I specified a
nic) I need to
3. cat >> /etc/lxc/lxc-usernet << EOF
serge veth lxcbr0 2
EOF
More information about the lxc-devel
mailing list