[lxc-devel] [RFC 0/2] Enabling unprivileged containers

Serge Hallyn serge.hallyn at ubuntu.com
Tue Nov 5 20:12:58 UTC 2013


With this patchset I am able to create and run ubuntu-cloud containers
as non-root user.  Note this requires an up-to-date ubuntu trusty host to
get a userns-enabled kernel.  The steps:

1. install uidmap
	sudo apt-get install uidmap
2. make sure to have a range of allocated subuids, i.e.
	sudo usermod -v 100000-199999 -w 100000-199999 serge
3. make sure to allocate some nics
	echo "serge veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
4. set yourself up in cgroups which you own:
	for c in /sys/fs/cgroup/*; do
		sudo mkdir $c/serge;
		sudo chown -R serge: $c/serge;
		if [ `basename $c` = "cpuset" ]; then
			# one file per redirect: a brace expansion after '>' would
			# write "0 .../cpuset.mems" into cpuset.cpus instead
			echo 0 > $c/serge/cpuset.cpus
			echo 0 > $c/serge/cpuset.mems
		fi
		echo $$ > $c/serge/tasks;
	done
5. write an lxc.conf
	cat > ~/lxc.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
EOF
6. create an lxcpath for yourself
	mkdir /home/serge/lxcbase
7. you'll need to make lxc-user-nic setuid-root (as the Makefile isn't doing that):
	sudo chmod u+s /usr/bin/lxc-user-nic

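An added check, not part of this post or of lxc itself, tying step 2 to step 5: it reads every lxc.id_map line from an lxc.conf and confirms the host-side range sits inside the sub-UID/sub-GID allocation that usermod -v/-w recorded for the user in /etc/subuid and /etc/subgid, so a map that newuidmap would reject is caught before lxc-create. The function names, the whitespace-separated "lxc.id_map = u 0 100000 10000" syntax and the sample files written by demo are assumptions; it handles any number of id_map lines, not only the two in the config above.

```shell
# Added example, not from the post: before lxc-create, verify that every
# lxc.id_map line in the config lies inside the sub-UID/GID range that
# usermod -v/-w delegated to the user in /etc/subuid and /etc/subgid.
# newuidmap/newgidmap refuse an out-of-range map at start; this fails earlier.

# range_ok USER FILE HSTART COUNT: succeed if [HSTART, HSTART+COUNT) lies
# within one of USER's entries in FILE (lines are user:start:count).
range_ok() {
    r_user=$1 r_file=$2 r_start=$3 r_count=$4
    while IFS=: read -r r_name r_s r_c; do
        [ "$r_name" = "$r_user" ] || continue
        if [ "$r_start" -ge "$r_s" ] && [ $((r_start + r_count)) -le $((r_s + r_c)) ]; then
            return 0
        fi
    done < "$r_file"
    return 1
}

# check_idmap USER LXC_CONF SUBUID_FILE SUBGID_FILE: succeed only if every
# "lxc.id_map = <u|g> <ctr-start> <host-start> <count>" line is in range.
check_idmap() {
    c_user=$1 c_conf=$2 c_subuid=$3 c_subgid=$4
    while read -r c_key _eq c_type _cstart c_hstart c_count; do
        [ "$c_key" = "lxc.id_map" ] || continue
        case $c_type in
            u) c_file=$c_subuid ;;
            g) c_file=$c_subgid ;;
            *) echo "unknown id_map type '$c_type'" >&2; return 1 ;;
        esac
        if ! range_ok "$c_user" "$c_file" "$c_hstart" "$c_count"; then
            echo "$c_type map $c_hstart+$c_count not delegated to $c_user in $c_file" >&2
            return 1
        fi
    done < "$c_conf"
    return 0
}

# demo: constructed sample files (not real host data) in a temp dir; the
# first config matches the post's usermod range, the second overshoots it.
demo() {
    d=$(mktemp -d)
    printf 'serge:100000:100000\n' > "$d/subuid"
    cp "$d/subuid" "$d/subgid"
    printf 'lxc.id_map = u 0 100000 10000\nlxc.id_map = g 0 100000 10000\n' > "$d/good.conf"
    printf 'lxc.id_map = u 0 100000 10000\nlxc.id_map = g 0 195000 10000\n' > "$d/bad.conf"
    check_idmap serge "$d/good.conf" "$d/subuid" "$d/subgid" && echo "good.conf: ok"
    check_idmap serge "$d/bad.conf" "$d/subuid" "$d/subgid" || echo "bad.conf: rejected"
    rm -rf "$d"
}
```

Run `demo` to see both outcomes; on a real host pass the user name, the lxc.conf and /etc/subuid and /etc/subgid to check_idmap.
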
Now create the container:
	lxc-create -P /home/serge/lxcbase -n a1 -f /home/serge/lxc.conf -t ubuntu-cloud -- -r saucy
and start it:
	lxc-start -P /home/serge/lxcbase -n a1
You can stop it or open a console:
	lxc-console -P /home/serge/lxcbase -n a1
	lxc-stop -P /home/serge/lxcbase -n a1 -k

You can't yet delete such a container very easily.  (sudo and
lxc-usernsexec being the obvious ways)

It's not complete, but it's a start and doesn't (AFAICS) adversely affect
privileged use.

-serge
