[lxc-devel] [RFC 0/2] Enabling unprivileged containers
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Nov 5 20:12:58 UTC 2013
With this patchset I am able to create and run ubuntu-cloud containers
as non-root user. Note this requires an uptodate ubuntu trusty host to
get a userns-enabled kernel. The steps:
1. install uidmap
sudo apt-get install uidmap
2. make sure to have a range of allocated subuids, i.e.
sudo usermod -v 100000-199999 -w 100000-199999 serge
3. make sure to allocate some nics
echo "serge veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
4. set yourseulf up in cgroups which you own:
for c in /sys/fs/cgroup/*; do
sudo mkdir $c/serge;
sudo chown -R serge: $c/serge;
if [ `basename $c` = "cpuset" ]; then
echo 0 > $c/serge/cpuset.{cpus,mems}
fi
echo $$ > $c/serge/tasks;
done
5. write a lxc.conf
cat > ~/lxc.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
EOF
6. create an lxcpath for yourself
mkdir /home/serge/lxcbase
7. you'll need to make lxc-user-nic setuid-root (as Makefile isn't doing that):
sudo chmod u+s /usr/bin/lxc-user-nic
Now create the container:
lxc-create -P /home/serge/lxcbase -n a1 -f /home/serge/lxc.conf -t ubuntu-cloud -- -r saucy
and start it:
lxc-start -P /home/serge/lxcbase -n a1
You can stop it or open a console:
lxc-console -P /home/serge/lxcbase -n a1
lxc-stop -P /home/serge/lxcbase -n a1 -k
You can't yet delete such a container very easily. (sudo and
lxc-usernsexec being the obvious ways)
It's not complete, but it's a start and doesn't (AFAICS) adversely affect
privileged use.
-serge
More information about the lxc-devel
mailing list