[lxc-devel] [RFC 0/2] Enabling unprivileged containers

Stéphane Graber stgraber at ubuntu.com
Tue Nov 5 20:17:22 UTC 2013 

On Tue, Nov 05, 2013 at 02:12:58PM -0600, Serge Hallyn wrote:
> With this patchset I am able to create and run ubuntu-cloud containers
> as non-root user.  Note this requires an uptodate ubuntu trusty host to
> get a userns-enabled kernel.  The steps:
> 
> 1. install uidmap
> 	sudo apt-get install uidmap
> 2. make sure to have a range of allocated subuids, i.e.
> 	sudo usermod -v 100000-199999 -w 100000-199999 serge
> 3. make sure to allocate some nics
> 	echo "serge veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
> 4. set yourseulf up in cgroups which you own:
> 	for c in /sys/fs/cgroup/*; do
> 		sudo mkdir $c/serge;
> 		sudo chown -R serge: $c/serge;
> 		if [ `basename $c` = "cpuset" ]; then
> 			echo 0 > $c/serge/cpuset.{cpus,mems}
> 		fi
> 		echo $$ > $c/serge/tasks;
> 	done
> 5. write a lxc.conf
> 	cat > ~/lxc.conf << EOF
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> lxc.network.flags = up
> lxc.id_map = u 0 100000 10000
> lxc.id_map = g 0 100000 10000
> EOF
> 6. create an lxcpath for yourself
> 	mkdir /home/serge/lxcbase
> 7. you'll need to make lxc-user-nic setuid-root (as Makefile isn't doing that):
> 	sudo chmod u+s /usr/bin/lxc-user-nic

Why isn't the Makefile doing that?

> 
> Now create the container:
> 	lxc-create -P /home/serge/lxcbase -n a1 -f /home/serge/lxc.conf -t ubuntu-cloud -- -r saucy
> and start it:
> 	lxc-start -P /home/serge/lxcbase -n a1
> You can stop it or open a console:
> 	lxc-console -P /home/serge/lxcbase -n a1
> 	lxc-stop -P /home/serge/lxcbase -n a1 -k
> 
> You can't yet delete such a container very easily.  (sudo and
> lxc-usernsexec being the obvious ways)
> 
> It's not complete, but it's a start and doesn't (AFAICS) adversely affect
> privileged use.
> 
> -serge
> 
> ------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models. Explore
> techniques for threading, error checking, porting, and tuning. Get the most 
> from the latest Intel processors and coprocessors. See abstracts and register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20131105/9b78ea88/attachment.pgp>

More information about the lxc-devel mailing list