[lxc-devel] Last minute template addition - universal image based template

Serge Hallyn serge.hallyn at ubuntu.com
Sat Jan 11 05:55:00 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Sat, Jan 11, 2014 at 12:18:12AM -0500, S.Çağlar Onur wrote:
> > Hey Stéphane,
> > 
> > On Fri, Jan 10, 2014 at 3:10 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> > > Hey everyone,
> > >
> > > First of all, sorry for coming up with that so late in the 1.0
> > > development cycle. I tried to convince myself for a long time that this
> > > wasn't necessary but reality is that with unprivileged containers, we
> > > need to start thinking about new ways to let our users create
> > > containers.
> > 
> > Not an objection but a question to understand more. I'm assuming the
> > problem is the tools used for bootstrapping (like
> > debootstrap/febootstrap etc.) requiring some privileges. If that's the
> > case, can't we write something (like setting the suid bit or giving
> > the required capabilities via libcap) to let an unprivileged user create
> > the container using the regular templates?
> 
> The main problem we have at the moment is anything attempting to mknod.
> Then we have some templates like fedora which use loop mounts and other
> similar restricted kernel features.

And to be clear, adding suid bits won't help as the templates run in a
user namespace.  Mounting block filesystems and creating devices are not
allowed there for now, period.

-serge
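As an added illustration of the point above (example code, not from the thread or from LXC): the child below becomes uid 0 in a fresh user namespace, holding every capability that namespace can grant, and still has mknod() of a device node refused with EPERM. The path passed in is a constructed one; Linux only, and it needs a kernel that lets the caller create user namespaces.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one string into a /proc/self file such as uid_map; 0 on success. */
static int write_proc(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Fork a child that becomes uid 0 in a fresh user namespace and tries to
 * mknod a character device at `path` (removed again if it ever succeeds).
 * Returns 0 if mknod succeeded, the mknod errno if the kernel refused it
 * (EPERM is what the thread predicts), or -1 if no user namespace could be
 * created at all (unshare denied by sysctl, seccomp or an old kernel). */
int mknod_in_userns(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char map[64];
        snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());
        /* Become "root" of the new namespace: map our real uid to uid 0. */
        if (unshare(CLONE_NEWUSER) != 0 || write_proc("/proc/self/uid_map", map) != 0)
            _exit(255);
        /* geteuid() is now 0 and we hold every capability in this namespace,
         * which is exactly the situation an LXC template script is in. */
        int rc = mknod(path, S_IFCHR | 0600, makedev(1, 3)); /* a /dev/null node */
        int err = errno;
        if (rc == 0) unlink(path);
        _exit(rc == 0 ? 0 : (err & 0xff));
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

Call it from a main() with any writable path: on a stock kernel it returns EPERM, and -1 where user namespace creation is disabled for the caller.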

