[lxc-devel] Last minute template addition - universal image based template
S.Çağlar Onur
caglar at 10ur.org
Sat Jan 11 19:21:50 UTC 2014
Hey Serge,
On Sat, Jan 11, 2014 at 12:55 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
>> On Sat, Jan 11, 2014 at 12:18:12AM -0500, S.Çağlar Onur wrote:
>> > Hey Stéphane,
>> >
>> > On Fri, Jan 10, 2014 at 3:10 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
>> > > Hey everyone,
>> > >
>> > > First of all, sorry for coming up with that so late in the 1.0
>> > > development cycle. I tried to convince myself for a long time that this
>> > > wasn't necessary but reality is that with unprivileged containers, we
>> > > need to start thinking about new ways to let our users create
>> > > containers.
>> >
>> > Not an objection but a question to understand more. I'm assuming the
>> > problem is that the tools used for bootstrapping (like
>> > debootstrap/febootstrap etc.) require some privileges. If that's the
>> > case, can't we write something (like setting the suid bit or giving the
>> > required capabilities via libcap) to let an unprivileged user create
>> > the container using the regular templates?
>>
>> The main problem we have at the moment is anything attempting to mknod.
>> Then we have some templates like fedora which use loop mounts and other
>> similar restricted kernel features.
>
> And to be clear, adding suid bits won't help as the templates run in a
> user namespace. Mounting block filesystems and creating devices are not
> allowed there for now, period.
I knew the lxc-create story, in fact I believe you explained that part
to me last week or so :) What I suggested was writing something else
(like lxc-user-create with enough capabilities) to call/drive the
templates as a user but after sleeping over it, I realized that that's
no different than calling "sudo lxc-create" as a user.
> -serge
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
S.Çağlar Onur <caglar at 10ur.org>
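The point Serge makes above, that inside a user namespace mknod of a device node is refused even for a process that is uid 0 in that namespace, can be checked directly on a Linux box. The following probe is an added example written for this archive page; it is not code from the thread or from the LXC project. It assumes util-linux `unshare` and coreutils `mknod` are installed, and the device numbers it tries (char 1:3, a /dev/null clone, in a temporary directory) are a constructed sample. It reports "denied" when the namespace is created but the mknod is refused, "allowed" if the kernel lets it through, and "unshare-unavailable" if unprivileged user namespaces cannot be created at all (for example when they are disabled by sysctl), so it runs without privileges.

```shell
#!/bin/sh
# Added example, not from the lxc-devel thread.
# Probe: can a process that is "root" inside a freshly created user
# namespace create a character device node? The thread says no, and
# this is why image-based container creation sidesteps the template
# approach for unprivileged users.

probe_mknod_in_userns() {
    # Scratch directory owned by the caller, so the only thing that can
    # fail inside the namespace is the mknod itself, not the directory.
    tmp=$(mktemp -d) || return 1
    node="$tmp/null"   # constructed target path

    if ! command -v unshare >/dev/null 2>&1; then
        echo "unshare-unavailable"
        rm -rf "$tmp"
        return 0
    fi

    # -U creates a new user namespace; -r maps the caller to uid/gid 0
    # inside it. If even a no-op fails here, unprivileged user
    # namespaces are not available on this kernel/config.
    if ! unshare -Ur true 2>/dev/null; then
        echo "unshare-unavailable"
        rm -rf "$tmp"
        return 0
    fi

    # Inside the namespace we hold CAP_MKNOD *for that namespace*, but
    # device nodes belong to the initial namespace, so the kernel
    # returns EPERM. "c 1 3" is the major/minor of /dev/null.
    if unshare -Ur mknod "$node" c 1 3 2>/dev/null; then
        echo "allowed"
    else
        echo "denied"
    fi
    rm -rf "$tmp"
}

# For contrast: the same mknod outside any new namespace depends only
# on whether the caller already has CAP_MKNOD (i.e. is real root).
probe_mknod_plain() {
    tmp=$(mktemp -d) || return 1
    if mknod "$tmp/null" c 1 3 2>/dev/null; then
        echo "allowed"
    else
        echo "denied"
    fi
    rm -rf "$tmp"
}

probe_mknod_in_userns
probe_mknod_plain
```

Running the two probes side by side as an ordinary user normally prints "denied" twice; running them as real root prints "denied" for the namespace probe and "allowed" for the plain one, which is the asymmetry the thread is about: becoming uid 0 inside a user namespace does not grant the device-creation rights a template like fedora's needs, and no suid wrapper around lxc-create changes that.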