[lxc-devel] Last minute template addition - universal image based template
Dwight Engen
dwight.engen at oracle.com
Tue Jan 14 23:38:43 UTC 2014
On Mon, 13 Jan 2014 20:56:23 -0500
Stéphane Graber <stgraber at ubuntu.com> wrote:
[...]
>
> Yeah, I did a few last-minute changes.
>
> fstab is no longer required (only copied over if it's there).
>
> If the expiry file is messing, it's simply assumed that the container
> won't expire.
Nice, that makes sense.
[...]
> Now for Oracle, I guess it depends what's most useful for your users.
>
> Is there actually still a demand for 4.x? I thought at least RHEL 4.x
> went out of support last year.
>
> In any case, I suspect that starting with the latest of each supported
> release on i386 and amd64 is probably a good start.
> We can then expand that to include popular minor releases, possibly
> the last few 6.x?
Yeah I think it makes sense to start with just x86_64 6.latest, and
we'll see how it goes from there.
> > One question I have on this is that the rootfs (at least that the
> > Oracle template makes, not sure about others) isn't quite right
> > since the host name will have already been injected into config
> > files (for example /etc/hosts), but lxc-download wants to template
> > them itself. Should we add a switch to the distro template so it
> > knows when its being called to create a rootfs for lxc-download to
> > put LXC_NAME in there instead the --name it was passed?
>
> So currently my build script (Jenkins job) will call the template
> with:
> - --rootfs=/build-lxc/container/LXC_NAME/rootfs
> - --path=/build-lxc/container/LXC_NAME
> - --name=LXC_NAME
Oh yeah, doh! Clever, that should make it work fine.
[...]
> > I have not tried from a normal user account yet. Is it basically
> > that you expect the template to be run by a normal user, but be
> > running in a userns? Can you describe how mapped_uid is supposed to
> > be set? Thanks!
> -d oracle -r 6.5 -a x86_64 --server phocis/lxc-images --no-validate
> Yeah, lxc-create basically does all the magic we need there.
> When run as a user, it'll run the template in a userns mapped with the
> container's range.
>
> $mapped_uid appears to be set to the uid in the userns which maps back
> to the user's own uid outside of it and makes it possible to chown
> files back to the actual user.
So I had to dig into the source to see how I could get this to work,
and tried passing a line like:
lxc-create -P /home/dengen/ct -f /home/dengen/ct/dengen_id_map.conf -n ol65 -t download -- -d oracle -r 6.5 -a x86_64 --server lxchttp/lxc-images --no-validate
where /home/dengen/ct/dengen_id_map.conf just has:
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
in order to get mapped_uid in lxc-create to kick in. Sadly this didn't
work because lxc.spec is still installing lxc-create (and a lot more)
setuid, so the geteuid() check in create_run_template() isn't firing.
So my question is: which lxc binaries are supposed to be installed
setuid these days? Is it just lxc-user-nic? Once I know, I can go ahead
and fixup lxc.spec. Thanks.
More information about the lxc-devel
mailing list