[lxc-devel] Enabling unprivileged containers on Yocto built Linux

bogdan.purcareata at freescale.com bogdan.purcareata at freescale.com
Fri Oct 10 10:33:01 UTC 2014


> -----Original Message-----
> From: lxc-devel [mailto:lxc-devel-bounces at lists.linuxcontainers.org] On Behalf
> Of Serge Hallyn
> Sent: Thursday, October 09, 2014 8:48 PM
> To: LXC development mailing-list
> Subject: Re: [lxc-devel] Enabling unprivileged containers on Yocto built Linux
> 
> Quoting bogdan.purcareata at freescale.com (bogdan.purcareata at freescale.com):
> > Hello,
> >
> > I am trying to enable unprivileged containers for a non-standard Linux built
> with Yocto. Some general configuration aspects:
> > Linux: 3.12
> > LXC: 1.0.6
> > shadow: 4.2.1
> >
> > I'm trying to run a Busybox container, and the lxc-busybox template was
> > fairly easy to make work with unpriv lxc-create (I'm planning to upstream
> the
> 
> Did you change the ownership of the rootfs to match the uids in the
> container?  What are the lxc.id_map entries in your container config,
> and what does 'ls -l .local/share/lxc/foo .local/share/lxc/foo/rootfs'
> show?

Indeed, there was a problem with the permissions. The lxc.id_map entries - like the rest of the entire setup - are the ones presented in the tutorial at [1].

I followed the model in lxc-download to change the permissions of the files in .local/share/lxc/foo/, however I missed something. While the config and fstab files must be assigned to 65536:65536 in the userns - corresponding to the unprivileged user in the host - the rootfs must be assigned to root:root in the userns - corresponding to uid 100000 in the host. Which makes sense, and I got it now.

I will send a patch for lxc-busybox to enable use for unprivileged containers.

[1] https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

Thank you!
Bogdan P.
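The ownership mismatch discussed in this thread comes down to one question: which host uid/gid does container root map to under the container's lxc.id_map entries, and is the rootfs owned by exactly that pair? The following shell script is an added example, not code from the thread or from LXC itself. It parses lxc.id_map lines of the form used in the cited tutorial (`lxc.id_map = u 0 100000 65536`), translates a container uid or gid to its host counterpart, and compares that with the owner reported by `stat`. The config file and rootfs path in the demo are constructed placeholders; `stat -c` is assumed to be GNU or busybox stat.

```shell
#!/bin/sh
# Added example (not from the thread): translate container ids to host ids
# from lxc.id_map entries and verify that a rootfs is owned by mapped root.

# map_id KIND CONTAINER_ID CONFIG_FILE
# KIND is "u" for uids or "g" for gids. Prints the host id that CONTAINER_ID
# maps to, or "unmapped" if no lxc.id_map range covers it.
map_id() {
    kind=$1; cid=$2; cfg=$3
    # Config lines look like:  lxc.id_map = u 0 100000 65536
    #   $3 = kind, $4 = first container id, $5 = first host id, $6 = range size
    awk -v kind="$kind" -v cid="$cid" '
        $1 == "lxc.id_map" && $3 == kind {
            start = $4 + 0; hstart = $5 + 0; n = $6 + 0
            if (cid + 0 >= start && cid + 0 < start + n) {
                print hstart + (cid - start); found = 1; exit
            }
        }
        END { if (!found) print "unmapped" }
    ' "$cfg"
}

# check_rootfs_owner CONFIG_FILE ROOTFS_DIR
# Succeeds (exit 0) when ROOTFS_DIR is owned by the host uid:gid that
# container root (0:0) maps to; this is what "ls -l" on the rootfs should show.
check_rootfs_owner() {
    cfg=$1; dir=$2
    want_uid=$(map_id u 0 "$cfg")
    want_gid=$(map_id g 0 "$cfg")
    have=$(stat -c '%u:%g' "$dir")   # GNU/busybox stat: numeric owner and group
    [ "$have" = "$want_uid:$want_gid" ]
}

# Demo with a constructed config (the single-range mapping from the tutorial).
demo_cfg=$(mktemp)
demo_dir=$(mktemp -d)
printf 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' > "$demo_cfg"
echo "container uid 0    -> host uid $(map_id u 0 "$demo_cfg")"      # 100000
echo "container gid 1000 -> host gid $(map_id g 1000 "$demo_cfg")"   # 101000
echo "container uid 70000 -> $(map_id u 70000 "$demo_cfg")"          # unmapped
if check_rootfs_owner "$demo_cfg" "$demo_dir"; then
    echo "rootfs owner matches mapped root"
else
    echo "rootfs owner is $(stat -c '%u:%g' "$demo_dir"), expected $(map_id u 0 "$demo_cfg"):$(map_id g 0 "$demo_cfg")"
fi
rm -rf "$demo_cfg" "$demo_dir"
```

Run it against a real container with `check_rootfs_owner ~/.local/share/lxc/foo/config ~/.local/share/lxc/foo/rootfs`; a non-zero exit is the same symptom Serge's `ls -l` question was probing for, and the fix is to chown the rootfs tree to the printed host ids (for example with the helper lxc-download uses, or `chown -R`). Files that the unprivileged host user must edit directly, such as the config, are a separate case and stay owned by that user.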

