[lxc-devel] [RFC] Unprivileged aufs container
KATOH Yasufumi
karma at jazz.email.ne.jp
Sat Apr 25 02:18:35 UTC 2015
>>> On Fri, 24 Apr 2015 15:51:30 +0000
in message "Re: [lxc-devel] [RFC] Unprivileged aufs container"
Serge Hallyn-san wrote:
> Quoting KATOH Yasufumi (karma at jazz.email.ne.jp):
> > Hi,
> >
> > Current aufs supports FS_USERNS_MOUNT by using the module parameter
> > 'allow_userns'. So we can start an unprivileged container using
> > aufs. (But the ubuntu kernel does not support it?)
> > https://github.com/sfjro/aufs3-linux/commit/548fa48dbf52ad80e55deb8ca945c4f7814dbf94
> >
> > How about supporting unprivileged aufs containers?
> >
> > I tried creating the patch. (but I have not done enough testing.)
> >
> > This moves the place of the xino file to /dev/shm, because get_rundir
> > always returns '/run' when mounting aufs, so an unpriv container can't
> > write there. This idea is from
> > docker (https://github.com/docker/docker/pull/826).
> What if root starts a container, creates root-owned /dev/shm/lxc,
> and then unpriv user tries to start a container?
Oops! It's my mistake. I will re-send the patch. (and do more test)
Thanks!
(snip)
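The problem Serge points out, a fixed shared path such as /dev/shm/lxc that root creates first and an unprivileged user then cannot write to, is one instance of a general rule: a per-user scratch directory must be named per user and its ownership verified before use. The shell function below is an added illustration of that rule; it is not code from the thread or from the LXC patch. The directory naming (`lxc-<uid>`), the base directory argument and the use of GNU `stat -c` are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: choose a per-uid directory for scratch files
# (such as aufs xino files) instead of one shared path, and refuse a
# directory that is a symlink or is owned by someone else.

# safe_user_dir BASE UID
#   prints "$BASE/lxc-$UID" on success and returns 0,
#   prints a reason to stderr and returns 1 otherwise.
safe_user_dir() {
    base="$1"
    uid="$2"
    dir="$base/lxc-$uid"   # per-uid name (assumed naming scheme)

    # A pre-planted symlink could redirect the files elsewhere.
    if [ -L "$dir" ]; then
        echo "refusing symlink at $dir" >&2
        return 1
    fi

    # Create with a restrictive mode; -p tolerates an existing directory
    # but does not change the mode or owner of one that already exists.
    mkdir -p -m 0700 "$dir" || return 1

    # Verify that what is there is a directory owned by the expected uid
    # (GNU stat assumed); a root-owned leftover fails here instead of
    # failing later with an unexplained EACCES.
    if [ ! -d "$dir" ]; then
        echo "$dir is not a directory" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$dir") || return 1
    if [ "$owner" != "$uid" ]; then
        echo "$dir is owned by uid $owner, not $uid" >&2
        return 1
    fi

    printf '%s\n' "$dir"
}
```

With this shape, root and an unprivileged user each get their own directory under the same base, and a directory that was created by another user, or replaced by a link, is rejected before anything is written into it.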