[lxc-devel] [linuxcontainers.org/master] revises getting-started.md;

Mon Jun 8 21:46:35 UTC 2020

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 333 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200608/c74be4a5/attachment.bin>
-------------- next part --------------
From 0dd6b8aac1ef59b41962286a9c4c5714f9d24dee Mon Sep 17 00:00:00 2001
From: eunosm3 <m3.lawson.ml at gmail.com>
Date: Mon, 8 Jun 2020 17:42:58 -0400
Subject: [PATCH] revises getting-started.md; closes Issue #409

---
 content/lxc/getting-started.md | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/content/lxc/getting-started.md b/content/lxc/getting-started.md
index 0cbc29a..78fa1b3 100644
--- a/content/lxc/getting-started.md
+++ b/content/lxc/getting-started.md
@@ -11,7 +11,7 @@ Extra dependencies for lxc-attach:
 
 Extra dependencies for unprivileged containers:
 
- * libpam-cgfs, cgmanager or another CGroup manager configuring your system for unprivileged CGroups operation
+ * libpam-cgfs configuring your system for unprivileged CGroups operation
  * A recent version of shadow including newuidmap and newgidmap
  * Linux kernel >= 3.12
 
@@ -71,8 +71,9 @@ Because of that, most distribution templates simply won't work with those.
 Instead you should use the "download" template which will provide you with pre-built images
 of the distributions that are known to work in such an environment.
 
-Now, everything below assumes a recent Ubuntu system or another Linux distribution which offers
-a similar experience (recent kernel, recent version of shadow, cgmanager and default uid/gid allocation).
+The following instructions assume the use of a recent Ubuntu system or an alternate Linux 
+distribution offering a similar experience, i.e., a recent kernel and a recent version of 
+shadow, as well as libpam-cgfs and default uid/gid allocation.
 
 First of all, you need to make sure your user has a uid and gid map defined in /etc/subuid and /etc/subgid.
 On Ubuntu systems, a default allocation of 65536 uids and gids is given to every new user on the system,
@@ -97,10 +98,15 @@ With that done, the last step is to create an LXC configuration file.
 Those values should match those found in /etc/subuid and /etc/subgid, the values above are those expected
 for the first user on a standard Ubuntu system.
 
-Just before you create your first container, you probably should logout and login again,
-or even reboot your machine to make sure that your user is placed in the right cgroups.
-(This is only required if cgmanager wasn't installed on your machine prior to you installing LXC.)
+Running unprivileged containers as an unprivileged user only works if you delegate a cgroup in 
+advance (the cgroup2 delegation model enforces this restriction, not liblxc). Use the following 
+systemd command to delegate the cgroup:
 
+    systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start <container-name>
+
+NOTE: If libpam-cgfs was not installed on the host machine prior to installing LXC, you need to 
+ensure your user belongs to the right cgroups before creating your first container. You can accomplish 
+this by logging out and logging back in, or by rebooting the host machine.
 
 And now, create your first container with:
 
