[Lxc-users] Launching init in a container as non-root

Serge E. Hallyn serge.hallyn at canonical.com
Tue Oct 18 14:47:09 UTC 2011


Quoting Ryan Campbell (ryan.campbell at gmail.com):
> fedora 13
> lxc 0.7.2-1.fc13
> 
> 
> I've used lxc-setcap to allow non-root to run lxc-start. This seems to
> work OK, until LXC attempts to launch init.  Init fails with "init:
> Need to be root".
> 
> I would expect init to be launched using the 0 UID of the container.
> However, from what I've read, UID namespaces are not complete yet.
> 
> Is this correct? Should one expect that once UID namespaces are
> implemented within lxc, that one should be able to launch processes as
> "root" within the container, but have them run as non-root from the
> perspective of the host?

Yes.

> Is there anywhere I can read more about this?

http://wiki.ubuntu.com/UserNamespace

I've got a few patches to send yet for tightening down some remaining
privilege leaks, then we should be ready to start relaxing things to make
them usable.  This includes Eric's simple implementation of assigning a
superblock to a user namespace.  My current tree is at
http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns

(Please feel free to join in!)

thanks,
-serge
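
Added example (not part of the original message, and not LXC or kernel code): what "root in the container, non-root on the host" looks like once user namespaces are in place. It assumes the `/proc/<pid>/uid_map` format of later kernels, which this thread does not mention, and runs on constructed sample maps to translate container UIDs to host UIDs and flag a container whose UID 0 is still host root.

```python
from typing import List, NamedTuple, Optional


class Extent(NamedTuple):
    inside: int   # first ID as seen inside the user namespace
    outside: int  # first ID as seen from the parent (host) namespace
    count: int    # number of consecutive IDs covered


def parse_id_map(text: str) -> List[Extent]:
    """Parse uid_map/gid_map content: 'inside outside count' per line."""
    extents = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields")
        inside, outside, count = (int(f) for f in fields)
        if inside < 0 or outside < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid extent")
        extents.append(Extent(inside, outside, count))
    return extents


def to_host_id(extents: List[Extent], inside_id: int) -> Optional[int]:
    """Translate an ID inside the namespace to the host ID, None if unmapped."""
    for e in extents:
        if e.inside <= inside_id < e.inside + e.count:
            return e.outside + (inside_id - e.inside)
    return None


def root_is_host_root(extents: List[Extent]) -> bool:
    """True when container UID 0 is UID 0 on the host (no privilege separation)."""
    return to_host_id(extents, 0) == 0


# Constructed samples: the identity map of the initial namespace, and a
# hypothetical unprivileged container mapped onto host UIDs 100000-165535.
INITIAL_NS_MAP = "         0          0 4294967295\n"
UNPRIVILEGED_MAP = "0 100000 65536\n"

if __name__ == "__main__":
    for name, raw in (("initial", INITIAL_NS_MAP), ("container", UNPRIVILEGED_MAP)):
        m = parse_id_map(raw)
        print(name, "uid 0 ->", to_host_id(m, 0), "host root:", root_is_host_root(m))
```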



