[Lxc-users] Launching init in a container as non-root
Ryan Campbell
ryan.campbell at gmail.com
Tue Oct 18 15:31:36 UTC 2011
On Tue, Oct 18, 2011 at 9:47 AM, Serge E. Hallyn
<serge.hallyn at canonical.com> wrote:
> Quoting Ryan Campbell (ryan.campbell at gmail.com):
>> fedora 13
>> lxc 0.7.2-1.fc13
>>
>>
>> I've used lxc-setcap to allow non-root to run lxc-start. This seems to
>> work OK, until LXC attempts to launch init. Init fails with "init:
>> Need to be root".
>>
>> I would expect init to be launched using the 0 UID of the container.
>> However, from what I've read, UID namespaces are not complete yet.
>>
>> Is this correct? Should one expect that once UID namespaces are
>> implemented within lxc, that one should be able to launch processes as
>> "root" within the container, but have them run as non-root from the
>> perspective of the host?
>
> Yes.
>
>> Is there anywhere I can read more about this?
>
> http://wiki.ubuntu.com/UserNamespace
Very informative, thanks.
>
> I've got a few patches to send yet for tightening down some remaining
> privilege leaks, then we should be ready to start relaxing things to make
> them usable. This includes Eric's simple implementation of assigning a
> superblock to a user namespace. My current tree is at
> http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns
>
> (Please feel free to join in!)
>
> thanks,
> -serge
>
More information about the lxc-users
mailing list