[Lxc-users] Launching init in a container as non-root
ryan.campbell at gmail.com
Tue Oct 18 15:31:36 UTC 2011
On Tue, Oct 18, 2011 at 9:47 AM, Serge E. Hallyn
<serge.hallyn at canonical.com> wrote:
> Quoting Ryan Campbell (ryan.campbell at gmail.com):
>> fedora 13
>> lxc 0.7.2-1.fc13
>> I've used lxc-setcap to allow non-root to run lxc-start. This seems to
>> work OK, until LXC attempts to launch init. Init fails with "init:
>> Need to be root".
>> I would expect init to be launched using the 0 UID of the container.
>> However, from what I've read, UID namespaces are not complete yet.
>> Is this correct? Should one expect that once UID namespaces are
>> implemented within lxc, that one should be able to launch processes as
>> "root" within the container, but have them run as non-root from the
>> perspective of the host?
>> Is there anywhere I can read more about this?
Very informative, thanks.
> I've got a few patches to send yet for tightening down some remaining
> privilege leaks, then we should be ready to start relaxing things to make
> them usable. This includes Eric's simple implementation of assigning a
> superblock to a user namespace. My current tree is at
> (Please feel free to join in!)