[Lxc-users] Launching init in a container as non-root

Ryan Campbell ryan.campbell at gmail.com
Tue Oct 18 15:31:36 UTC 2011

On Tue, Oct 18, 2011 at 9:47 AM, Serge E. Hallyn
<serge.hallyn at canonical.com> wrote:
> Quoting Ryan Campbell (ryan.campbell at gmail.com):
>> fedora 13
>> lxc 0.7.2-1.fc13
>> I've used lxc-setcap to allow non-root to run lxc-start. This seems to
>> work OK, until LXC attempts to launch init.  Init fails with "init:
>> Need to be root".
>> I would expect init to be launched using the 0 UID of the container.
>> However, from what I've read, UID namespaces are not complete yet.
>> Is this correct? Should one expect that once UID namespaces are
>> implemented within lxc, that one should be able to launch processes as
>> "root" within the container, but have them run as non-root from the
>> perspective of the host?
> Yes.
>> Is there anywhere I can read more about this?
> http://wiki.ubuntu.com/UserNamespace

Very informative, thanks.

> I've got a few patches to send yet for tightening down some remaining
> privilege leaks, then we should be ready to start relaxing things to make
> them usable.  This includes Eric's simple implementation of assigning a
> superblock to a user namespace.  My current tree is at
> http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns
> (Please feel free to join in!)
> thanks,
> -serge

More information about the lxc-users mailing list