[Lxc-users] Start a container /sbin/init as user
Serge Hallyn
serge.hallyn at canonical.com
Mon Aug 6 15:35:11 UTC 2012
Quoting Antoine Catton (acatton at tiolive.com):
> Hi everybody,
>
>
> I'm trying to start a container as user. After some patches, I managed
> to have something working.
>
> lxc-start exec /sbin/init inside the container as expected. (My
> container is a debian one, but it doesn't matter I think), since
> sysvinit check if the current uid is root, it doesn't work. I get :
> > $ lxc-start […]
> > init: must be superuser.
>
> If I run :
> > lxc-start […] /usr/bin/whoami
> I get :
> > /usr/bin/whoami: cannot find name for user ID [my user id]
>
> A successful workaround is to put a suid on /sbin/init inside the
> container. But I would like to avoid it. Because, besides being dirty,
> it allows anyone inside the container to run /sbin/init as root.
>
> I read lxc code, I didn't find any place where lxc-start used setuid(),
> or changed uid before exec'ing. (Maybe I just didn't see it.)
>
> This makes me wondering two things…
> – Is it possible to start/stop a container as user ? How'd you do it ?
> – Do you use the kernel's user namespace ? How do you change user uid
> before starting a container ?
The kernel's user namespace support is'nt quite sufficient yet (I will
be checking later this week with a new version), but the patch I have
for lxc will, if lxc.uidmap is specified in the config file, cause your
container's /sbin/init to start as uid 0 in the container (mapped to
uid whatever on the host).
Hopefully a proof of concept will be working in the next few weeks, or
at least before winter.
More information about the lxc-users
mailing list