[lxc-users] Starting unprivileged containers at boot

Mike Bernson mike at mlb.org
Wed Aug 20 03:12:12 UTC 2014


I have users on the server who want to create containers that have services
running in them. The users need to have the services running at boot.

I want to keep users out of each other's containers.
If a container is broken out of, I would like to limit the damage to the user running the container.

The users do not have access to /var/lib/lxc. I want to keep
the users in their own area. I was hoping that the users
could create the containers under their home dir and use
the lxc-autostart of unprivileged containers to start them.

This all works when the user is logged in. I was just looking to
start the containers at boot.

If there is not an easy way to handle this, can you give me info
on what needs to happen with cgroups?
I can then write a small setuid C program to set up the cgroups and then run lxc-autostart.

I would also be willing to contribute this back to the lxc project if they find it useful.

On 08/19/2014 10:54 PM, Serge Hallyn wrote:
> Right, cronjobs don't get a set of cgroups like a login session does.
>
> Your use case here isn't quite clear to me though.  Is there a good
> reason not to simply use containers under /var/lib/lxc with lxc.id_maps?
> Root can start those just fine and they can be autostarted like normal
> privileged containers.
>
> Otherwise, you'll simply need something with privilege to create and
> chown cgroups for your user containers, and have the user scripts
> which call lxc-autostart move themselves into the cgroups they own
> first.
>
> Quoting Mike Bernson (mike at mlb.org):
>> That did not work.
>>
>> I added the following line into cron for testing:
>> @reboot              lxc-autostart -P /home/mike/.local/share/lxc -o /tmp/out
>>
>> /tmp/out:
>>    lxc-autostart 1408491952.652 ERROR    lxc_cgmanager - call to cgmanager_create_sync failed: invalid request
>>    lxc-autostart 1408491952.652 ERROR    lxc_cgmanager - Failed to create hugetlb:mike-ssh
>>    lxc-autostart 1408491952.652 ERROR    lxc_cgmanager - Error creating cgroup hugetlb:mike-ssh
>>    lxc-autostart 1408491952.653 ERROR    lxc_start - failed creating cgroups
>>    lxc-autostart 1408491952.654 ERROR    lxc_start - failed to spawn 'mike-ssh'
>>
>> On 08/19/2014 06:02 PM, Michael H. Warfield wrote:
>>> On Tue, 2014-08-19 at 16:43 -0400, Mike Bernson wrote:
>>>> I am running ubuntu 14.04 server.
>>>> I have a number of containers that are unprivileged containers for normal users
>>>> on the system. I am looking for an upstart script/config to start the containers on boot.
>>>> The containers do autostart correctly if the user logs into the account and does lxc-autostart.
>>>> It would be ok to list the users or directories where the containers exist in some /etc/defaults
>>>> config files so scripts do not have to search all users on the system.
>>> IMHO, your best option there would be to use a user crontab.
>>>
>>> crontab -e
>>>
>>> @reboot lxc-autostart -P {path to user directory} -g {bootgroups}
>>>
>>> Each user could then setup and control their own.  I would not set up
>>> something on a systemwide basis to scan the user directories.  Here
>>> there be dragons.
>>>
>>> Regards,
>>> Mike
>>>
>>>
>>> _______________________________________________
>>> lxc-users mailing list
>>> lxc-users at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-users


