[lxc-users] Starting unprivileged containers at boot

Serge Hallyn serge.hallyn at ubuntu.com
Fri Aug 22 05:24:58 UTC 2014


Quoting Mike Bernson (mike at mlb.org):
> I have users on the server who want to create containers that have services
> running in them. The users need to have the services running at boot.
> 
> I want to keep users out of each other's containers.
> If a container is broken out of, I would like to limit the damage to the user running the container.
> 
> The users do not have access to /var/lib/lxc. I want to keep
> the users in their own area. I was hoping that the users
> could create the containers under their home dir and use
> the lxc-autostart of unprivileged containers to start them.
> 
> This all works when the user is logged in. I was just looking to
> start the containers at boot.
> 
> If there is not an easy way to handle this, can you give me info
> on what needs to happen with cgroups?
> I can then write a small setuid C program to set up the cgroups and then run lxc-autostart.
> 
> I would also be willing to contribute this back to the lxc project if they find it useful.

Ok, so (this is all untested, so you may have to tweak) create a script
/usr/bin/startunprivlxc which does

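#!/bin/sh
# $1 = cgroup, $2 = user, $3 = container name
# Move this script's own pid into the cgroup; the sudo child inherits it.
cgm movepid all "$1" $$
sudo -u "$2" -- lxc-start -P "/home/$2/.local/share/lxc" -n "$3" -d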

then create yourself a new upstart job which does

description "start unpriv containers"

start on started lxc

script
	USERS="user1 user2 user3"

	for u in $USERS; do
		cgm create all lxc$u
		cgm chown all lxc$u $(id -u $u) $(id -g $u)
		lxc-autostart -L -P /home/$u/.local/share/lxc | while read line; do
			set -- $line
			/usr/bin/startunprivlxc lxc$u $u $1
			sleep $2
		done
	done
end script
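
An added example, not part of the original post: the loop above feeds `lxc-autostart -L` output, which is derived from directories each user controls, into an unquoted `set -- $line` inside a job that is assumed to run as root. The sketch below validates each "name delay" line before anything acts on it. The function names `valid_name`, `valid_delay` and `plan_starts` are hypothetical, and the allowed character set is a conservative assumption, not an LXC rule.

```shell
#!/bin/sh
# Dry-run validator for "name delay" lines, as printed by
# `lxc-autostart -L -P /home/$u/.local/share/lxc` in the job above.
# It prints the arguments the job would use and executes nothing.

# Accept only names made of [A-Za-z0-9._-] that do not start with '-' or '.'.
# This rejects globs, whitespace, path separators and option-like names.
valid_name() {
    case "$1" in
        ''|-*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Accept only a short run of decimal digits as the start delay.
valid_delay() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 4 ]
}

# plan_starts USER: read "name delay" lines on stdin and print
# "cgroup user container delay" for every entry that passes validation.
plan_starts() {
    user=$1
    valid_name "$user" || return 1
    # read -r splits on whitespace without glob expansion, unlike `set -- $line`.
    while read -r name delay extra; do
        if [ -n "$extra" ] || ! valid_name "$name" || ! valid_delay "$delay"; then
            echo "skipping rejected entry for $user" >&2
            continue
        fi
        echo "lxc$user $user $name $delay"
    done
}

# Constructed sample input standing in for real lxc-autostart -L output.
plan_starts user1 <<'EOF'
web 5
* 0
-rf 0
db 0 junk
api 0
EOF
```

Each printed line maps to `/usr/bin/startunprivlxc <cgroup> <user> <container>` followed by `sleep <delay>` in the job.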

