[lxc-users] Starting unprivileged containers at boot
Mike Bernson
mike at mlb.org
Mon Aug 25 02:13:15 UTC 2014
That was very close.
/I am putting it here so that search might find it/
Thanks for the help; it was just what I needed.
Here is what I got to work:
/usr/local/bin/startunprivlxc:

#!/bin/sh
# $1 = cgroup name, $2 = user, $3 = container name
# Move this shell into the user's cgroup (all controllers) so that the
# lxc-start launched below is already inside it.
cgm movepid all $1 $$
# -i/-H: login shell with HOME set, so lxc-start finds the user's
# ~/.config/lxc and ~/.local/share/lxc.
sudo -iH -u $2 -- lxc-start -n $3 -d
/etc/init/lxc-user.conf:

description "start unpriv containers"

start on started lxc

script
    USERS="user1 user2 user3"
    for u in $USERS; do
        # One cgroup per user, owned by that user, so the unprivileged
        # containers can manage their own sub-cgroups.
        cgm create all lxc$u
        cgm chown all lxc$u $(id -u $u) $(id -g $u)
        # lxc-autostart -L prints "<container> <delay>" for each
        # autostart container in the user's lxcpath.
        lxc-autostart -L -P /home/$u/.local/share/lxc | while read line; do
            set -- $line
            /usr/local/bin/startunprivlxc lxc$u $u $1
            sleep $2
        done
    done
end script
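One point worth noting about the upstart job above: it runs as root and feeds the output of lxc-autostart -L, which is derived from directories and configs the unprivileged user controls, straight into `set -- $line` and then into sudo/lxc-start. The following is an added example (not code from this thread or from LXC) showing how the root-side job can validate each "name delay" line before acting on it. It assumes the thread's /usr/local/bin/startunprivlxc helper and the "<container> <delay>" output format that the thread's script already relies on; the SAMPLE_LIST data and the DRY_RUN switch are constructed for demonstration so the script runs without LXC or cgmanager installed.

```shell
#!/bin/sh
# Added example: validate "name delay" lines from `lxc-autostart -L` before a
# root-run job hands them to sudo/lxc-start. Not part of the original thread.

# Constructed sample of `lxc-autostart -L -P /home/user1/.local/share/lxc` output,
# including three malformed entries a root-side script should refuse.
SAMPLE_LIST='web 10
db 0
../etc 5
bad;name 3
app notanumber'

# Return 0 if the container name is a plain identifier: no leading dot (so no
# "." or ".." path tricks), no path separators, no shell metacharacters.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
    esac
    return 0
}

# Return 0 if the delay is a non-negative integer, so `sleep "$delay"` is safe.
valid_delay() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Read "name delay" lines from stdin; print only validated pairs, one per line.
# Word splitting is confined to `read` with a fixed IFS, and globbing is turned
# off (set -f), so a line such as "* 0" cannot expand against the working dir.
filter_autostart_list() {
    set -f
    while IFS=' ' read -r name delay _rest; do
        if valid_name "$name" && valid_delay "$delay"; then
            printf '%s %s\n' "$name" "$delay"
        else
            printf 'skipping malformed autostart entry: %s\n' "$name $delay" >&2
        fi
    done
    set +f
}

# Start one user's validated containers from the list on stdin. With DRY_RUN=1
# (a constructed switch) the commands are printed instead of executed; otherwise
# the thread's /usr/local/bin/startunprivlxc helper is assumed to exist.
start_user_containers() {
    u="$1"
    filter_autostart_list | while read -r name delay; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would run: /usr/local/bin/startunprivlxc lxc%s %s %s (then sleep %s)\n' \
                "$u" "$u" "$name" "$delay"
        else
            /usr/local/bin/startunprivlxc "lxc$u" "$u" "$name"
            sleep "$delay"
        fi
    done
}

# Demonstration on the constructed sample; only "web" and "db" get through.
DRY_RUN=1
printf '%s\n' "$SAMPLE_LIST" | start_user_containers user1
```

In the real job the `printf '%s\n' "$SAMPLE_LIST"` line would be replaced by `lxc-autostart -L -P /home/$u/.local/share/lxc`, and `"$u"` should come from the fixed USERS list, never from anything under the user's home directory.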
On 08/22/2014 01:24 AM, Serge Hallyn wrote:
> Quoting Mike Bernson (mike at mlb.org):
>> I have users on the server who want to create containers that have services
>> running in them. The users need to have the services running at boot.
>>
>> I want to keep users out of each other's containers.
>> If a container is broken out of, I would like to limit the damage to the user running the container.
>>
>> The users do not have access to /var/lib/lxc. I want to keep
>> the users in their own area. I was hoping that the user
>> could create the containers under their home dir and use
>> the lxc-autostart of unprivileged containers to start them.
>>
>> This all works when the user is logged in. I was just looking to
>> start the containers at boot.
>>
>> If there is not an easy way to handle this, can you give me info
>> on what needs to happen with cgroups?
>> I can then write a small setuid C program to set up the cgroups and then run lxc-autostart.
>>
>> I would also be willing to contribute this back to the lxc project if they find it useful.
> Ok, so (this is all untested, so you may have to tweak) create a script
> /usr/bin/startunprivlxc which does
>
> #!/bin/sh
> cgm movepid all $1
> sudo -u $2 -- lxc-start -P $2 -n $3 -d
>
> then create yourself a new upstart job which does
>
> description "start unpriv containers"
>
> start on started lxc
>
> script
> USERS="user1 user2 user3"
>
> for u in $USERS; do
> cgm create all lxc$u
> cgm chown all lxc$u $(id -u $u) $(id -g $u)
> lxc-autostart -L -P /home/$u/.local/share/lxc | while read line; do
> set -- $line
> /usr/bin/startunprivlxc lxc$u $u $1
> sleep $2
> done
> done
> end script
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users