[lxc-users] Creating a container as non root

Michael H. Warfield mhw at WittsEnd.com
Thu Jan 9 15:39:48 UTC 2014 

On Thu, 2014-01-09 at 08:08 +0200, Kevin Wilson wrote: 
> Hello,
> I believe that creating a container as non root user should be straight-forward.

Sigh...  I'm afraid not...

Funny, Serge and I just had a couple of comments in exchange about this
very thing with regards to templates.  He's been working on getting
containers to run under unprivileged users and I know the Fedora and
CentOS templates will not even run under a non-user (they check).  His
remark was that most templates will not and can not, including the
Ubuntu template.  Problem with the Ubuntu template (and, presumably the
Debian template) is the use of debboot which, in turn, uses mknod to
create devices for the container - and you're then toast.

The problem there is that there are going to be privileged operations
(chown, mknod, etc) that are simply going to require privileges in the
host which are not available to the non-priv user.

I'm not so sure about the busybox template but I wouldn't be optimistic.
It does look like it checks to see if it's in a user namespace and uses
mknod if not and does something else if it is.  So, it looks like it
SHOULD work.  But you have to have user namespaces set up to work.

Once a container is created, it should be possible to run it under a
non-priv user if you have a recent enough kernel along with the latest
lxc tools.  But it seems likely we could ever navigate the morass of
creating a template using lxc-create as a non-priv user.

> I added a user named "test" and I am trying to create a container (see
> below the sequence). I am running latest lxc git
> (built from source, as root)  on Fedora 20.

> useradd test
> su test
> 
> lxc-create -t busybox -n busyboxTest
> I get:
> 
> You lack access to /home/test/.local/share/lxc/
> I ran;
> mkdir -p /home/test/.local/share/lxc/
> 
> Then again:
> lxc-create -t busybox -n busyboxTest
> lxc-create: Permission denied - failed to create directory '/run/user/0/lock/'
> 
> failed to create lock
> System error loading container
> 
> What should I do ?
> 
> Regards,
> Kevin

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 465 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140109/c2a55811/attachment.pgp>

More information about the lxc-users mailing list