[lxc-users] Creating a container as non root
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Jan 9 16:09:36 UTC 2014
Quoting Michael H. Warfield (mhw at WittsEnd.com):
> On Thu, 2014-01-09 at 08:08 +0200, Kevin Wilson wrote:
> > Hello,
> > I believe that creating a container as non root user should be straight-forward.
>
> Sigh... I'm afraid not...
>
> Funny, Serge and I just had a couple of comments in exchange about this
> very thing with regards to templates. He's been working on getting
> containers to run under unprivileged users and I know the Fedora and
> CentOS templates will not even run under a non-user (they check). His
> remark was that most templates will not and can not, including the
> Ubuntu template. Problem with the Ubuntu template (and, presumably the
> Debian template) is the use of debboot which, in turn, uses mknod to
> create devices for the container - and you're then toast.
>
> The problem there is that there are going to be privileged operations
> (chown, mknod, etc) that are simply going to require privileges in the
> host which are not available to the non-priv user.
Note though that anything that just untars an image will work fine.
This is why ubuntu-cloud works, and cirros should too (I just need
to test it and then presumably do some tweaks).
Main thing is that any image bootstrap mechanism which exits in failure
when it can't create devices is not gonna fly, unless we do some
ld_preload hackery.
-serge
More information about the lxc-users
mailing list