[lxc-users] Setting user environment for unprivileged containers
Christoph Willing
chris.willing at iinet.net.au
Wed Jul 2 10:08:42 UTC 2014
I'm trying to make unprivileged containers work nicely on Slackware -
with some success. After some updates (kernel config, latest shadow,
latest lxc, install cgmanager) I worked through steps at
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/.
I've made a Slackware template with which I can create a working normal
privileged container. I then use Serge Hallyn's uidmapshift on it and
copy the resulting unprivileged container into $USER/.local/share/lxc/
from where it can be run by the user. It all works fine.
The only wrinkle is that before being able to run lxc-start for the
first time on an unprivileged container, the user must first run the
commands:
sudo cgm create all $USER
sudo cgm chown all $USER $(id -u) $(id -g)
sudo cgm movepid all $USER $$
I'd like to avoid that if possible.
Interestingly,
- those commands only need to be run once in a given terminal session
(run lxc-start any number of times after that)
- those commands need to be run in any new terminal in which lxc-start
is to be run on an unprivileged container i.e. running them in one
terminal doesn't bless any new terminal sessions
- the commands don't work when executed from a script
- the commands don't work if executed by root on the user's behalf
Ideally this would be set up either at boot time for "approved" users or
whenever the approved users log in to the machine. I have tried
chmod'ing cgm to setuid root (not sure that would be a good long term
solution anyway) and it succeeded with first and last of those commands
but not the second (cgm chown ..).
Could someone explain how this is managed in other distros where running
unprivileged already works please? I have an uneasy feeling that it's via
PAM (the last of the prerequisites mentioned on Stephane's page) but PAM
is not used in Slackware and most unlikely to be introduced.
BTW, the situation is exactly the same when using the download template
to run the available premade containers i.e. I don't believe it's a
problem with the template I made myself. Anyway, this is surely
something to be arranged in the host, not in the container itself.
Any description of how the user environment is set up and/or tips about
this would be greatly appreciated.
chris
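The three cgm commands in the post (create, chown, movepid) are just a front end to the cgroup v1 filesystem, so a host without cgmanager or PAM can do the same work itself. The script below is an added example, not from the post and not part of lxc or cgmanager: it assumes a v1 hierarchy mounted with one directory per controller (as under /sys/fs/cgroup on most hosts; CGROUP_ROOT is overridable), and the user_cgroup_* function names are mine. It also shows why the "from a script" and "by root" variants in the post cannot work as written: a process's cgroup membership is copied at fork and never changed on exit, so "movepid ... $$" run from a child script moves only that script's own shell. The interactive shell has to be moved itself, either by sourcing the script or by having the script move its parent ($PPID).

```sh
#!/bin/sh
# Added example (not lxc/cgmanager code): emulate
#   cgm create all NAME; cgm chown all NAME UID GID; cgm movepid all NAME PID
# directly on a cgroup v1 tree, for hosts without cgmanager or PAM.
# Assumption: CGROUP_ROOT holds one directory per mounted controller.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# cgm create + cgm chown: make CGROUP_ROOT/<controller>/NAME under every
# controller and hand the directory (plus the attach files) to UID:GID.
# Only the directory, cgroup.procs and tasks are chowned, so the user can
# create and tune sub-cgroups but cannot rewrite limits root set on NAME.
# Run as root, once per approved user (e.g. from rc.local at boot).
user_cgroup_create() {
  name="$1"; uid="$2"; gid="$3"
  for ctl in "$CGROUP_ROOT"/*/; do
    ctl="${ctl%/}"
    [ -d "$ctl" ] || continue
    dir="$ctl/$name"
    mkdir -p "$dir" || return 1
    # A fresh v1 cpuset has empty cpuset.cpus/cpuset.mems and refuses to
    # accept tasks until they are populated; copy the parent's values.
    for f in cpuset.cpus cpuset.mems; do
      if [ -f "$dir/$f" ] && [ ! -s "$dir/$f" ] && [ -f "$ctl/$f" ]; then
        cat "$ctl/$f" > "$dir/$f" || return 1
      fi
    done
    for f in "$dir" "$dir/cgroup.procs" "$dir/tasks"; do
      if [ -e "$f" ]; then
        chown "$uid:$gid" "$f" || return 1
      fi
    done
  done
  return 0
}

# cgm movepid: attach PID to NAME in every controller. Because the
# cgroup.procs files were chowned above, the user can run this without
# sudo, but it must be the interactive shell's own pid ($$ in that shell,
# or $PPID from a child script), since children inherit the cgroup of
# the parent at fork time and exiting does not move anything back.
user_cgroup_movepid() {
  name="$1"; pid="$2"
  for ctl in "$CGROUP_ROOT"/*/; do
    ctl="${ctl%/}"
    [ -d "$ctl" ] || continue
    dir="$ctl/$name"
    [ -d "$dir" ] || return 1
    echo "$pid" > "$dir/cgroup.procs" || return 1
  done
  return 0
}

# Check before lxc-start: is PID listed in NAME under every controller?
# Returns 0 only if it is in all of them (lxc needs all, not just one).
user_cgroup_has_pid() {
  name="$1"; pid="$2"
  for ctl in "$CGROUP_ROOT"/*/; do
    ctl="${ctl%/}"
    [ -d "$ctl" ] || continue
    grep -qx "$pid" "$ctl/$name/cgroup.procs" 2>/dev/null || return 1
  done
  return 0
}
```

Intended use: at boot, root sources the file and runs `user_cgroup_create alice $(id -u alice) $(id -g alice)` for each approved user; then each of that user's login shells runs `user_cgroup_movepid alice $$` (for example from .profile, sourced rather than executed so $$ is the login shell) and `user_cgroup_has_pid alice $$` as a sanity check before lxc-start. Nothing here needs setuid binaries, and the user gains write access only inside their own cgroup subtree.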