[lxc-users] Setting user environment for unprivileged containers

Christoph Willing chris.willing at iinet.net.au
Thu Jul 3 13:21:24 UTC 2014



On 07/02/2014 08:08 PM, Christoph Willing wrote:
> I'm trying to make unprivileged containers work nicely on Slackware -
> with some success. After some updates (kernel config, latest shadow,
> latest lxc, install cgmanager) I worked through steps at
> https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/.
> I've made a Slackware template with which I can create a working normal
> privileged container. I then use Serge Hallyn's uidmapshift on it and
> copy the resulting unprivileged container into $USER/.local/share/lxc/
> from where it can be run by the user. It all works fine.
>
> The only wrinkle is that before being able to run lxc-start for the
> first time on an unprivileged container, the user must first run the
> commands:
>      sudo cgm create all $USER
>      sudo cgm chown all $USER $(id -u) $(id -g)
>      sudo cgm movepid all $USER $$
> I'd like to avoid that if possible.
>
> Interestingly,
> - those commands only need to be run once in a given terminal session
> (run lxc-start any number of times after that)
> - those commands need to be run in any new terminal in which lxc-start
> is to be run on an unprivileged container i.e. running them in one
> terminal doesn't bless any new terminal sessions
> - the commands don't work when executed from a script
> - the commands don't work if executed by root on the user's behalf
>
> Ideally this would be set up either at boot time for "approved" users or
> whenever the approved users log in to the machine. I have tried
> chmod'ing cgm to setuid root (not sure that would be a good long term
> solution anyway) and it succeeded with first and last of those commands
> but not the second (cgm chown ..).
>
> Could someone explain how this is managed in other distros where running
> unprivileged already works please? I have an uneasy feeling that it's via
> PAM (the last of the prerequisites mentioned on Stephane's page) but PAM
> is not used in Slackware and most unlikely to be introduced.
>
> BTW, the situation is exactly the same when using the download template
> to run the available premade containers i.e. I don't believe it's a
> problem with the template I made myself. Anyway, this is surely
> something to be arranged in the host, not in the container itself.
>
> Any description of how the user environment is set up and/or tips about
> this would be greatly appreciated.

After some fiddling I discovered that, although running the cgm commands 
from a script did not set up the user environment correctly, it did work 
if I sourced the script rather than executed it.

Using that fact, my solution is to have an entry in /etc/profile.d which 
is run whenever a user logs in. That entry checks whether the user is in 
the "lxcusers" group (a group for users permitted to run unprivileged 
containers). If so, then the script containing the cgm commands is 
sourced. Although that script does a series of "sudo cgm .." commands, 
I've made the script itself the object of a command alias in 
/etc/sudoers so that it can be run (sourced) without password by members 
of the lxcusers group.

Now the authorised user can run lxc-start on unprivileged containers 
without further tricks - just logging in sets them up.

chris
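
A sketch of the kind of /etc/profile.d entry described in the message above, added here as an example and not the poster's own script. The file name, the function names (`cgm_priv`, `has_group`, `lxc_cgm_setup`) and the passwordless sudoers rule for `cgm` are assumptions; the group name and the three cgm commands come from the post.

```shell
# /etc/profile.d/lxc-cgm.sh (hypothetical name); must be sourced, not executed.
LXC_GROUP="${LXC_GROUP:-lxcusers}"   # group name taken from the post

# Privileged cgm call. Assumes sudoers grants this without a password;
# -n makes sudo fail instead of prompting in the middle of a login.
cgm_priv() { sudo -n cgm "$@"; }

# has_group "<space-separated group list>" <group>
# Exact-name match, so "notlxcusers" does not count as "lxcusers".
has_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# lxc_cgm_setup <user> <pid>
# The three commands from the post, stopping at the first failure.
lxc_cgm_setup() {
    cgm_priv create all "$1" &&
    cgm_priv chown all "$1" "$(id -u)" "$(id -g)" &&
    cgm_priv movepid all "$1" "$2"
}

# In a sourced file $$ is the login shell's own PID, so the shell that later
# runs lxc-start is the process moved into the cgroup. In an executed script
# $$ would be the script's own process, which exits when the script ends.
if has_group "$(id -nG 2>/dev/null)" "$LXC_GROUP"; then
    lxc_cgm_setup "${USER:-$(id -un)}" "$$" ||
        echo "lxc-cgm: cgroup setup failed for this shell" >&2
fi
```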

