[lxc-users] Setting user environment for unprivileged containers

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jul 3 13:46:09 UTC 2014


Quoting Christoph Willing (chris.willing at iinet.net.au):
> I'm trying to make unprivileged containers work nicely on Slackware
> - with some success. After some updates (kernel config, latest
> shadow, latest lxc, install cgmanager) I worked through steps at
> https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/.
> I've made a Slackware template with which I can create a working
> normal privileged container. I then use Serge Hallyn's uidmapshift
> on it and copy the resulting unprivileged container into
> $USER/.local/share/lxc/ from where it can be run by the user. It all
> works fine.
> 
> The only wrinkle is that before being able to run lxc-start for the
> first time on an unprivileged container, the user must first run the
> commands:
>     sudo cgm create all $USER
>     sudo cgm chown all $USER $(id -u) $(id -g)
>     sudo cgm movepid all $USER $$
> I'd like to avoid that if possible.
> 
> Interestingly,
> - those commands only need to be run once in a given terminal
> session (run lxc-start any number of times after that)
> - those commands need to be run in any new terminal in which
> lxc-start is to be run on an unprivileged container i.e. running
> them in one terminal doesn't bless any new terminal sessions
> - the commands don't work when executed from a script
> - the commands don't work if executed by root on the user's behalf
> 
> Ideally this would be set up either at boot time for "approved"
> users or whenever the approved users log in to the machine. I have
> tried chmod'ing cgm to setuid root (not sure that would be a good
> long term solution anyway) and it succeeded with first and last of
> those commands but not the second (cgm chown ..).
> 
> Could someone explain how this is managed in other distros where
> running unprivileged already works please? I have an uneasy feeling

Yup, it's done via pam_systemd.so

> that it's via PAM (the last of the prerequisites mentioned on
> Stephane's page) but PAM is not used in Slackware and most unlikely
> to be introduced.
> 
> BTW, the situation is exactly the same when using the download
> template to run the available premade containers i.e. I don't
> believe it's a problem with the template I made myself. Anyway, this
> is surely something to be arranged in the host, not in the container
> itself.
> 
> Any description of how the user environment is set up and/or tips
> about this would be greatly appreciated.

So what is the standard way that Slackware does things like chowning
audio and cdrom devices to the user logging in on console?  I would
hook that with a script that creates, sets up, and chowns new cgroups
and moves the new user into it.

-serge
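Added example, not code from either poster: the three cgm calls Christoph quoted, wrapped in a shell function that is meant to be sourced into the interactive shell (or called from whatever console-login hook Slackware provides, as Serge suggests), plus a check that reads /proc/self/cgroup to confirm the delegation took effect. Sourcing rather than executing is the point of the wrapper: `cgm movepid` moves the process whose PID it is given, and inside a script `$$` is the script's own shell, which exits right after, so the terminal that later runs lxc-start never lands in the delegated cgroup. That is the likeliest reason the quoted commands "don't work when executed from a script". Assumptions: the `cgm create`/`chown`/`movepid` subcommands exactly as quoted, the cgroup v1 line format of /proc/self/cgroup (`hierarchy-id:controllers:path`, the hierarchies cgmanager manages), and the function names `lxc_cgroup_setup`, `lxc_cgroup_check` and the `CGM`/`CGM_CONTROLLERS` variables, which are this example's own.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread). Source this file, then call
# lxc_cgroup_setup from the shell that will run lxc-start:
#   . ./lxc-cgroup-setup.sh && lxc_cgroup_setup && lxc_cgroup_check
#
# $$ is evaluated when the function runs, so when sourced it is the PID of the
# interactive shell; every lxc-start started from that shell inherits the cgroup.

# Command used to reach cgmanager. "sudo cgm" mirrors the quoted commands (the
# client needs root for create/chown). It is a variable so a test can swap in a
# stub without touching cgmanager.
: "${CGM:=sudo cgm}"
# Controller set, as in the quoted commands.
: "${CGM_CONTROLLERS:=all}"

# lxc_cgroup_setup [user] [uid] [gid] [pid]
#   1. create a cgroup named <user> under each controller,
#   2. hand ownership of that cgroup (and only that cgroup) to uid:gid,
#   3. move <pid> (default: this shell) into it.
# Returns non-zero at the first failing step; later steps are not attempted.
lxc_cgroup_setup() {
    user=${1:-$USER}
    uid=${2:-$(id -u "$user")}
    gid=${3:-$(id -g "$user")}
    pid=${4:-$$}
    [ -n "$user" ] && [ -n "$uid" ] && [ -n "$gid" ] || return 1

    $CGM create "$CGM_CONTROLLERS" "$user" || return 1
    $CGM chown "$CGM_CONTROLLERS" "$user" "$uid" "$gid" || return 1
    $CGM movepid "$CGM_CONTROLLERS" "$user" "$pid" || return 1
}

# lxc_cgroup_check [user] [cgroup-file]
# Confirms that the calling process sits in a cgroup whose path ends in
# /<user> under every cgroup v1 controller listed in /proc/self/cgroup
# (format "hierarchy-id:controllers:path"). A cgroup v2 unified line
# ("0::/...") has an empty controller field and is skipped: cgmanager manages
# the v1 hierarchies. Names the undelegated controllers on stderr and returns
# 0 only when every controller is delegated.
lxc_cgroup_check() {
    user=${1:-$USER}
    file=${2:-/proc/self/cgroup}
    rc=0
    while IFS=: read -r hid ctrls path; do
        [ -n "$ctrls" ] || continue
        case "$path" in
            */"$user") ;;
            *) echo "not in a delegated cgroup: $ctrls -> $path" >&2; rc=1 ;;
        esac
    done < "$file"
    return $rc
}
```

Compared with making cgm setuid root, which would let any local user run every cgm subcommand against every cgroup, the three calls above only ever hand a user a cgroup named after them, so the privilege that needs root stays confined to the login-time hook.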

