[lxc-users] Setting user environment for unprivileged containers

Thu Jul 3 22:24:25 UTC 2014

On 07/03/2014 11:46 PM, Serge Hallyn wrote:
> Quoting Christoph Willing (chris.willing at iinet.net.au):
>> I'm trying to make unprivileged containers work nicely on Slackware
>> - with some success. After some updates (kernel config, latest
>> shadow, latest lxc, install cgmanager) I worked through steps at
>> https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/.
>> I've made a Slackware template with which I can create a working
>> normal privileged container. I then use Serge Hallyn's uidmapshift
>> on it and copy the resulting unprivileged container into
>> $USER/.local/share/lxc/ from where it can be run by the user. It all
>> works fine.
>>
>> The only wrinkle is that before being able to run lxc-start for the
>> first time on an unprivileged container, the user must first run the
>> commands:
>>      sudo cgm create all $USER
>>      sudo cgm chown all $USER $(id -u) $(id -g)
>>      sudo cgm movepid all $USER $$
>> I'd like to avoid that if possible.
>>
>> Interestingly,
>> - those commands only need to be run once in a given terminal
>> session (run lxc-start any number of times after that)
>> - those commands need to be run in any new terminal in which
>> lxc-start is to be run on an unprivileged container i.e. running
>> them in one terminal doesn't bless any new terminal sessions
>> - the commands don't work when executed from a script
>> - the commands don't work if executed by root on the user's behalf
>>
>> Ideally this would be set up either at boot time for "approved"
>> users or whenever the approved users log in to the machine. I have
>> tried chmod'ing cgm to setuid root (not sure that would be a good
>> long term solution anyway) and it succeeded with first and last of
>> those commands but not the second (cgm chown ..).
>>
>> Could someone explain how this is managed in other distros where
>> running unprivileged already works please? I have an uneasy feeling
>
> Yup, it's done via pam_systemd.so
>
>> that its via PAM (the last of the prerequisites mentioned on
>> Stephane's page) but PAM is not used in Slackware and most unlikely
>> to be introduced.
>>
>> BTW, the situation is exactly the same when using the download
>> template to run the available premade containers i.e. I don't
>> believe its a problem with the template I made myself. Anyway, this
>> is surely something to be arranged in the host, not in the container
>> itself.
>>
>> Any description of how the user environment is set up and/or tips
>> about this would be greatly appreciated.
>
> So what is the standard way that slackware does things like chowning
> audio and cdrom devices to the user logging in on console?  I would
> hook that with a script that creates, sets up, and chowns new cgroups
> and moves the new user into it.

Thanks for the response Serge - it must have just crossed my last email 
with a solution I found that is, more or less, what you've suggested.

In Slackware, things like video, audio, cdrom etc., have their own 
groups and when a new user is created on the system, they're optionally 
made member of those groups. I've just made a new group (lxcusers - like 
vboxusers) and when users who are members of that group log in, their 
cgroups are set up. The breakthrough was finding that the cgroup setup 
script (which uses your cgm) should be sourced, not executed.

Its a bit clunky but it works and good enough for now.

chris