[lxc-users] unprivileged containers in RHEL-based OS
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Jul 23 15:28:30 UTC 2014
Quoting Christian Evans (frodox at zoho.com):
> Has anybody tried to create unprivileged containers in RHEL/CentOS/Fedora?
>
> The main problem -- I can't find an rpm like uidmap for Ubuntu to make
>
> # usermod --add-subuids 100000-165536 $USER
>
> Should I compile it from src from somewhere..?
Could do worse - you can grab the source from git://github.com/shadow-maint/shadow
> ---
>
> Also I have a question that I have been interested in for a long time. It's about the "LXC 1.0: Unprivileged containers [7/10]" article [1].
> There are these words:
>
> > Well, simply put, each user that’s allowed to use them on the system gets assigned a range of unused uids and gids,
> > ideally a whole 65536 of them.
>
> Why 65536?
So that uid nobody gets a mapping.
It's not strictly necessary, I often use containers without it, but some
packages will complain. Also you could simply map uids 0-2000, and then
map the nobody uid explicitly, to save a lot of subuids.
> AFAIK, UIDs can be much more, and it depends on system limits. Or, is it a limit for containers especially?
> So, what about other uids in container?
> For example, if I have 200 unprivileged containers, should I map 65536 uids of every container
> into *different* area of host uid map? In this case I would need 200*65536 = 13 107 200 of free uids on host...
> I misunderstand this point. Could someone correct me, please?
Depends on how the containers interrelate. Any container on which I run an
external facing service would indeed get a unique mapping, but the containers
I use for development generally share a range.
> ---
>
> P.S. I have installed lxc-1.0.5 from git on CentOS 7.0,
> ( like
> ./configure --prefix=/usr --enable-seccomp --enable-capabilities
> make && make install
> )
> and I can't find lxc's man pages (nothing in /usr/share/man). Looks like they just didn't install. Does anyone have the same issues?
>
> I also installed it on Fedora 20, and there everything is fine with the man pages.
> There is another issue, but I need to check it on a clean installation first.
>
>
>
> [1]: https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
>
> ---
> Regards,
> Christian.
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
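The two mapping strategies discussed in this thread (a whole 65536-id range per container versus a small 0-2000 range plus an explicit mapping for uid nobody) are easy to get wrong by one id, and a mapping that falls outside the user's /etc/subuid range is refused at container start. The following shell functions are an added example, not code from the thread or from the LXC project; they generate LXC 1.0 `lxc.id_map` lines for both strategies, the matching /etc/subuid line, and a check that every host id a mapping uses lies inside the authorised subuid range. The host base id 100000, the user name `alice` and the 2001-id "small" count (ids 0..2000 inclusive) are assumed values chosen for illustration.

```bash
#!/bin/sh
# Added example (not from the thread or LXC): uid/gid mapping arithmetic for
# unprivileged LXC 1.0 containers. Assumes the same host base for uids and gids.

NOBODY_UID=65534      # "nobody" inside the container; some packages expect it to be mapped
FULL_RANGE=65536      # one whole range per container, as the linked article recommends
SMALL_COUNT=2001      # container ids 0..2000 inclusive (the "map uids 0-2000" variant)

# lxc.id_map lines for a full 65536-id mapping starting at host id $1.
full_idmap() {
    base=$1
    printf 'lxc.id_map = u 0 %d %d\n' "$base" "$FULL_RANGE"
    printf 'lxc.id_map = g 0 %d %d\n' "$base" "$FULL_RANGE"
}

# lxc.id_map lines for the small mapping: container ids 0..2000 starting at
# host id $1, plus nobody (65534) mapped explicitly to the next free host id.
small_idmap() {
    base=$1
    printf 'lxc.id_map = u 0 %d %d\n' "$base" "$SMALL_COUNT"
    printf 'lxc.id_map = g 0 %d %d\n' "$base" "$SMALL_COUNT"
    printf 'lxc.id_map = u %d %d 1\n' "$NOBODY_UID" "$((base + SMALL_COUNT))"
    printf 'lxc.id_map = g %d %d 1\n' "$NOBODY_UID" "$((base + SMALL_COUNT))"
}

# Number of host uids consumed by the idmap lines read on stdin
# (sum of the count column of the 'u' lines).
host_ids_used() {
    awk '$3 == "u" { n += $6 } END { print n + 0 }'
}

# Host ids needed for $1 containers that must not share any id, each with a
# full range: N * 65536 (200 containers -> 13107200, as computed in the thread).
unique_total() {
    echo $(( $1 * FULL_RANGE ))
}

# The /etc/subuid (or /etc/subgid) line that authorises user $1 to map
# $3 host ids starting at $2; this is what "usermod --add-subuids" writes.
subuid_line() {
    printf '%s:%d:%d\n' "$1" "$2" "$3"
}

# Verify that every host id used by the idmap lines on stdin lies inside the
# subuid range starting at $1 with $2 ids. Prints "ok" or "out of range".
check_in_range() {
    awk -v start="$1" -v count="$2" '
        { lo = $5; hi = $5 + $6 - 1
          if (lo < start || hi >= start + count) bad = 1 }
        END { print (bad ? "out of range" : "ok") }'
}

# Usage: show the small mapping for a container based at host id 100000 and
# the subuid line that covers it (2001 + 1 = 2002 ids).
small_idmap 100000
subuid_line alice 100000 "$(small_idmap 100000 | host_ids_used)"
```

Running `small_idmap 100000 | check_in_range 100000 2001` reports "out of range", because the explicit nobody mapping needs one id beyond the 2001 used for 0..2000; the subuid line must cover 2002 ids. Two containers that share a range (the development-container case above) simply reuse the same base; containers that must be isolated from each other get bases that are at least `FULL_RANGE` apart.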