[lxc-users] unprivileged containers in RHEL-based OS

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jul 23 15:28:30 UTC 2014


Quoting Christian Evans (frodox at zoho.com):
> Has anybody tried to create unprivileged containers in RHEL/CentOS/Fedora?
> 
> The main problem -- I can't find an rpm like uidmap for ubuntu to make
> 
> # usermod --add-subuids 100000-165536 $USER
> 
> Should I compile it from src from somewhere..?

Could do worse - you can grab the source from git://github.com/shadow-maint/shadow

> ---
> 
> Also I have a question that I've been interested in for a long time. It's about the "LXC 1.0: Unprivileged containers [7/10]" article [1].
> There are words:
> 
> > Well, simply put, each user that’s allowed to use them on the system gets assigned a range of unused uids and gids, 
> > ideally a whole 65536 of them. 
> 
> why 65536? 

So that uid nobody gets a mapping.

It's not strictly necessary, I often use containers without it, but some
packages will complain.  Also you could simply map uids 0-2000, and then
map the nobody uid explicitly, to save a lot of subuids.

> AFAIK, there can be many more UIDs, and it depends on system limits. Or is it a limit for containers especially?
> So, what about other uids in the container?
> For example, if I have 200 unprivileged containers, should I map the 65536 uids of every container
> into a *different* area of the host uid map? In this case I would need 200*65536 = 13 107 200 free uids on the host...
> I misunderstand this point. Could someone correct me, please? 

Depends on how the containers interrelate.  Any container on which I run an
external facing service would indeed get a unique mapping, but the containers
I use for development generally share a range.

> ---
> 
> P.s. I have installed lxc-1.0.5 from git on CentOS 7.0, 
> ( like 
> ./configure --prefix=/usr --enable-seccomp --enable-capabilities
> make && make install 
> )
> and I can't find lxc's man pages (nothing in /usr/share/man). Looks like they just didn't install. Does anyone have same issues?
> 
> I also installed it on Fedora 20, and there everything is fine with man pages. 
> There is another issue.. but I need to check it on a clean installation first.
> 
> 
> 
> [1]: https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
> 
> ---
> Regards,
> Christian.
> 
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

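To make the two replies above concrete (why a "whole 65536" covers nobody, what Serge's 0-2000-plus-nobody alternative looks like as lxc.id_map lines, and how much host subuid space 200 unique versus shared mappings actually consume), here is an added planning script. It is not code from the thread or from the LXC project. It assumes the LXC 1.0 config syntax `lxc.id_map = <u|g> <container id> <host id> <count>`, that the container rootfs is Debian/Ubuntu-style with nobody at uid 65534 (on a RHEL-style rootfs nobody is 99, so adjust NOBODY_UID), and the /etc/subuid line it parses is a constructed sample.

```python
"""Plan LXC 1.0 unprivileged id maps against a user's /etc/subuid allocation.

Added example, not from the mailing-list thread or the LXC project.
Assumptions: LXC 1.0 syntax `lxc.id_map = u|g <container_id> <host_id> <count>`;
the container's `nobody` is uid 65534 (Debian/Ubuntu rootfs); the /etc/subuid
line below is constructed sample input.
"""

NOBODY_UID = 65534  # assumption: nobody inside the container rootfs (99 on a RHEL rootfs)

SAMPLE_SUBUID = "frodox:100000:65536\n"  # constructed sample /etc/subuid line


def parse_subuid(text, user):
    """Return (start, count) for `user` from /etc/subuid-style text; KeyError if absent."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            return int(start), int(count)
    raise KeyError(user)


def full_map(host_start, count=65536):
    """Map container ids 0..count-1 onto one contiguous host range ("a whole 65536")."""
    return [(0, host_start, count)]


def compact_map(host_start, low=2001):
    """Serge's alternative: map 0..low-1, then map nobody explicitly (low+1 host ids)."""
    return [(0, host_start, low), (NOBODY_UID, host_start + low, 1)]


def id_map_lines(ranges):
    """Render (container_id, host_id, count) ranges as lxc.id_map lines for uids and gids."""
    return ["lxc.id_map = %s %d %d %d" % (kind, cid, hid, n)
            for cid, hid, n in ranges for kind in ("u", "g")]


def host_ids_used(ranges):
    return sum(n for _, _, n in ranges)


def fits(ranges, sub_start, sub_count):
    """True iff every host id in the map lies inside the user's subuid allocation.
    (The kernel refuses a map outside /etc/subuid, so this is the check that matters.)"""
    return all(sub_start <= hid and hid + n <= sub_start + sub_count
               for _, hid, n in ranges)


def maps_nobody(ranges):
    """True iff the container's nobody uid has a host mapping (why 65536 > 65534 matters)."""
    return any(cid <= NOBODY_UID < cid + n for cid, _, n in ranges)


def disjoint(maps):
    """True iff no two containers share a host id: the isolation property of unique maps."""
    ivs = sorted((hid, hid + n) for m in maps for _, hid, n in m)
    return all(a_end <= b_start for (_, a_end), (b_start, _) in zip(ivs, ivs[1:]))


def plan(n_containers, sub_start, sub_count, unique=True, compact=False):
    """Allocate maps for n containers. unique=True gives each its own host slice (what
    you want for externally facing services); unique=False has them all share slice 0."""
    builder = compact_map if compact else full_map
    maps, offset = [], sub_start
    for i in range(n_containers):
        m = builder(offset)
        if not fits(m, sub_start, sub_count):
            raise ValueError("container %d needs host ids beyond the subuid allocation" % i)
        maps.append(m)
        if unique:
            offset += host_ids_used(m)
    return maps


if __name__ == "__main__":
    start, count = parse_subuid(SAMPLE_SUBUID, "frodox")
    print("\n".join(id_map_lines(compact_map(start))))
    print("unique full maps that fit:", len(plan(1, start, count)))
    print("unique compact maps that fit:", len(plan(32, start, count, compact=True)))
```

Running it against the sample allocation shows the trade-off in numbers: one 65536-wide subuid range holds exactly one unique full map, 32 unique compact maps, or any number of shared maps; 200 unique full maps need a 13 107 200-uid allocation, as the question computed.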