[lxc-users] Unprivileged container and multiple/external users
Andre Nathan
andre at digirati.com.br
Wed Jun 4 17:41:46 UTC 2014
Hello
I'm currently running in production a pre-1.0 LXC version. These run a
minimum number of processes as root and a bunch of processes running as
a normal user (e.g. apache, cron, syslog-ng). Most container directories
are bind-mounted from the host in read-only mode, including the
unprivileged user's home directory (so /home/user is bind-mounted to
/var/lib/lxc/mycontainer/rootfs/home/user).
I'm now trying to increase security by using unprivileged containers in
LXC 1.0. I've successfully started a root-owned unprivileged container
but I'm having some trouble dealing with the extra user. The main
problem seems to be that everything in the container becomes owned by
user/group ID 65534 and I can't find a way around that. Therefore the
user has no rights to access his own files inside the container.
This is from an lxc-attach session:
root at mycontainer:/# id user
uid=1000(user) gid=1000(user) groups=1000(user)
root at mycontainer:/# ls -ld /home/user
drwxr-x---+ 7 65534 65534 4096 Jun 4 14:35 /home/user
root at mycontainer:/# su - user
Unable to cd to '/home/user'
Is there any way around that? Maybe some mount option to map the mount
point's UID and GID to something different inside the container?
Thanks in advance,
Andre
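The 65534 in the ls output above is the kernel's overflow id: inside a user namespace, any file whose host owner lies outside the container's lxc.id_map ranges is shown as that id, and no container user can match it. The usual way around it is to chown the host-side directory to the host ids that the container's uid/gid 1000 are shifted to, and a quick way to see why is to compute the shift from the id_map lines. The script below is an added illustration, not code from the post or from the LXC project; the lxc.id_map lines are a constructed sample (the real ones come from the container config and /etc/subuid, /etc/subgid), and the overflow id 65534 is the kernel default from /proc/sys/kernel/overflowuid.

```sh
#!/bin/sh
# Constructed sample of a container's id map (LXC 1.0 key name: lxc.id_map).
# "u 0 100000 65536" means container uid 0..65535 -> host uid 100000..165535.
SAMPLE_IDMAP='lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'

# Kernel default for ids that fall outside every mapping (/proc/sys/kernel/overflowuid).
OVERFLOW_ID=65534

# map_id KIND ID [IDMAP]: print the host id that container id ID (KIND is u or g)
# is shifted to; print nothing and return 1 when it is outside every range.
map_id() {
    kind="$1"; id="$2"; idmap="${3:-$SAMPLE_IDMAP}"
    while IFS= read -r line; do
        # normalise "lxc.id_map = u 0 100000 65536" (with or without spaces around =)
        # into positional fields: key kind container_start host_start count
        set -- $(printf '%s\n' "$line" | sed 's/=/ /')
        [ "${1:-}" = "lxc.id_map" ] && [ "${2:-}" = "$kind" ] || continue
        if [ "$id" -ge "$3" ] && [ "$id" -lt $(($3 + $5)) ]; then
            echo $(($4 + id - $3))
            return 0
        fi
    done <<EOF
$idmap
EOF
    return 1
}

# unmap_id KIND HOST_ID [IDMAP]: the reverse view, what a host-owned file looks like
# from inside the container. Unmapped host ids show up as the overflow id (return 1).
unmap_id() {
    kind="$1"; hid="$2"; idmap="${3:-$SAMPLE_IDMAP}"
    while IFS= read -r line; do
        set -- $(printf '%s\n' "$line" | sed 's/=/ /')
        [ "${1:-}" = "lxc.id_map" ] && [ "${2:-}" = "$kind" ] || continue
        if [ "$hid" -ge "$4" ] && [ "$hid" -lt $(($4 + $5)) ]; then
            echo $(($3 + hid - $4))
            return 0
        fi
    done <<EOF
$idmap
EOF
    echo "$OVERFLOW_ID"
    return 1
}

# host_owner CUID CGID: the "uid:gid" a host-side directory must be chowned to so
# that it is owned by container uid CUID / gid CGID once bind-mounted in.
host_owner() {
    huid=$(map_id u "$1") || return 1
    hgid=$(map_id g "$2") || return 1
    echo "$huid:$hgid"
}

# Walk-through of the situation in the post: /home/user on the host is owned by
# host uid/gid 1000, which is not inside the map, so the container sees 65534.
echo "host uid 1000 seen from the container as: $(unmap_id u 1000)"
# The fix is to give the host directory the shifted owner instead (run as root).
if owner=$(host_owner 1000 1000); then
    echo "chown -R $owner /var/lib/lxc/mycontainer/rootfs/home/user"
fi
```

Because the bind mount is read-only inside the container, the chown has to happen on the host side of the mount, and it must be redone whenever files are created on the host under the old ownership. Note that the mapped host ids (101000 here) are ordinary host users with no name in /etc/passwd, so host-side tools will show them numerically.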