[lxc-users] Unprivileged container and multiple/external users

Andre Nathan andre at digirati.com.br
Wed Jun 4 17:41:46 UTC 2014


Hello

I'm currently running in production a pre-1.0 LXC version. These run a
minimum number of processes as root and a bunch of processes running as
a normal user (eg. apache, cron, syslog-ng). Most container directories
are bind-mounted from the host in read-only mode, including the
unprivileged user's home directory (so /home/user is bind-mounted to
/var/lib/lxc/mycontainer/rootfs/home/user).

I'm now trying to increase security by using unprivileged containers in
LXC 1.0. I've successfully started a root-owned unprivileged container
but I'm having some trouble dealing with the extra user. The main
problem seems to be that everything in the container becomes owned by
user/group ID 65534 and I can't find a way around that. Therefore the
user has no rights to access his own files inside the container.

This is from an lxc-attach session:

root@mycontainer:/# id user
uid=1000(user) gid=1000(user) groups=1000(user)
root@mycontainer:/# ls -ld /home/user
drwxr-x---+ 7 65534 65534 4096 Jun  4 14:35 /home/user
root@mycontainer:/# su - user
Unable to cd to '/home/user'

Is there any way around that? Maybe some mount option to map the mount
point's UID and GID to something different inside the container?

Thanks in advance,
Andre
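The 65534 owner in the ls output above is what the kernel shows for any host id that no lxc.id_map range covers: the bind-mounted /home/user is owned by host uid/gid 1000, and a typical single-range map only translates host ids 100000 and up. The following is an added example, not code from the post or from the LXC project; it models the lxc.id_map syntax "u|g <container_start> <host_start> <count>" and assumes the kernel default overflow id of 65534. The three sample maps are constructed for illustration: the single-range map from a default setup, a naive extra line that makes container id 1000 belong to two ranges (which the kernel rejects), and a split map where every id belongs to exactly one range. Whether a given map may be written at all depends on who starts the container (root can map any host id; a non-root owner is limited to its /etc/subuid and /etc/subgid allocations), and note that mapping host uid 1000 straight into the container means container processes running as that uid act as host uid 1000 on every shared file, not just the bind-mounted home.

```python
"""Model of how LXC 1.0 lxc.id_map ranges translate ids between host and container.

Added example; this is not code from the original post or from the LXC project.
Assumptions: the lxc.id_map syntax "u|g <container_start> <host_start> <count>",
and an unmapped host id appearing inside the container as the overflow id 65534.
"""

OVERFLOW_ID = 65534  # kernel default (/proc/sys/kernel/overflowuid), assumed here


def parse_id_map(config_text):
    """Collect lxc.id_map ranges as {'u': [(cstart, hstart, count)], 'g': [...]}."""
    ranges = {"u": [], "g": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.id_map":
            continue
        kind, cstart, hstart, count = value.split()
        ranges[kind].append((int(cstart), int(hstart), int(count)))
    return ranges


def host_to_container(ranges, kind, host_id, overflow=OVERFLOW_ID):
    """Id the container sees for a host-side file owner; overflow id if unmapped."""
    for cstart, hstart, count in ranges[kind]:
        if hstart <= host_id < hstart + count:
            return cstart + (host_id - hstart)
    return overflow


def container_to_host(ranges, kind, container_id):
    """Host id behind a container id, or None when the container id is unmapped."""
    for cstart, hstart, count in ranges[kind]:
        if cstart <= container_id < cstart + count:
            return hstart + (container_id - cstart)
    return None


def _intersect(a_start, a_count, b_start, b_count):
    """True when the half-open intervals [a, a+n) and [b, b+m) share an id."""
    return a_start < b_start + b_count and b_start < a_start + a_count


def overlapping_ranges(ranges, kind):
    """Pairs of ranges that overlap on the container side or the host side.

    The kernel refuses a uid_map/gid_map whose ranges overlap, so a non-empty
    result means the container would not start with this map.
    """
    found = []
    rs = ranges[kind]
    for i in range(len(rs)):
        for j in range(i + 1, len(rs)):
            ci, hi, ni = rs[i]
            cj, hj, nj = rs[j]
            if _intersect(ci, ni, cj, nj) or _intersect(hi, ni, hj, nj):
                found.append((rs[i], rs[j]))
    return found


# Constructed sample: a common single-range map. Host uid 1000 (the owner of the
# bind-mounted /home/user) lies outside 100000..165535, so the container sees 65534.
SINGLE_RANGE = """
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

# Constructed sample: a tempting "fix" that only adds host 1000 -> container 1000.
# Container id 1000 is now claimed by two ranges, which the kernel rejects.
NAIVE_FIX = SINGLE_RANGE + """
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
"""

# Constructed sample: the same intent with the large range split around id 1000,
# so every container id and every host id belongs to exactly one range.
SPLIT_RANGE = """
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""


if __name__ == "__main__":
    for name, text in (("single", SINGLE_RANGE), ("naive", NAIVE_FIX), ("split", SPLIT_RANGE)):
        rs = parse_id_map(text)
        print(name, "map: host uid 1000 ->", host_to_container(rs, "u", 1000),
              "| overlapping u ranges:", len(overlapping_ranges(rs, "u")))
```

Running the script shows host uid 1000 translating to 65534 under the single-range map, the naive map being flagged for an overlap, and the split map returning 1000 with no overlaps; the same functions can be pointed at a real container config to check what a bind-mounted directory's owner will look like before the container is started.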


