[lxc-users] Unprivileged container and multiple/external users
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Jun 4 20:54:42 UTC 2014
Quoting Andre Nathan (andre at digirati.com.br):
> Hello
>
> I'm currently running in production a pre-1.0 LXC version. These run a
> minimum number of processes as root and a bunch of processes running as
> a normal user (eg. apache, cron, syslog-ng). Most container directories
> are bind-mounted from the host in read-only mode, including the
> unprivileged user's home directory (so /home/user is bind-mounted to
> /var/lib/lxc/mycontainer/rootfs/home/user).
>
> I'm now trying to increase security by using unprivileged containers in
> LXC 1.0. I've successfully started a root-owned unprivileged container
> but I'm having some trouble dealing with the extra user. The main
> problem seems to be that everything in the container becomes owned by
> user/group ID 65534 and I can't find a way around that. Therefore the
> user has no rights to access his own files inside the container.
>
> This is from an lxc-attach session:
>
> root at mycontainer:/# id user
> uid=1000(user) gid=1000(user) groups=1000(user)
> root at mycontainer:/# ls -ld /home/user
> drwxr-x---+ 7 65534 65534 4096 Jun 4 14:35 /home/user
> root at mycontainer:/# su - user
> Unable to cd to '/home/user'
>
> Is there any way around that? Maybe some mount option to map the mount
> point's UID and GID to something different inside the container?
Not yet. We were discussing just that yesterday (on lkml I believe),
but it doesn't yet exist. For now you must have a separate filesystem
for each unprivileged container (or at least one per uid map).