[lxc-users] Unprivileged container and multiple/external users

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jun 5 15:22:23 UTC 2014


Quoting Andre Nathan (andre at digirati.com.br):
> Hi Serge
> 
> On 06/04/2014 05:54 PM, Serge Hallyn wrote:
> > For now you must have a separate filesystem
> > for each unprivileged container (or at least one per uid map).
> 
> Do you have an example of how this would be done? I created a filesystem
> for /home/local (ext4 FS over an LVM logical volume) and bind-mount it
> into the container when it starts. Should that work? I'm not seeing any
> changes (files still have uid/gid 65534).

The files need to be chowned to the mapped uid/gids.  lxc-create can do
it automatically for you, or you can do it manually.  There is a program
called uidmapshift at lp:~serge-hallyn/+junk/nsexec which will do it for
you (might be worth putting into linux-utils or something), or if you
have a tarball you can simply extract it in the target user namespace
using lxc-usernsexec.  For instance if your container will map uids and
gids 0-70000 to 100000-170000, you can

	lxc-usernsexec -m b:0:100000:70001 -- tar zxvf rootfs.tar.gz -C rootfs/

-serge
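A worked illustration of the ownership shift Serge describes, as an added example that is not part of the original thread and not his uidmapshift program; it assumes the 0-70000 to 100000-170000 map from the message above and takes the rootfs path as its first argument (dry run unless --apply is given):

```python
#!/usr/bin/env python3
"""Shift the uid/gid of every inode in a container rootfs into a mapped range.

Constructed illustration of what a uidmapshift-style tool does; it is not
Serge's program. With base=0, target=100000, count=70001 it matches the
mapping `lxc-usernsexec -m b:0:100000:70001` from the message above.
"""
import os
import sys


def shift_id(ident, base, target, count):
    """Map ident from [base, base+count) onto [target, target+count).
    Ids outside the source range are returned unchanged."""
    if base <= ident < base + count:
        return ident - base + target
    return ident


def shift_tree(root, base, target, count, apply=False):
    """Walk root without following symlinks and compute the new owner of each
    inode (directories, files, symlinks). Returns a list of
    (path, old_uid, old_gid, new_uid, new_gid) for inodes whose owner changes.
    With apply=False nothing is written, so the plan can be reviewed before
    the real run as root; with apply=True os.lchown() is called per entry."""
    changes = []
    for dirpath, dirnames, filenames in os.walk(root):
        # dirpath covers each real directory once; symlinks to directories
        # never become dirpath, so they are picked out of dirnames here.
        paths = [dirpath]
        paths += [os.path.join(dirpath, n) for n in filenames]
        paths += [os.path.join(dirpath, n) for n in dirnames
                  if os.path.islink(os.path.join(dirpath, n))]
        for path in paths:
            st = os.lstat(path)  # lstat: the symlink itself, not its target
            new_uid = shift_id(st.st_uid, base, target, count)
            new_gid = shift_id(st.st_gid, base, target, count)
            if (new_uid, new_gid) == (st.st_uid, st.st_gid):
                continue
            changes.append((path, st.st_uid, st.st_gid, new_uid, new_gid))
            if apply:
                os.lchown(path, new_uid, new_gid)  # never follows symlinks
    return changes


if __name__ == "__main__":
    # Usage: uidshift.py ROOTFS [--apply]; defaults to the 0->100000 map above.
    plan = shift_tree(sys.argv[1], 0, 100000, 70001, apply="--apply" in sys.argv)
    for path, ou, og, nu, ng in plan:
        print(f"{path}: {ou}:{og} -> {nu}:{ng}")
```

Review the dry-run output first; files owned by ids outside 0-70000 on the host are left untouched and will still show up as 65534 inside the container.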
