[lxc-users] Unprivileged container and multiple/external users
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Jun 5 15:22:23 UTC 2014
Quoting Andre Nathan (andre at digirati.com.br):
> Hi Serge
>
> On 06/04/2014 05:54 PM, Serge Hallyn wrote:
> > For now you must have a separate filesystem
> > for each unprivileged container (or at least one per uid map).
>
> Do you have an example of how this would be done? I created a filesystem
> for /home/local (ext4 FS over an LVM logical volume) and bind-mount it
> into the container when it starts. Should that work? I'm not seeing any
> changes (files still have uid/gid 65534).
The files need to be chowned to the mapped uid/gids. lxc-create can do
it automatically for you, or you can do it manually. There is a program
called uidmapshift at lp:~serge-hallyn/+junk/nsexec which will do it for
you (might be worth putting into linux-utils or something), or if you
have a tarball you can simply extract it in the target user namespace
using lxc-usernsexec. For instance if your container will map uids and
gids 0-70000 to 100000-170000, you can
lxc-usernsexec -m b:0:100000:70001 -- tar zxvf -C rootfs/ rootfs.tar.gz
-serge
More information about the lxc-users
mailing list