[lxc-users] Unprivileged container and multiple/external users

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jun 25 14:41:28 UTC 2014


Quoting Andre Nathan (andre at digirati.com.br):
> Serge,
> 
> On 06/04/2014 05:54 PM, Serge Hallyn wrote:
> >Quoting Andre Nathan (andre at digirati.com.br):
> >>Is there any way around that? Maybe some mount option to map the mount
> >>point's UID and GID to something different inside the container?
> >
> >Not yet.  We were discussing just that yesterday (on lkml I believe),
> >but it doesn't yet exist.
> 
> Was the discussion "friendly" towards supporting UID shifts for bind mounts?
> 
> >For now you must have a separate filesystem
> >for each unprivileged container (or at least one per uid map).

Sorry, I meant a separate rootfs.

> Does a btrfs subvolume count as a filesystem here?

That would work, and with btrfs' metadata COW that should be very
space-efficient.

> With multiple root-owned unprivileged containers, do I still need
> one filesystem for each container or would one be enough given
> they're all owned by the same user?

Depending on what you're running in the containers you'll still want
to use separate uid ranges for some of them, so for those, yes.

-serge
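Added illustration (not part of the thread, and not LXC's own code): a small Python model of how the kernel's uid_map decides what owner a file shows as inside an unprivileged container, which is the reason one rootfs cannot be shared across containers with different id maps. The overflow id 65534 is the kernel default and is assumed unchanged; the three maps, the rootfs owner list and the shift_owner helper are constructed for the example.

```python
"""Hypothetical helper (not LXC code) that models how the kernel's user
namespace uid_map/gid_map decides which id a file owner appears as
inside an unprivileged container.  Constants and sample data are
constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional

# Kernel default for ids that have no mapping in the namespace
# (/proc/sys/kernel/overflowuid); assumed unchanged on the host.
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdRange:
    """One line of /proc/<pid>/uid_map: inner_start outer_start count."""
    inner_start: int
    outer_start: int
    count: int


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text (same three-field syntax as lxc.id_map)."""
    ranges = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        inner, outer, count = (int(f) for f in fields)
        if count <= 0 or inner < 0 or outer < 0:
            raise ValueError(f"invalid map line: {line!r}")
        ranges.append(IdRange(inner, outer, count))
    return ranges


def host_to_container(ranges: List[IdRange], host_id: int) -> int:
    """Id a file owned by host_id shows as inside the namespace.
    Unmapped host ids collapse to the overflow id (nobody/nogroup)."""
    for r in ranges:
        if r.outer_start <= host_id < r.outer_start + r.count:
            return r.inner_start + (host_id - r.outer_start)
    return OVERFLOW_ID


def container_to_host(ranges: List[IdRange], container_id: int) -> Optional[int]:
    """Host id written to disk when the container chowns to container_id;
    None if the id is not representable (the chown would fail)."""
    for r in ranges:
        if r.inner_start <= container_id < r.inner_start + r.count:
            return r.outer_start + (container_id - r.inner_start)
    return None


def rootfs_usable_by(owner_ids: List[int], ranges: List[IdRange]) -> bool:
    """True if every owner id found in the rootfs maps to a real id in the
    container, i.e. nothing degrades to nobody."""
    return all(host_to_container(ranges, i) != OVERFLOW_ID for i in owner_ids)


def shift_owner(host_id: int, from_map: List[IdRange],
                to_map: List[IdRange]) -> Optional[int]:
    """Host id a file must be chowned to so it keeps the same
    container-visible id when a rootfs is copied from one map to another
    (what a uid-shifting tool does file by file).  Hypothetical helper."""
    inner = host_to_container(from_map, host_id)
    if inner == OVERFLOW_ID:
        return None
    return container_to_host(to_map, inner)


# Constructed sample: two root-owned unprivileged containers with disjoint
# ranges, plus a third map that punches the host user's own uid 1000 through.
MAP_A = parse_id_map("0 100000 65536")
MAP_B = parse_id_map("0 200000 65536")
MAP_C = parse_id_map("0 100000 1000\n1000 1000 1\n1001 101001 64535")

# Owner ids as they appear on the host for a rootfs prepared for MAP_A:
# container root, www-data (33) and an unprivileged user (1000).
ROOTFS_A_OWNERS = [100000, 100033, 101000]


if __name__ == "__main__":
    for name, m in (("A", MAP_A), ("B", MAP_B), ("C", MAP_C)):
        print(f"rootfs built for map A usable by map {name}: "
              f"{rootfs_usable_by(ROOTFS_A_OWNERS, m)}")
    print("host uid 100033 seen from map B ->", host_to_container(MAP_B, 100033))
    print("shift 100033 from map A to map B ->", shift_owner(100033, MAP_A, MAP_B))
```

Running it shows the rootfs prepared for map A is only usable under map A; under map B every file collapses to nobody, and even map C, which shares the 100000 base but carves out host uid 1000, breaks the file owned by host 101000. That is the "one rootfs per uid map" rule in the reply above.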
