[lxc-users] Unprivileged container and multiple/external users
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Jun 25 14:41:28 UTC 2014
Quoting Andre Nathan (andre at digirati.com.br):
> Serge,
>
> On 06/04/2014 05:54 PM, Serge Hallyn wrote:
> >Quoting Andre Nathan (andre at digirati.com.br):
> >>Is there any way around that? Maybe some mount option to map the mount
> >>point's UID and GID to something different inside the container?
> >
> >Not yet. We were discussing just that yesterday (on lkml I believe),
> >but it doesn't yet exist.
>
> Was the discussion "friendly" towards supporting UID shifts for bind mounts?
>
> >For now you must have a separate filesystem
> >for each unprivileged container (or at least one per uid map).
Sorry, I meant a separate rootfs.
> Does a btrfs subvolume count as a filesystem here?
That would work, and with btrfs' metadata COW that should be very
space-efficient.
> With multiple root-owned unprivileged containers, do I still need
> one filesystem for each container or would one be enough given
> they're all owned by the same user?
Depending on what you're running in the containers you'll still want
to use separate uid ranges for some of them, so for those, yes.
-serge
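The "separate rootfs per uid map" arrangement Serge describes, as an added example that is not part of the original message or of the LXC project: a POSIX shell script that snapshots a base btrfs subvolume for each new container and then rewrites the ownership of every inode in the snapshot into that container's host id range, with a check that two containers are not handed overlapping host ranges. Everything beyond the thread is an assumption: the `$BASE` and `$MAPS` paths, the `<first id in container> <first id on host> <count>` map triple (the same triple that follows `u` or `g` in an LXC 1.x `lxc.id_map` line), and the chown-based shifting itself, which is what you are left with when no mount option can shift ids for you.

```shell
#!/bin/sh
# Added example for the lxc-users thread above; not code from the list or
# from LXC. Assumed (hypothetical) layout: base rootfs is a btrfs subvolume
# at $BASE, per-container maps are recorded in $MAPS as "<name> <uidmap>".
set -eu
: "${BASE:=/var/lib/lxc/base/rootfs}"
: "${MAPS:=/var/lib/lxc/maps}"

# map_id <id inside container> "<c_start> <h_start> <count>"
# Prints the host id the container id maps to; fails if the id is unmapped.
map_id() {
    cid=$1
    set -- $2
    c_start=$1; h_start=$2; count=$3
    if [ "$cid" -lt "$c_start" ] || [ "$cid" -ge $((c_start + count)) ]; then
        return 1
    fi
    echo $((h_start + cid - c_start))
}

# ranges_overlap "<map a>" "<map b>"
# Exit 0 when the two maps claim overlapping host id ranges. Containers that
# share a host range own each other's files, the situation Serge's last reply
# warns about, so a new container must not be given such a map.
ranges_overlap() {
    set -- $1 $2
    a_lo=$2; a_hi=$(($2 + $3)); b_lo=$5; b_hi=$(($5 + $6))
    [ "$a_lo" -lt "$b_hi" ] && [ "$b_lo" -lt "$a_hi" ]
}

# owner_ids <path>: print "uid gid" (GNU stat, with BSD stat as fallback).
owner_ids() {
    stat -c '%u %g' "$1" 2>/dev/null || stat -f '%u %g' "$1"
}

# shift_tree <dir> "<uidmap>" "<gidmap>"
# Rewrites ownership of every inode under <dir> from container ids to host
# ids. Symlinks get chown -h rather than being followed. On Linux, chown by
# root clears setuid/setgid on executables, so the mode of each regular file
# is saved and restored; otherwise the shifted /bin/su silently loses its
# setuid bit. DRYRUN=1 prints the commands instead of running them.
# Limitation: the find|read loop cannot handle newlines in file names.
shift_tree() {
    dir=$1; uidmap=$2; gidmap=$3
    find "$dir" -print | while IFS= read -r path; do
        set -- $(owner_ids "$path")
        nu=$(map_id "$1" "$uidmap") || { echo "unmapped uid $1: $path" >&2; exit 1; }
        ng=$(map_id "$2" "$gidmap") || { echo "unmapped gid $2: $path" >&2; exit 1; }
        mode=
        if [ -f "$path" ] && [ ! -L "$path" ]; then
            mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Mp%Lp' "$path")
        fi
        if [ "${DRYRUN:-0}" = 1 ]; then
            echo "chown -h $nu:$ng $path"
            if [ -n "$mode" ]; then echo "chmod $mode $path"; fi
        else
            chown -h "$nu:$ng" "$path"
            if [ -n "$mode" ]; then chmod "$mode" "$path"; fi
        fi
    done
}

# new_rootfs <name> "<uidmap>" "<gidmap>"
# One rootfs per id map: snapshot the base subvolume (metadata COW, so the
# copy is cheap) and shift it into this container's range. Needs root and a
# btrfs $BASE. Refuses a uid map that collides with one already in $MAPS.
new_rootfs() {
    name=$1; uidmap=$2; gidmap=$3
    if [ -f "$MAPS" ]; then
        while read -r other othermap; do
            if ranges_overlap "$uidmap" "$othermap"; then
                echo "uid range of $name collides with $other" >&2
                return 1
            fi
        done < "$MAPS"
    fi
    mkdir -p "/var/lib/lxc/$name"
    btrfs subvolume snapshot "$BASE" "/var/lib/lxc/$name/rootfs"
    shift_tree "/var/lib/lxc/$name/rootfs" "$uidmap" "$gidmap"
    echo "$name $uidmap" >> "$MAPS"
}

# Usage (as root, on a btrfs host; the second map is deliberately disjoint):
#   new_rootfs web "0 100000 65536" "0 100000 65536"
#   new_rootfs db  "0 165536 65536" "0 165536 65536"
```

The walk in `shift_tree` is the reason one filesystem cannot serve two uid maps: ownership lives in each inode, so a tree prepared for the 100000 range is simply wrong for a container mapped at 165536, and rewriting it in place would break the first container. A snapshot per container sidesteps that at the cost of the one-time chown pass.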