[lxc-users] Unprivileged container file permissions

Mahmood mahmood at circleci.com
Sat May 24 00:43:27 UTC 2014


Hi,

I'm trying to use unprivileged containers that are inaccessible by
other users in a shared environment.  Setting the container path to 550
seems to block lxc-start.  What are the minimal permissions that I
need to set on the directory so lxc-start can start successfully?  Any
pointers for managing subuid permissions?

Here is my sample commands transcript:

```
ubuntu at ip-10-65-151-126:~$ chmod o-rx .local/share/lxc/u1
ubuntu at ip-10-65-151-126:~$ ls -lha .local/share/lxc |grep u1
drwxr-x--- 3 ubuntu ubuntu 4.0K May 23 23:45 u1
ubuntu at ip-10-65-151-126:~$
ubuntu at ip-10-65-151-126:~$ # Starting a container with no other permission
ubuntu at ip-10-65-151-126:~$ lxc-start -n u1
lxc_container: Permission denied - failed to get real path for
'/home/ubuntu/.local/share/lxc/u1/rootfs'
lxc_container: failed to mount rootfs
lxc_container: failed to setup rootfs for 'u1'
lxc_container: failed to setup the container
lxc_container: invalid sequence number 1. expected 2
lxc_container: failed to spawn 'u1'
ubuntu at ip-10-65-151-126:~$
ubuntu at ip-10-65-151-126:~$ # Now with other having rx access
ubuntu at ip-10-65-151-126:~$ chmod o+rx .local/share/lxc/u1
ubuntu at ip-10-65-151-126:~$ lxc-start -n u1 -d
ubuntu at ip-10-65-151-126:~$ lxc-attach -n u1
root at u1:~# It worked
```

Thanks!
- Mahmood
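An added check for the situation described in the post (editor's example, not code from the thread or from the LXC project). The root of an unprivileged container runs as a subordinate uid from /etc/subuid (100000 in the default Ubuntu layout), which is neither the owner nor the group of anything under the user's home directory, so the kernel decides whether that uid may descend into .../u1/rootfs using the "other" bits of every path component. Descending a directory needs only the search (execute) bit, not read, so a mode such as 711 on the home directory, .local/share/lxc and the container directory lets the mapped root reach the rootfs while still preventing other users from listing those directories. The script below walks each component of a container path and reports the ones missing o+x; it assumes GNU coreutils `stat -c` (Linux), and the temporary tree built in the test is constructed for illustration.

```shell
#!/bin/sh
# Editor's example (not from the lxc-users thread or the LXC sources).
# Report every directory component of a container path that lacks the
# "other" search bit, which is the bit the mapped (subordinate-uid) root
# of an unprivileged container needs on each ancestor of its rootfs.
# Assumes GNU coreutils stat (-c '%a').

# other_has_x DIR: exit 0 if "other" has the execute/search bit on DIR,
# 1 if not, 2 if DIR cannot be stat'ed.
other_has_x() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The last octal digit is the "other" triplet; odd values carry x.
    other=${mode#"${mode%?}"}
    case $other in
        1|3|5|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_traverse TARGET [STOP]: check TARGET and each of its ancestors up
# to and including STOP (default "/"). Prints the offending directories
# and returns 1 if any component lacks o+x, 0 if the whole chain is
# traversable by "other". Intended for directories such as .../u1/rootfs.
check_traverse() {
    target=$1
    stop=${2:-/}
    missing=0
    dir=$target
    while :; do
        if ! other_has_x "$dir"; then
            echo "missing o+x: $dir"
            missing=1
        fi
        # Stop once the requested root (or the filesystem root) is checked.
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $missing
}

# Stand-alone usage:
#   sh check.sh ~/.local/share/lxc/u1/rootfs
# Then, for each reported directory, "chmod o+x" (mode 711 keeps other
# users from listing it) rather than the 755 used in the transcript.
[ $# -eq 0 ] || check_traverse "$1" "${2:-/}"
```

The transcript's failure ("failed to get real path for .../u1/rootfs") is what this check flags on the u1 directory after `chmod o-rx`; adding back only o+x is enough for the traversal, and read access for "other" can stay off.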

