[lxc-users] Unprivileged container file permissions
Serge Hallyn
serge.hallyn at ubuntu.com
Sat May 24 22:04:06 UTC 2014
Quoting Mahmood (mahmood at circleci.com):
> Hi,
>
> I'm trying to use unprivileged containers that are inaccessible by
> other users in a shared environment. Setting the container path to 550
> seems to block lxc-start. What are the minimal permissions that I
> need to set on the directory so lxc-start can start successfully? Any
> pointers for managing subuid permissions?
>
> Here is a transcript of my sample commands:
>
> ```
> ubuntu at ip-10-65-151-126:~$ chmod o-rx .local/share/lxc/u1
> ubuntu at ip-10-65-151-126:~$ ls -lha .local/share/lxc |grep u1
> drwxr-x--- 3 ubuntu ubuntu 4.0K May 23 23:45 u1
chgrp it to the root gid in your container, while keeping it owned
by ubuntu.
Perhaps lxc should be setting it up like that at create...
> ubuntu at ip-10-65-151-126:~$
> ubuntu at ip-10-65-151-126:~$ # Starting a container with no other permission
> ubuntu at ip-10-65-151-126:~$ lxc-start -n u1
> lxc_container: Permission denied - failed to get real path for
> '/home/ubuntu/.local/share/lxc/u1/rootfs'
> lxc_container: failed to mount rootfs
> lxc_container: failed to setup rootfs for 'u1'
> lxc_container: failed to setup the container
> lxc_container: invalid sequence number 1. expected 2
> lxc_container: failed to spawn 'u1'
> ubuntu at ip-10-65-151-126:~$
> ubuntu at ip-10-65-151-126:~$ # Now with other having rx access
> ubuntu at ip-10-65-151-126:~$ chmod o+rx .local/share/lxc/u1
> ubuntu at ip-10-65-151-126:~$ lxc-start -n u1 -d
> ubuntu at ip-10-65-151-126:~$ lxc-attach -n u1
> root at u1:~# It worked
> ```
>
> Thanks!
> - Mahmood
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
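Serge's suggestion worked through as an added shell example (not part of the thread, and not LXC's own tooling): it reads the `lxc.id_map` group line from the container's config (assumed to live at ~/.local/share/lxc/u1/config; the mapping base 100000 is a placeholder) to find the host gid that is gid 0 inside the container, then group-owns the container directory by that gid with mode 750. The container's root, which runs as that mapped gid once lxc-start has entered the user namespace, can then traverse the directory, while "other" host users get nothing.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the host gid that an
# unprivileged container's root group (gid 0 inside) maps to, then apply
# the suggested fix: keep the directory owned by the host user, group-own
# it by that gid, and remove all access for "other".

# Print the host gid mapped to container gid 0 by the first matching
# "lxc.id_map = g <container_start> <host_start> <count>" line (the LXC 1.x
# key used in 2014; the newer "lxc.idmap" spelling is accepted as well).
# Returns 1 if no group mapping covers container gid 0.
container_root_gid() {
    awk '
        /^lxc\.id_?map[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")      # strip "lxc.id_map = "
            if ($1 == "g" && $2 + 0 <= 0 && $2 + $4 > 0) {
                print $3 - $2                 # host gid for container gid 0
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Apply the suggested ownership: group = container root gid, mode 750
# (owner rwx, group r-x, other ---). Ownership by the host user is untouched.
secure_container_dir() {
    chgrp "$2" "$1" && chmod 750 "$1"
}

# Stand-alone demo on a constructed config (placeholder values, not a real host).
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/ubuntu/.local/share/lxc/u1/rootfs
EOF
gid=$(container_root_gid "$demo_config")
echo "container root gid on the host: $gid"
echo "would run: sudo chgrp $gid ~/.local/share/lxc/u1 && chmod 750 ~/.local/share/lxc/u1"
rm -f "$demo_config"
```

Note that an unprivileged user may only change a file's group to one they are a member of, and the host user is normally not a member of the subgid-mapped group, so `secure_container_dir` has to be run as root on the host (for example via sudo). After applying it, `ls -ld ~/.local/share/lxc/u1` should show `drwxr-x---` with owner `ubuntu` and the numeric mapped gid as group, and `lxc-start` should no longer need `o+rx`.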