[lxc-users] Unprivileged container file permissions

Serge Hallyn serge.hallyn at ubuntu.com
Sat May 24 22:04:06 UTC 2014


Quoting Mahmood (mahmood at circleci.com):
> Hi,
> 
> I'm trying to use unprivileged containers that are inaccessible by
> other users in a shared environment.  Setting container path to 550
> seems to block lxc-start.  What are the minimal permissions that I
> need to set on the directory so lxc-start can start successfully?  Any
> pointers for managing subuid permissions?
> 
> Here is my sample commands transcript:
> 
> ```
> ubuntu at ip-10-65-151-126:~$ chmod o-rx .local/share/lxc/u1
> ubuntu at ip-10-65-151-126:~$ ls -lha .local/share/lxc |grep u1
> drwxr-x--- 3 ubuntu ubuntu 4.0K May 23 23:45 u1

chgrp it to the root gid in your container, while keeping it owned
by ubuntu.

Perhaps lxc should be setting it up like that at create...

> ubuntu at ip-10-65-151-126:~$
> ubuntu at ip-10-65-151-126:~$ # Starting a container with no other permission
> ubuntu at ip-10-65-151-126:~$ lxc-start -n u1
> lxc_container: Permission denied - failed to get real path for
> '/home/ubuntu/.local/share/lxc/u1/rootfs'
> lxc_container: failed to mount rootfs
> lxc_container: failed to setup rootfs for 'u1'
> lxc_container: failed to setup the container
> lxc_container: invalid sequence number 1. expected 2
> lxc_container: failed to spawn 'u1'
> ubuntu at ip-10-65-151-126:~$
> ubuntu at ip-10-65-151-126:~$ # Now with other having rx access
> ubuntu at ip-10-65-151-126:~$ chmod o+rx .local/share/lxc/u1
> ubuntu at ip-10-65-151-126:~$ lxc-start -n u1 -d
> ubuntu at ip-10-65-151-126:~$ lxc-attach -n u1
> root at u1:~# It worked
> ```
> 
> Thanks!
> - Mahmood
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
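Serge's suggestion, worked through as an added example (this is not code from the thread or from lxc itself): lxc-start mounts the rootfs after it has entered the container's user namespace, so the directory is traversed as the host uid/gid that the container's id map assigns to container root, which is "other" relative to ubuntu:ubuntu. Giving that mapped gid the group bits with mode 750 (drwxr-x---) lets the container start without opening the directory to everyone else. The script below assumes the container's config carries its gid map as `lxc.id_map = g <nsid> <hostid> <range>` (the key spelling of lxc at the time; later releases spell it `lxc.idmap`) and the sample mapping values in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: restrict an unprivileged
# container's directory to its owner plus the group that container root
# maps to, following Serge Hallyn's suggestion.
#
# Assumptions (not stated on the page): the container config holds lines of
# the form "lxc.id_map = g <nsid> <hostid> <range>" (or "lxc.idmap = ...");
# the mapping values used in any sample config are made up.

set -eu

# Print the host gid that container gid $2 (default 0, container root) maps
# to, according to the gid-map lines in config file $1. Returns 1 if no
# mapping line covers that gid.
container_root_gid() {
    awk -v want="${2:-0}" '
        /^[ \t]*lxc\.id_?map[ \t]*=[ \t]*g[ \t]/ {
            nsid = $(NF-2); hostid = $(NF-1); range = $NF
            if (want >= nsid && want < nsid + range) {
                print hostid + want - nsid
                found = 1
                exit
            }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Keep the directory owned by the invoking user, hand its group to the
# mapped gid, and drop every "other" bit: drwxr-x--- (750).
lock_down_container_dir() {
    chgrp "$2" "$1"
    chmod 750 "$1"
}

# Check that directory $1 has mode drwxr-x--- and numeric group $2, using
# "ls -ldn" so no GNU-only stat flags are needed.
dir_is_locked_down() {
    set -- "$(ls -ldn "$1")" "$2"
    case "$1" in
        drwxr-x---*) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$1" | awk '{print $4}')" = "$2" ]
}

# Usage: sh lockdown.sh ~/.local/share/lxc/u1/config ~/.local/share/lxc/u1
if [ $# -eq 2 ]; then
    gid=$(container_root_gid "$1")
    lock_down_container_dir "$2" "$gid"
    dir_is_locked_down "$2" "$gid" && echo "$2 is now owner:$gid mode 750"
fi
```

One caveat on the chgrp step: chown(2) only lets a file's owner change its group to a group the owner is a member of, and the host user is normally not a member of the subgid range, so for a real container run the chgrp as root (or otherwise as a process whose gid is that mapped gid); the chmod needs no privilege.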
