[lxc-users] unprivileged nesting possible?

Serge Hallyn serge.hallyn at ubuntu.com
Thu Apr 2 20:04:55 UTC 2015


Quoting marvin at nic.fi (marvin at nic.fi):
> Hi,
> 
> I have not yet managed to create an unprivileged container within a
> container (privileged or unprivileged).
> 
> The only nesting I've been able to do, is to create a privileged
> container within a privileged container.
> 
> I've tried this with ubuntu trusty and vivid. Are there some issues
> or is it possible at all?
> 
> I've followed the instructions on the ubuntu wiki page
> https://help.ubuntu.com/lts/serverguide/lxc.html

It's possible and we've done it, but the trick there is that you have
to make sure that the subuids which you allocate to the unprivileged
user in the first container must exist in that container.  So for instance
if you give your first container 0:100000:65536, then your first
container only has the uids 0-65535 available.

So you might try giving your first unprivileged user 0:200000:200000 (so
container uids 0-199999 are mapped to 200000-399999 on the host), and
then give the nested container 0:100000:65536 (so uids 0-65535 in the
nested container map to 100000-165535 in the first level container, which
are 300000-465535 on the host).

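As an added illustration (not part of this thread or of LXC itself), a small Python helper that parses id-map lines of the `container_start:parent_start:count` form used in `lxc.id_map`, composes the two levels, and reports whether the nested range actually exists inside the outer container, which is the condition the reply above describes. The `IdMap`, `compose` and `nest_fits` names are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdMap:
    """One 'ns_start:parent_start:count' line, as in lxc.id_map / /etc/subuid."""
    ns_start: int      # first id as seen inside the child namespace
    parent_start: int  # where that id lands in the parent namespace
    count: int

    @classmethod
    def parse(cls, text: str) -> "IdMap":
        ns, parent, count = (int(x) for x in text.strip().split(":"))
        if count <= 0:
            raise ValueError("id map count must be positive")
        return cls(ns, parent, count)

    def to_parent(self, ns_id: int) -> int:
        """Translate one id from this namespace into the parent namespace."""
        if not self.ns_start <= ns_id < self.ns_start + self.count:
            raise ValueError(f"id {ns_id} is not mapped by {self}")
        return self.parent_start + (ns_id - self.ns_start)

def compose(outer: IdMap, nested: IdMap) -> IdMap:
    """Host-level view of `nested` applied inside the container mapped by `outer`.

    The nested map hands out parent ids parent_start .. parent_start+count-1.
    Every one of them must itself be mapped by `outer`, or the first-level
    container has no such uid to give away and the unprivileged nest fails.
    """
    first = nested.parent_start
    last = nested.parent_start + nested.count - 1
    host_first = outer.to_parent(first)  # raises ValueError if outside outer
    outer.to_parent(last)                # same check for the top of the range
    return IdMap(nested.ns_start, host_first, nested.count)

def nest_fits(outer: IdMap, nested: IdMap) -> bool:
    try:
        compose(outer, nested)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed inputs: the ranges quoted in the reply above.
    ok = compose(IdMap.parse("0:200000:200000"), IdMap.parse("0:100000:65536"))
    print("nested container uids on the host:", ok)
    too_small = IdMap.parse("0:100000:65536")  # first container only has 0-65535
    print("fits in a 65536-wide outer?", nest_fits(too_small, IdMap.parse("0:100000:65536")))
```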
