[lxc-users] Unprivileged container and lxc.network.script.up
Benoit GEORGELIN - Association Web4all
benoit.georgelin at web4all.fr
Mon Aug 31 17:25:29 UTC 2015
unfortunately, it's the only way to allow custom network configuration from an unprivileged exactly how lxc add the network interface into the Ovs switch .
My design is this one , I use openvswitch for the newtorking
log on the system as user : non-root
start your container: lxc-start -n unpriv-ubuntu
- VethXXX is added to the bridge "br-container"
The configuration of the virtual switch is blocking everything BUT what you allow with Openflows rules.
So, to get a working network connection from the new container , I have to add some flows to openvswitch.
The big thing is here, every time you shutdown the container, two things changes all the time :
- veth name (vethxxxxx)
- port number in openvswitch
And, openflows rules are based on ... in_port
This bring a lot of challenges that others people than me will get soon :
- allow root setuid script that can be used by any lxc users to bring up the OpenFlow rules (every time I start a container)
- script the cleanup of vethXXX in openvswitch because LXC add it but is not able to remove it (every time I stop a container)
- script the cleanup of flow rules in openvswitch because the in_port previously used by the vethXXXX has been delete and will not be the same at a new boot. (every time I stop the container)
This can be handle by hand if you start / stop container using the command line lxc tools : lxc-stop, lxc-start
But there is no way a container will have its network back with an init 6 command witch generate a new vethXXXX , a new port AND it leave the other interface UP on the HOST ...
So, I'm not saying there is a simple solution here.. but I think we should make those things much more easier for people who wants to have more complex configuration .
Unprivileged containers are amazing, technology is great , but to me, the work I did for the past two weeks is insane to have a fully working (and secure) LXC environment to brings up containers
Maybe I'm totally wrong, or I'm missing something :)
I don't know how software like Openstack or Proxmox are integrating LXC Unprivileged container but they should talk/share more about it ^^
Regards,
Cordialement,
Benoît Georgelin
De: "Serge Hallyn" <serge.hallyn at ubuntu.com>
À: "lxc-users" <lxc-users at lists.linuxcontainers.org>
Envoyé: Lundi 31 Août 2015 09:39:01
Objet: Re: [lxc-users] Unprivileged container and lxc.network.script.up
Quoting Benoit GEORGELIN - Association Web4all (benoit.georgelin at web4all.fr):
> Hi,
>
> I would like to know if there is an alternative option of lxc.network.script.up with an unprivileged containter.
No. You'll need to start the container as root to do that - else you're
allowing an unprivileged user to specify a script to run as root in the
initial network namespace.
-serge
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150831/a40e255f/attachment.html>
More information about the lxc-users
mailing list