[lxc-users] Convert LXC Guests from privileged to unprivileged
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Dec 3 05:56:41 UTC 2015
Quoting Christoph Willing (chris.willing at iinet.net.au):
> On 12/03/2015 12:40 PM, Mark Chaney wrote:
> >I have an Ubuntu Trusty system with about 10 linux containers on it that
> >were created by root using the normal "lxc-create -t ubuntu -n git".
> >Nothing custom was setup for these guests that I can think of besides
> >the network bridges and a few are mounting a directory from the host
> >like so "lxc.mount.entry = /backups/r1soft backups none bind.rw 0.0". I
> >do see that some of the older containers that were created do have the
> >following in their containername/config files:
> >
> >lxc.cgroup.devices.deny = a
> >lxc.cgroup.devices.allow = c *:* m
> >lxc.cgroup.devices.allow = b *:* m
> >lxc.cgroup.devices.allow = c 1:3 rwm
> >lxc.cgroup.devices.allow = c 1:5 rwm
> >lxc.cgroup.devices.allow = c 5:1 rwm
> >lxc.cgroup.devices.allow = c 5:0 rwm
> >lxc.cgroup.devices.allow = c 1:9 rwm
> >lxc.cgroup.devices.allow = c 1:8 rwm
> >lxc.cgroup.devices.allow = c 136:* rwm
> >lxc.cgroup.devices.allow = c 5:2 rwm
> >lxc.cgroup.devices.allow = c 254:0 rwm
> >lxc.cgroup.devices.allow = c 10:229 rwm
> >lxc.cgroup.devices.allow = c 10:200 rwm
> >lxc.cgroup.devices.allow = c 1:7 rwm
> >lxc.cgroup.devices.allow = c 10:228 rwm
> >lxc.cgroup.devices.allow = c 10:232 rwm
> >
> >But a majority do not and I am not aware of any special cgroup settings
> >that I might have setup.
> >
> >With all of that said, I am wanting to better isolate these containers
> >from the host and was told that doing unprivileged was the way to go. A
> >couple quick questions:
> >
> >1) With all the information posted above, do you foresee any issues with
> >them running as unprivileged?
> >2) How can I easily convert them to unprivileged containers (I have
> >installed LXD, but done nothing else)
>
> After setting up appropriate /etc/{subuid,subgid}, I've been using
> uidmapshift from
> http://bazaar.launchpad.net/%7Eserge-hallyn/+junk/nsexec/files on
> the stopped container. Then move the container directory from out of
> /var/lib/lxc into ~/.local/share/lxc/. There are some ownerships &
> permissions to change for the container directory and its config
> file; also the config file's lxc.rootfs entry needs updating to the
> new location. Seems to work OK as unprivileged after that.
fwiw lxd also ships with 'fuidshift' which has the same functionality.
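The conversion Christoph describes, as an added example script that is not part of the list thread. Constructed assumptions: the container is stopped, the unprivileged owner already has a `<user>:100000:65536` entry in /etc/subuid and /etc/subgid and an existing ~/.local/share/lxc, uidmapshift (from the nsexec branch linked above) is on PATH, and the uidmapshift/fuidshift invocation syntax shown is assumed rather than taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the list post. Assumes the container is stopped,
# the owner's /etc/subuid and /etc/subgid entry is <user>:100000:65536, and
# ~/.local/share/lxc already exists for that user.
set -eu

BASE=100000   # first host id of the user's sub{u,g}id range
RANGE=65536   # number of ids in that range

# Point lxc.rootfs at the new location and declare the id map.
# $1 config file, $2 new rootfs path, $3 base id, $4 range
rewrite_config() {
    _tmp=$(mktemp)
    # drop stale lxc.id_map lines so they are not duplicated, then rewrite lxc.rootfs
    grep -v '^lxc.id_map' "$1" | sed "s|^lxc.rootfs *=.*|lxc.rootfs = $2|" > "$_tmp"
    printf 'lxc.id_map = u 0 %s %s\nlxc.id_map = g 0 %s %s\n' "$3" "$4" "$3" "$4" >> "$_tmp"
    cat "$_tmp" > "$1"
    rm -f "$_tmp"
}

# Convert /var/lib/lxc/<name> into an unprivileged container owned by <user>.
# $1 container name, $2 login name of the unprivileged owner
convert_container() {
    _src=/var/lib/lxc/$1
    _home=$(getent passwd "$2" | cut -d: -f6)
    _dst=$_home/.local/share/lxc/$1
    [ -n "$_home" ] && [ -d "$_src/rootfs" ] || { echo "bad user or rootfs" >&2; return 1; }
    # 1. shift every uid/gid in the rootfs: 0 -> BASE, 1 -> BASE+1, ... up to RANGE
    #    (with LXD installed, 'fuidshift "$_src/rootfs" b:0:$BASE:$RANGE' is the
    #    equivalent; both invocation syntaxes are assumptions in this example)
    uidmapshift -b "$_src/rootfs" 0 "$BASE" "$RANGE"
    # 2. move the container directory out of /var/lib/lxc into the user's lxc path
    mv "$_src" "$_dst"
    # 3. the container directory and config belong to the unprivileged user;
    #    the rootfs directory itself belongs to the mapped root (BASE)
    chown "$2:$2" "$_dst" "$_dst/config"
    chown "$BASE:$BASE" "$_dst/rootfs"
    # 4. fix lxc.rootfs and add the lxc.id_map lines an unprivileged start needs
    rewrite_config "$_dst/config" "$_dst/rootfs" "$BASE" "$RANGE"
}

# The destructive steps only run when asked for explicitly, e.g.:
#   sudo ./convert.sh --convert git lxcuser
if [ "${1:-}" = "--convert" ]; then
    convert_container "$2" "$3"
fi
```

Host directories bind-mounted into the container (like the /backups/r1soft entry quoted above) are not touched by the shift, so inside the converted container they appear owned by nobody/nogroup unless their ownership on the host is adjusted to the mapped range as well.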