[lxc-users] Convert LXC Guests from privileged to unprivileged

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Dec 3 08:11:17 UTC 2015


> fwiw lxd also ships with 'fuidshift' which has the same functionality.

After a quick glance over the code I only see it handling file ownership.
What about ACLs? (And perhaps other extra attributes I'm unaware of.)

I was thinking the most "complete" conversion happens when you tar up the
container in one namespace, with -p --acls --numeric-owner --xattrs etc.
and then untar it in the other namespace. This however fails to extract
device nodes into user namespaces... ;-/

(Offtopic: I'm still puzzled by the fact that mknod doesn't work in a
user namespace. There's a capability for _just_ _that_ after all, and
there's the devices cgroup. I'd much rather have a rule that a non-zero
user starting a userns doesn't gain CAP_SYS_MKNOD unless it's already
there.)
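
The ACL gap raised above, shown as an added example that is not part of the original message and is not fuidshift's code: named-user and named-group ids stored in the `system.posix_acl_access` / `system.posix_acl_default` xattrs need the same offset as file ownership. The function name, the 100000 offset, the 65536 id range and the sample ACL are assumptions made for illustration.

```python
import struct

# Layout of system.posix_acl_access / system.posix_acl_default values
# (Linux posix_acl_xattr): le32 version header, then 8-byte entries.
ACL_XATTR_VERSION = 2
ACL_USER, ACL_GROUP = 0x02, 0x08    # only these tags carry a real uid/gid
HEADER = struct.Struct("<I")
ENTRY = struct.Struct("<HHI")        # e_tag, e_perm, e_id


def shift_posix_acl(blob, uid_offset, gid_offset, id_range=65536):
    """Return the ACL xattr value with named user/group ids shifted.

    Hypothetical helper. Raises ValueError on a malformed blob or an id
    outside [0, id_range), so a bad entry is never silently mapped onto
    an unrelated host id.
    """
    if len(blob) < HEADER.size or (len(blob) - HEADER.size) % ENTRY.size:
        raise ValueError("truncated ACL xattr")
    (version,) = HEADER.unpack_from(blob, 0)
    if version != ACL_XATTR_VERSION:
        raise ValueError(f"unsupported ACL xattr version {version}")
    out = bytearray(blob[:HEADER.size])
    for tag, perm, eid in ENTRY.iter_unpack(blob[HEADER.size:]):
        if tag in (ACL_USER, ACL_GROUP):
            if eid >= id_range:
                raise ValueError(f"id {eid} outside container range")
            eid += uid_offset if tag == ACL_USER else gid_offset
        # USER_OBJ, GROUP_OBJ, MASK and OTHER keep their undefined id as-is.
        out += ENTRY.pack(tag, perm, eid)
    return bytes(out)


# Constructed sample ACL:
# user::rwx, user:1000:rw-, group::r-x, group:33:r--, mask::rwx, other::---
UNDEF = 0xFFFFFFFF
SAMPLE = HEADER.pack(ACL_XATTR_VERSION) + b"".join(ENTRY.pack(*e) for e in [
    (0x01, 7, UNDEF), (0x02, 6, 1000), (0x04, 5, UNDEF),
    (0x08, 4, 33), (0x10, 7, UNDEF), (0x20, 0, UNDEF)])

if __name__ == "__main__":
    shifted = shift_posix_acl(SAMPLE, 100000, 100000)
    for tag, perm, eid in ENTRY.iter_unpack(shifted[HEADER.size:]):
        print(f"tag={tag:#04x} perm={perm} id={eid}")
```

On a real rootfs the value would be read and written back per file with `os.getxattr` / `os.setxattr` (with `follow_symlinks=False`) from the host's initial namespace, where the stored ids are seen unmapped.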


