[lxc-users] Convert LXC Guests from privileged to unprivileged

Serge Hallyn serge.hallyn at ubuntu.com
Thu Dec 3 16:56:37 UTC 2015


Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> > fwiw lxd also ships with 'fuidshift' which has the same functionality.
> 
> After a quick glance over the code I only see it handling file ownership.
> What about ACLs? (And perhaps other extra attributes I'm unaware of.)

Good point.  Patch for lxd's fuidshift appreciated :)

> I was thinking the most "complete" conversion happens when you tar up the
> container in one namespace, with -p --acls --numeric-owner --xattrs etc.
> and then untar it in the other namespace. This however fails to extract
> device nodes into user namespaces... ;-/
> 
> (Off-topic: I'm still puzzled by the fact that mknod doesn't work in a
> user namespace. There's a capability for _just_ _that_ after all, and

Capabilities are targeted at a user namespace, while devices are always
owned by the initial user namespace.  (Or put another way that Greg will
appreciate, devices are not namespaced, and "never will be")

So that capability is basically worthless in a userns.

> there's the devices cgroup. I'd much rather have a rule that a non-zero

Devices cgroup was supposed to be a short-term hack until devices namespace
came around.  It's not a device ns in itself.  (Then it was decreed that
devices ns won't happen, so we still have the devices cgroup)

> user starting a userns doesn't gain CAP_SYS_MKNOD unless it's already
> there.)
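As an added illustration of the ACL point raised in the thread (this is example code written for this page, not lxd's fuidshift or anything from the original message): a shifter that moves the owner/group of every inode into the container's subordinate id range and also rewrites the uid/gid qualifiers stored inside the POSIX ACL xattrs, which a plain chown-based pass leaves pointing at the old host ids. The range layout (host 0..65535 onto 100000..165535) and the passthrough of ids outside that range are assumptions of this example.

```python
import os
import struct

# Layout of system.posix_acl_access / system.posix_acl_default values
# (include/uapi/linux/posix_acl_xattr.h): le32 version header, then
# 8-byte entries of le16 tag, le16 perm, le32 id.
POSIX_ACL_XATTR_VERSION = 0x0002
ACL_USER, ACL_GROUP = 0x02, 0x08    # the only tags whose id is a uid/gid
ACL_UNDEFINED_ID = 0xFFFFFFFF       # id field of owner/group/mask/other
ENTRY = struct.Struct("<HHI")

def make_shifter(host_start, ns_start, count):
    """Map host ids in [host_start, host_start + count) onto ns_start...;
    ids outside the range pass through (our choice; keeps re-runs harmless)."""
    def shift(xid):
        if host_start <= xid < host_start + count:
            return xid - host_start + ns_start
        return xid
    return shift

def shift_acl_blob(blob, shift):
    """Shift the named-user/named-group qualifiers in a raw ACL xattr value."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != POSIX_ACL_XATTR_VERSION or (len(blob) - 4) % ENTRY.size:
        raise ValueError("not a version-2 POSIX ACL xattr value")
    out = bytearray(blob[:4])
    for off in range(4, len(blob), ENTRY.size):
        tag, perm, xid = ENTRY.unpack_from(blob, off)
        if tag in (ACL_USER, ACL_GROUP) and xid != ACL_UNDEFINED_ID:
            xid = shift(xid)            # owner/group/mask/other are copied
        out += ENTRY.pack(tag, perm, xid)
    return bytes(out)

def shift_tree(root, shift):
    """Shift owner, group and ACL qualifiers of every inode under root
    (run as root in the initial namespace on a stopped container rootfs)."""
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked dirs, so pick them up here
        names = filenames + [d for d in dirnames
                             if os.path.islink(os.path.join(dirpath, d))]
        for path in [dirpath] + [os.path.join(dirpath, n) for n in names]:
            st = os.lstat(path)
            os.lchown(path, shift(st.st_uid), shift(st.st_gid))
            if os.path.islink(path):
                continue                      # symlinks carry no ACLs
            for attr in ("system.posix_acl_access", "system.posix_acl_default"):
                try:
                    blob = os.getxattr(path, attr)
                except OSError:               # ENODATA or ENOTSUP: nothing to do
                    continue
                os.setxattr(path, attr, shift_acl_blob(blob, shift))
```

Device nodes that already exist in the tree are ordinary inodes to this pass, so it sidesteps the mknod problem that the tar-and-untar route runs into.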

