[lxc-users] Unprivileged containers on Debian Jessie
Xavier Gendre
gendre.reivax at gmail.com
Wed Feb 4 09:34:07 UTC 2015
Hi,
following the hints given by Serge Hallyn on the lxc-devel list, I
managed to run an unprivileged container on my Debian Jessie \o/
Now, I want to avoid handlings and get it works on startup. Thus, I set
permanently kernel.unprivileged_userns_clone to 1 and I create a systemd
service to run the following script:
#!/bin/bash
echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
# Allowed users
lxc_users="user1 user2"
for u in $lxc_users; do
for d in /sys/fs/cgroup/*; do
mkdir -p $d/$u
chown -R $u: $d/$u
done
done
The only thing that I need now is to put a 'good' PID in the tasks files
in order to be allowed to start my unprivileged containers. I can do
that by login as an allowed user and by putting the PID of the current
shell in my tasks file. But this solution is volatile and has to be done
on each startup for each container :-/
Is my approach good? Maybe there is a simpler solution to my problem...
If this is the way, how can I put a valid PID in the tasks files of the
allowed users on startup in order, for example, to autostart some
unprivileged containers?
Thanks,
Xavier
More information about the lxc-users
mailing list