[lxc-users] Unprivileged containers on Debian Jessie

Xavier Gendre gendre.reivax at gmail.com
Wed Feb 4 09:34:07 UTC 2015


Hi,

following the hints given by Serge Hallyn on the lxc-devel list, I 
managed to run an unprivileged container on my Debian Jessie \o/

Now, I want to avoid manual handling and get it working on startup. Thus, I set 
kernel.unprivileged_userns_clone to 1 permanently and I create a systemd 
service to run the following script:

#!/bin/bash

# Let new cpuset cgroups inherit cpus/mems from their parent
echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children

# Allowed users
lxc_users="user1 user2"

# Give each allowed user his own cgroup in every mounted controller
for u in $lxc_users; do
   for d in /sys/fs/cgroup/*; do
     mkdir -p "$d/$u"
     chown -R "$u": "$d/$u"
   done
done

The only thing that I need now is to put a 'good' PID in the tasks files 
in order to be allowed to start my unprivileged containers. I can do 
that by logging in as an allowed user and by putting the PID of the current 
shell in my tasks file. But this solution is volatile and has to be done 
on each startup for each container :-/

Is my approach good? Maybe there is a simpler solution to my problem... 
If this is the way, how can I put a valid PID in the tasks files of the 
allowed users on startup in order, for example, to autostart some 
unprivileged containers?

Thanks,
Xavier


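The per-user cgroup setup described in the post, as an added example that is not part of the original message or of LXC itself. The base directory is a parameter (on a real host it would be /sys/fs/cgroup, as in the post) so the functions can be exercised against a scratch tree, and a verify function reports any controller where a user's cgroup is missing or not owned by that user, which is the check one would want before a systemd unit relies on it. The function names, the --run flag and the user names user1/user2 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: create <controller>/<user>
# under every cgroup controller mounted below a base directory, hand it
# to the user, and verify the result. Functions take the base directory
# as their first argument; on a real host pass /sys/fs/cgroup.
set -u

# Make new cpuset cgroups inherit cpus/mems from their parent (the
# "echo 1 > cpuset/cgroup.clone_children" step of the post). Skipped
# silently when the file is absent, e.g. in a scratch tree.
enable_cpuset_clone_children() {
    f="$1/cpuset/cgroup.clone_children"
    [ -w "$f" ] && echo 1 > "$f"
    return 0
}

# Create the per-user cgroup in every controller and chown it to the user.
# Usage: setup_user_cgroups BASE USER...
setup_user_cgroups() {
    base=$1; shift
    for u in "$@"; do
        for d in "$base"/*/; do
            d=${d%/}
            [ -d "$d" ] || continue            # unmatched glob or a plain file
            mkdir -p "$d/$u" || return 1
            chown -R "$u": "$d/$u" || return 1
        done
    done
    return 0
}

# Print one line per controller where the user's cgroup is missing or
# owned by someone else; return 1 if anything was wrong, 0 otherwise.
# Usage: verify_user_cgroups BASE USER...
verify_user_cgroups() {
    base=$1; shift
    rc=0
    for u in "$@"; do
        for d in "$base"/*/; do
            d=${d%/}
            [ -d "$d" ] || continue
            if [ ! -d "$d/$u" ]; then
                echo "missing: $d/$u"
                rc=1
                continue
            fi
            owner=$(stat -c %U "$d/$u")
            if [ "$owner" != "$u" ]; then
                echo "wrong owner ($owner): $d/$u"
                rc=1
            fi
        done
    done
    return $rc
}

# Real host run (needs root), mirroring the script in the post.
if [ "${1:-}" = "--run" ]; then
    enable_cpuset_clone_children /sys/fs/cgroup
    setup_user_cgroups /sys/fs/cgroup user1 user2
    verify_user_cgroups /sys/fs/cgroup user1 user2
fi
```

Run it as `sh script.sh --run` from the systemd unit; the exit status of verify_user_cgroups tells the unit whether the tree is usable by the listed users.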