[lxc-users] Unprivileged containers on Debian Jessie

Serge Hallyn serge.hallyn at ubuntu.com
Thu Feb 5 15:56:40 UTC 2015


Quoting Xavier Gendre (gendre.reivax at gmail.com):
> Hi,
> 
> following the hints given by Serge Hallyn on the lxc-devel list, I
> managed to run an unprivileged container on my Debian Jessie \o/
> 
> Now, I want to avoid manual handling and get it to work on startup. Thus, I
> permanently set kernel.unprivileged_userns_clone to 1 and I create a
> systemd service to run the following script:
> 
> #!/bin/bash
> 
> # Let new cpuset cgroups inherit cpus/mems from their parent
> echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
> 
> # Allowed users (word-split on purpose)
> lxc_users="user1 user2"
> 
> # Give each allowed user its own cgroup under every controller hierarchy
> for u in $lxc_users; do
>   for d in /sys/fs/cgroup/*; do
>     mkdir -p "$d/$u"
>     chown -R "$u:" "$d/$u"
>   done
> done
> 
> The only thing that I need now is to put a 'good' PID in the tasks
> files in order to be allowed to start my unprivileged containers. I
> can do that by logging in as an allowed user and by putting the PID of
> the current shell in my tasks file. But this solution is volatile
> and has to be done on each startup for each container :-/

No, it only needs to be done at login, right? You've already chowned
the cgroups to your user, so you should be able to just do it from
your .bashrc or equivalent. Or, you could whip up a quick PAM module
to do it.

> Is my approach good? Maybe there is a simpler solution to my
> problem... If this is the way, how can I put a valid PID in the
> tasks files of the allowed users on startup in order, for example,
> to autostart some unprivileged containers?
> 
> Thanks,
> Xavier
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
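An added example, not code from either poster, of the login-time step the reply describes: moving the current shell into the caller's own cgroup under every controller, as would be done from .bashrc. It assumes the cgroup v1 layout of the quoted script (one `tasks` file per cgroup, user-owned directories already created) and takes the cgroup root as a parameter so it can be exercised on a scratch directory instead of /sys/fs/cgroup.

```shell
# enter_user_cgroups ROOT USER [PID]
# Writes PID (default: the calling shell, $$) into ROOT/<controller>/USER/tasks
# for every controller hierarchy under ROOT, then reads it back to confirm the
# move took effect. Prints the number of hierarchies successfully entered.
# Hierarchies whose per-user cgroup is missing or not writable (e.g. one the
# root-run setup script skipped) are left alone rather than breaking the login.
enter_user_cgroups() {
  local root="$1" user="$2" pid="${3:-$$}"
  local moved=0 d tasks
  for d in "$root"/*/; do
    d="${d%/}"
    tasks="$d/$user/tasks"
    [ -w "$tasks" ] || continue
    # On a real cgroup v1 mount this asks the kernel to move the task; on a
    # scratch tree it is just a file write. Either way the PID must be readable
    # back from the tasks file afterwards.
    if echo "$pid" > "$tasks" 2>/dev/null && grep -qx "$pid" "$tasks"; then
      moved=$((moved + 1))
    fi
  done
  echo "$moved"
}
```

In a real .bashrc the call would be `enter_user_cgroups /sys/fs/cgroup "$USER"`; its result can be cross-checked against /proc/self/cgroup.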
