[lxc-users] Unprivileged containers on Debian Jessie

Serge Hallyn serge.hallyn at ubuntu.com
Mon Feb 9 17:29:51 UTC 2015 

Quoting Xavier Gendre (gendre.reivax at gmail.com):
> Thanks for your answer. Indeed, it only needs to be done at login
> and this is my problem. Your solutions work well but all need to
> login at least one time for each user with unprivileged containers.
> 
> I admit that my question was not clear :-° My goal is to autostart
> the unprivileged containers when the machine starts, i.e. before any
> user can login.
> 
> I have seen solutions based cgm with Ubuntu on internet, maybe it
> works on Debian Jessie too... I have to try harder or change to
> Ubuntu server ;-)

Hm, if you want to autostart unprivileged containers then
switching to ubuntu still may not help.  On my (ubuntu trusty)
server I do autostart userns containers, but they are owned/started
by root, with lxc.id_map entries.  That way root has the rights
to create its cgroups, as well as (more importantly for me) mount
rootfs from lvm devices.

> Xavier
> 
> Le 05/02/2015 16:56, Serge Hallyn a écrit :
> >Quoting Xavier Gendre (gendre.reivax at gmail.com):
> >>Hi,
> >>
> >>following the hints given by Serge Hallyn on the lxc-devel list, I
> >>managed to run an unprivileged container on my Debian Jessie \o/
> >>
> >>Now, I want to avoid handlings and get it works on startup. Thus, I
> >>set permanently kernel.unprivileged_userns_clone to 1 and I create a
> >>systemd service to run the following script:
> >>
> >>#!/bin/bash
> >>
> >>echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
> >>
> >># Allowed users
> >>lxc_users="user1 user2"
> >>
> >>for u in $lxc_users; do
> >>   for d in /sys/fs/cgroup/*; do
> >>     mkdir -p $d/$u
> >>     chown -R $u: $d/$u
> >>   done
> >>done
> >>
> >>The only thing that I need now is to put a 'good' PID in the tasks
> >>files in order to be allowed to start my unprivileged containers. I
> >>can do that by login as an allowed user and by putting the PID of
> >>the current shell in my tasks file. But this solution is volatile
> >>and has to be done on each startup for each container :-/
> >
> >No, it only needs to be done at login right?  You've already chowned
> >the cgroups to your user, so you should be able to just do it from
> >your .bashrc or equivalent.  Or, you could whip up a quick pam module
> >to do it.
> >
> >>Is my approach good? Maybe there is a simpler solution to my
> >>problem... If this is the way, how can I put a valid PID in the
> >>tasks files of the allowed users on startup in order, for example,
> >>to autostart some unprivileged containers?
> >>
> >>Thanks,
> >>Xavier
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

More information about the lxc-users mailing list