[lxc-users] Unprivileged containers on Debian Jessie
Xavier Gendre
gendre.reivax at gmail.com
Tue Feb 17 10:08:05 UTC 2015
Hi Serge,
I made some attempts with Ubuntu 14.04 and you are right, this does not make
things easier. Thus, I came back to Debian Jessie and I have written a
small tool to automate the configuration tweaks, create the useful
cgroups and autostart the unprivileged containers on boot.
This is a very basic script but it does the job for what I need and I
think this is sufficient for classical use.
To remain in the maritime vocabulary, I called it Mithlond and it can be
downloaded from GitHub:
https://github.com/Meseira/mithlond
I hope this can help.
Xavier
On 09/02/2015 18:29, Serge Hallyn wrote:
> Quoting Xavier Gendre (gendre.reivax at gmail.com):
>> Thanks for your answer. Indeed, it only needs to be done at login
>> and this is my problem. Your solutions work well but all need to
>> login at least one time for each user with unprivileged containers.
>>
>> I admit that my question was not clear :-° My goal is to autostart
>> the unprivileged containers when the machine starts, i.e. before any
>> user can login.
>>
>> I have seen solutions based on cgm with Ubuntu on internet, maybe it
>> works on Debian Jessie too... I have to try harder or change to
>> Ubuntu server ;-)
>
> Hm, if you want to autostart unprivileged containers then
> switching to ubuntu still may not help. On my (ubuntu trusty)
> server I do autostart userns containers, but they are owned/started
> by root, with lxc.id_map entries. That way root has the rights
> to create its cgroups, as well as (more importantly for me) mount
> rootfs from lvm devices.
>
>> Xavier
>>
>> On 05/02/2015 16:56, Serge Hallyn wrote:
>>> Quoting Xavier Gendre (gendre.reivax at gmail.com):
>>>> Hi,
>>>>
>>>> following the hints given by Serge Hallyn on the lxc-devel list, I
>>>> managed to run an unprivileged container on my Debian Jessie \o/
>>>>
>>>> Now, I want to avoid manual handling and get it working on startup. Thus, I
>>>> set permanently kernel.unprivileged_userns_clone to 1 and I create a
>>>> systemd service to run the following script:
>>>>
>>>> #!/bin/bash
>>>>
>>>> echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
>>>>
>>>> # Allowed users
>>>> lxc_users="user1 user2"
>>>>
>>>> for u in $lxc_users; do
>>>>     for d in /sys/fs/cgroup/*; do
>>>>         mkdir -p "$d/$u"
>>>>         chown -R "$u": "$d/$u"
>>>>     done
>>>> done
>>>>
>>>> The only thing that I need now is to put a 'good' PID in the tasks
>>>> files in order to be allowed to start my unprivileged containers. I
>>>> can do that by login as an allowed user and by putting the PID of
>>>> the current shell in my tasks file. But this solution is volatile
>>>> and has to be done on each startup for each container :-/
>>>
>>> No, it only needs to be done at login right? You've already chowned
>>> the cgroups to your user, so you should be able to just do it from
>>> your .bashrc or equivalent. Or, you could whip up a quick pam module
>>> to do it.
>>>
>>>> Is my approach good? Maybe there is a simpler solution to my
>>>> problem... If this is the way, how can I put a valid PID in the
>>>> tasks files of the allowed users on startup in order, for example,
>>>> to autostart some unprivileged containers?
>>>>
>>>> Thanks,
>>>> Xavier
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
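The two halves discussed in this thread, boot-time delegation of per-user cgroups by root and login-time placement of a PID into them, as an added shell example that is neither Mithlond nor any script posted in the thread. It assumes the cgroup v1 directory-per-controller layout from Xavier's script; CGROUP_ROOT and the function names are chosen here, and CGROUP_ROOT can be pointed at a scratch directory to exercise the logic without touching the real cgroup tree.

```shell
#!/bin/bash
# Added example, not the poster's Mithlond script. Assumes the cgroup v1
# layout from the thread: one directory per controller under CGROUP_ROOT,
# each with a writable "tasks" file once the user owns the sub-cgroup.
# CGROUP_ROOT can be pointed at a scratch directory for testing.
set -u
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Boot time, run as root: create and hand over one sub-cgroup per allowed
# user in every controller. chown -R is needed because cgroupfs populates
# a new directory with root-owned control files (tasks, cgroup.procs, ...).
# An unknown user name makes chown fail, so nothing is left half-delegated.
create_user_cgroups() {
    local user="$1" d
    for d in "$CGROUP_ROOT"/*/; do
        [ -d "$d" ] || continue
        mkdir -p "${d}${user}" || return 1
        chown -R "$user" "${d}${user}" || return 1
    done
}

# Login time, run as the user (e.g. from .bashrc or a PAM hook, as Serge
# suggests): move a PID into the user's sub-cgroup in every controller.
# Rejects non-numeric PIDs and refuses to write into a cgroup the caller
# does not own, so a user cannot be steered into someone else's cgroup.
move_pid_to_user_cgroups() {
    local user="$1" pid="$2" d
    case "$pid" in ''|*[!0-9]*) echo "bad pid: $pid" >&2; return 1;; esac
    for d in "$CGROUP_ROOT"/*/"$user"; do
        [ -d "$d" ] || continue
        [ -O "$d" ] || { echo "not owner of $d" >&2; return 1; }
        echo "$pid" > "$d/tasks" || return 1
    done
}

# Verification: true only if the PID is listed in the user's tasks file of
# every controller, which is the state the thread says is needed before
# the user can start an unprivileged container.
pid_in_user_cgroups() {
    local user="$1" pid="$2" d found=0
    for d in "$CGROUP_ROOT"/*/"$user"; do
        [ -d "$d" ] || continue
        grep -qx "$pid" "$d/tasks" 2>/dev/null || return 1
        found=1
    done
    [ "$found" -eq 1 ]
}
```

Running create_user_cgroups from a systemd unit and move_pid_to_user_cgroups with $$ from the user's shell startup file reproduces the sequence Serge describes, with the ownership check guarding the login-time half.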