[lxc-users] Unprivileged containers on Debian Jessie

Serge Hallyn serge.hallyn at ubuntu.com
Tue Feb 17 14:53:04 UTC 2015


Cool, thanks, that is very nicely done :)

I'll leave it to you and Stéphane to decide whether this ought to be
integrated with the config scripts shipped in lxc or not.  The
way you have it set up doesn't appear to lose any of the protections
for the host from the unprivileged users, so I'd be all for it.

Quoting Xavier Gendre (gendre.reivax at gmail.com):
> Hi Serge,
> 
> I did some tries with Ubuntu 14.04 and you are right, this does not
> make things easier. Thus, I came back to Debian Jessie and I have
> written a small tool to automate the configuration tweaks, create
> the useful cgroups and autostart the unprivileged containers on
> boot.
> 
> This is a very basic script but it does the job for what I need and
> I think this is sufficient for classical use.
> 
> To remain in the maritime vocabulary, I called it Mithlond and it
> can be downloaded from GitHub:
> 
> https://github.com/Meseira/mithlond
> 
> I hope this can help.
> 
> Xavier
> 
> Le 09/02/2015 18:29, Serge Hallyn a écrit :
> >Quoting Xavier Gendre (gendre.reivax at gmail.com):
> >>Thanks for your answer. Indeed, it only needs to be done at login
> >>and this is my problem. Your solutions work well but all need to
> >>login at least one time for each user with unprivileged containers.
> >>
> >>I admit that my question was not clear :-° My goal is to autostart
> >>the unprivileged containers when the machine starts, i.e. before any
> >>user can login.
> >>
> >>I have seen solutions based on cgm with Ubuntu on the internet, maybe it
> >>works on Debian Jessie too... I have to try harder or change to
> >>Ubuntu server ;-)
> >
> >Hm, if you want to autostart unprivileged containers then
> >switching to ubuntu still may not help.  On my (ubuntu trusty)
> >server I do autostart userns containers, but they are owned/started
> >by root, with lxc.id_map entries.  That way root has the rights
> >to create its cgroups, as well as (more importantly for me) mount
> >rootfs from lvm devices.
> >
> >>Xavier
> >>
> >>Le 05/02/2015 16:56, Serge Hallyn a écrit :
> >>>Quoting Xavier Gendre (gendre.reivax at gmail.com):
> >>>>Hi,
> >>>>
> >>>>following the hints given by Serge Hallyn on the lxc-devel list, I
> >>>>managed to run an unprivileged container on my Debian Jessie \o/
> >>>>
> >>>>Now, I want to avoid manual handling and get it working on startup. Thus, I
> >>>>set permanently kernel.unprivileged_userns_clone to 1 and I create a
> >>>>systemd service to run the following script:
> >>>>
> >>>>#!/bin/bash
> >>>>
> >>>># Let newly created cpuset cgroups inherit cpus/mems from their parent
> >>>>echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
> >>>>
> >>>># Allowed users
> >>>>lxc_users="user1 user2"
> >>>>
> >>>># Give each allowed user an own sub-cgroup in every mounted hierarchy
> >>>>for u in $lxc_users; do
> >>>>   for d in /sys/fs/cgroup/*; do
> >>>>     mkdir -p "$d/$u"
> >>>>     chown -R "$u": "$d/$u"
> >>>>   done
> >>>>done
> >>>>
> >>>>The only thing that I need now is to put a 'good' PID in the tasks
> >>>>files in order to be allowed to start my unprivileged containers. I
> >>>>can do that by logging in as an allowed user and by putting the PID of
> >>>>the current shell in my tasks file. But this solution is volatile
> >>>>and has to be done on each startup for each container :-/
> >>>
> >>>No, it only needs to be done at login right?  You've already chowned
> >>>the cgroups to your user, so you should be able to just do it from
> >>>your .bashrc or equivalent.  Or, you could whip up a quick pam module
> >>>to do it.
> >>>
> >>>>Is my approach good? Maybe there is a simpler solution to my
> >>>>problem... If this is the way, how can I put a valid PID in the
> >>>>tasks files of the allowed users on startup in order, for example,
> >>>>to autostart some unprivileged containers?
> >>>>
> >>>>Thanks,
> >>>>Xavier
> >>_______________________________________________
> >>lxc-users mailing list
> >>lxc-users at lists.linuxcontainers.org
> >>http://lists.linuxcontainers.org/listinfo/lxc-users
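The two steps the thread circles around (chowning a per-user sub-cgroup in every hierarchy at boot, then placing a PID owned by that user into it so that user's lxc commands can create cgroups beneath it) are shown below as one script. This is an added example, not the script quoted above and not part of Mithlond; it assumes a cgroup v1 layout under /sys/fs/cgroup, and the CGROUP_ROOT override is a hypothetical knob so the functions can be exercised against a scratch directory. Only the user's own subdirectory is handed over, never the controller root, and the PID is checked against the user's uid before it is moved, so a root-run hook cannot be used to drag another account's process into the subtree.

```shell
#!/bin/bash
# Added example (not the script quoted in the thread, not part of Mithlond):
# per-user cgroup v1 preparation written as shell functions so the same logic
# can run from a boot-time unit (setup) and from a login hook (enter).
# CGROUP_ROOT is a hypothetical override for trying the functions against a
# scratch directory instead of the real /sys/fs/cgroup.

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Create and hand over $1's sub-cgroup in every mounted hierarchy. Only the
# user's own subdirectory is chowned, never the controller root, so the user
# can manage its containers' cgroups without touching anyone else's.
setup_user_cgroups() {
    user="$1"
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    rc=0
    for d in "$CGROUP_ROOT"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        # Let new children inherit cpuset.cpus/cpuset.mems from the parent
        # (only the cpuset hierarchy honours this); without it a fresh cpuset
        # cgroup refuses to accept any task.
        if [ -w "$d/cgroup.clone_children" ]; then
            echo 1 > "$d/cgroup.clone_children" || rc=1
        fi
        mkdir -p "$d/$user" || { rc=1; continue; }
        chown -R "$user": "$d/$user" || rc=1
    done
    return "$rc"
}

# Attach PID $2 to $1's sub-cgroup in every hierarchy: the "good PID" step
# from the thread. A process already inside the user's subtree lets the
# user's lxc commands create their containers' cgroups beneath it.
# The PID must be owned by that user, so a hook running as root cannot be
# tricked into moving some other account's process into this subtree.
enter_user_cgroups() {
    user="$1"; pid="$2"
    want_uid=$(id -u "$user" 2>/dev/null) || return 1
    # Real uid of the process, read from /proc so long usernames are not an issue.
    have_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    if [ -z "$have_uid" ] || [ "$have_uid" != "$want_uid" ]; then
        echo "pid $pid does not exist or is not owned by $user" >&2
        return 1
    fi
    rc=0
    for d in "$CGROUP_ROOT"/*/; do
        d="${d%/}"
        [ -d "$d/$user" ] || { rc=1; continue; }
        echo "$pid" > "$d/$user/tasks" || rc=1
    done
    return "$rc"
}

# Usage: as root at boot, "setup user1 user2 ..."; from a login hook or the
# user's .bashrc (as suggested in the thread), "enter <user> $$".
case "${1:-}" in
    setup) shift; for u in "$@"; do setup_user_cgroups "$u"; done ;;
    enter) enter_user_cgroups "$2" "$3" ;;
esac
```

Running `setup` once from a systemd unit at boot replaces the quoted script, and `enter` is the piece that still has to happen from a login hook or a service that runs as the container owner, since only a process owned by that user is accepted.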
