[lxc-users] Does lxc-execute work with unprivileged containers?

Patrick Toomey patrick.toomey at github.com
Wed Feb 25 22:46:55 UTC 2015


I was wanting to experiment with the idea of running throw-away processes
in a low privilege container. In general, I'd want to run something like
this:

    lxc-execute -n test1 -f test.conf --lxcpath=/home/my_user/containers /bin/bash

test.conf contains the unprivileged ID mapping:

    lxc.id_map = u 0 100000 65536
    lxc.id_map = g 0 100000 65536

and I have my subordinate ID mapping set up in /etc/subuid:

    my_user:100000:65536

and /etc/subgid:

    my_user:100000:65536

when I run lxc-execute I do get a new bash instance, but it is running as
uid/gid 0 in the new namespace.  And when I do an ls -l on my home
directory I see:

    ls -l
        total 6224
        -rwxrwxr-x  1 nobody nogroup   13832 Feb 12 17:24 test1.txt
        drwxr-xr-x  6 nobody nogroup    4096 Feb  9 10:11 test2.txt

I would have expected that uid/gid mapping to effectively map all container
uids/gids to my host's "my_user" uid/gid. In effect, no matter what uid I
had inside the container it would have the access granted to "my_user".
So, I'm confused by:

1) Why is bash uid 0 in the container? Since I mapped the container uid
0-65536 to host uid 100000-165536 I would have expected my host uid (1000)
to then map to the container 101000. And, then I would have expected the
subordinate entry to map that to my_user.

2) Why are my home directory files listed as being owned by nobody? I've
seen that when playing with user namespaces (directly calling
CLONE_NEWUSER) when you have no mapping configured in /proc/uid/uid_map.
But, I checked the uid_map of the container process and it all seems to be
set up correctly.

I've tried this on Ubuntu 14.10, 14.04, and 12.04 (with backported lxc,
etc). They all produce the same behavior. So, I'm not sure if I'm
misunderstanding something about the uid/gid mapping or if I'm missing some
config setting to make it work the way I would expect.

Thanks!
Patrick
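Both questions in the post come down to the direction of the translation the kernel applies through /proc/<pid>/uid_map and gid_map. Each line `inside outside count` says that ids inside..inside+count-1 as seen in the namespace are ids outside..outside+count-1 on the host. With `u 0 100000 65536`, the shell that lxc-execute starts as container uid 0 is host uid 100000 (an unprivileged id, which is the point of the map), and host uid 1000 (my_user) lies in no range, so the kernel presents it as the overflow uid 65534, which ls prints as nobody. The following Python model of that translation is an added example, not code from the post or from LXC; TEST_CONF, ALT_CONF and HOST_PASSWD are constructed, and ALT_CONF only shows the arithmetic of a map that places host uid 1000 at container uid 0, not whether newuidmap and /etc/subuid on a given host will allow that map to be installed.

```python
"""Model of the uid/gid translation the kernel performs through
/proc/<pid>/uid_map and gid_map for a user namespace such as the one
lxc-execute creates.  Added example, not code from the post or from LXC."""

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid; ls shows it as nobody/nogroup

# Constructed: the poster's test.conf (lxc.id_map lines only).
TEST_CONF = """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

# Constructed: a map whose first entry puts host uid 1000 at container uid 0.
# Only the arithmetic is modelled here; whether newuidmap accepts such an
# entry depends on the host's /etc/subuid policy (assumption, not verified).
ALT_CONF = """\
lxc.id_map = u 0 1000 1
lxc.id_map = u 1 100001 65535
lxc.id_map = g 0 100000 65536
"""

# Constructed host /etc/passwd excerpt used for the ls -l rendering below.
HOST_PASSWD = {0: "root", 1000: "my_user", OVERFLOW_ID: "nobody"}


def parse_lxc_id_map(conf_text):
    """Return {'u': [(inside, outside, count), ...], 'g': [...]} from
    lxc.id_map lines.  These triples are what ends up in the container's
    /proc/<pid>/uid_map and gid_map."""
    maps = {"u": [], "g": []}
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":
            continue
        kind, inside, outside, count = value.split()
        maps[kind].append((int(inside), int(outside), int(count)))
    return maps


def to_host(container_id, id_map):
    """Translate an id seen inside the namespace to the host id it really is.
    None means no range covers it; the kernel refuses such ids (e.g. in chown)."""
    for inside, outside, count in id_map:
        if inside <= container_id < inside + count:
            return outside + (container_id - inside)
    return None


def to_container(host_id, id_map):
    """Translate a host id (for example a file's owner) to the id shown inside
    the namespace.  Host ids that fall in no range appear as OVERFLOW_ID."""
    for inside, outside, count in id_map:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID


def owner_as_seen_in_container(host_uid, id_map, passwd=HOST_PASSWD):
    """Name that `ls -l` inside the container prints for a file owned on the
    host by host_uid, assuming the container reads the same passwd table;
    ids with no passwd entry are printed numerically, as ls does."""
    cid = to_container(host_uid, id_map)
    return passwd.get(cid, str(cid))


if __name__ == "__main__":
    uid_map = parse_lxc_id_map(TEST_CONF)["u"]
    print("container uid 0 is host uid", to_host(0, uid_map))
    print("container uid 1000 is host uid", to_host(1000, uid_map))
    print("host uid 1000 (my_user) is shown in the container as uid",
          to_container(1000, uid_map))
    print("so ls -l inside the container lists my_user's files as",
          owner_as_seen_in_container(1000, uid_map))
    alt_map = parse_lxc_id_map(ALT_CONF)["u"]
    print("with ALT_CONF, container uid 0 is host uid", to_host(0, alt_map))
```

Running the model with the post's map shows the two observations from the post: uid 0 inside is host uid 100000, and my_user's files (host uid 1000) come back as the overflow id. Only a map that contains host uid 1000 in one of its ranges, as ALT_CONF does, makes those files show their real owner inside the container.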