[lxc-users] Does lxc-execute work with unprivileged containers?

Serge Hallyn serge.hallyn at ubuntu.com
Thu Feb 26 15:51:13 UTC 2015


Quoting Patrick Toomey (patrick.toomey at github.com):
> I was wanting to experiment with the idea of running throw away processes
> in a low privilege container. In general, I'd want to run something like
> this
> 
>     lxc-execute -n test1 -f test.conf --lxcpath=/home/my_user/containers /bin/bash
> 
> test.conf contains the unprivileged ID mapping:
> 
>     lxc.id_map = u 0 100000 65536
>     lxc.id_map = g 0 100000 65536
> 
> and I have my subordinate ID mapping setup in /etc/subuid:
> 
>     my_user:100000:65536
> 
> and /etc/subgid:
> 
>     my_user:100000:65536
> 
> when I run lxc-execute I do get a new bash instance, but it is running as
> uid/gid 0 in the new namespace.  And when I do an ls -l on my home
> directory I see:
> 
>     ls -l
>         total 6224
>         -rwxrwxr-x  1 nobody nogroup   13832 Feb 12 17:24 test1.txt
>         drwxr-xr-x  6 nobody nogroup    4096 Feb  9 10:11 test2.txt
> 
> I would have expected that uid/gid mapping to effectively map all container
> uids/gids to my host's "my_user" uid/gid. In effect, no matter what uid I
> had inside the container it would have the access granted to "my_user".
> So, I'm confused by:
> 
> 1) Why is bash uid 0 in the container? Since I mapped the container uid
> 0-65536 to host uid 100000-165536 I would have expected my host uid (1000)
> to then map to the container 101000. And, then I would have expected the

?  If host uid 100000-165536 maps to container uid 0-65536, then host
uid 1000 is not mapped.

> subordinate entry to map that to my_user.
> 
> 2) Why are my home directory files listed as being owned by nobody? I've
> seen that when playing with user namespaces (directly calling
> CLONE_NEWUSER) when you have no mapping configured in /proc/uid/uid_map.
> But, I checked the uid_map of the container process and it all seems to be
> setup correctly.
> 
> I've tried this on Ubuntu 14.10, 14.04, and 12.04 (with backported lxc,
> etc). They all produce the same behavior. So, I'm not sure if I'm
> misunderstanding something about the uid/gid mapping or if I'm missing some
> config setting to make it work the way I would expect.
> 
> Thanks!
> Patrick
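The mapping arithmetic behind Serge's answer, as an added illustration that is not part of the thread and not LXC's own code: it parses the two `lxc.id_map` lines and the `/etc/subuid` entry from Patrick's mail (embedded here as constructed sample text), translates ids in both directions, and shows why host uid 1000 has no container-side id. The script assumes the kernel's default `overflowuid` of 65534, which `/etc/passwd` conventionally names `nobody`; the function names are this example's own.

```python
"""How lxc.id_map entries translate uids/gids between host and container,
and why an unmapped host owner shows up as 'nobody' inside the container.
Added illustration for this thread, not LXC's code."""

# Kernel default for /proc/sys/kernel/overflowuid; ids with no mapping in the
# current user namespace are reported as this value (assumption: default config).
OVERFLOW_ID = 65534


def parse_id_map(conf_text):
    """Parse 'lxc.id_map = <u|g> <container_start> <host_start> <count>' lines.

    Returns {'u': [(cstart, hstart, count), ...], 'g': [...]}.
    """
    maps = {"u": [], "g": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("lxc.id_map"):
            continue
        _, _, value = line.partition("=")
        kind, cstart, hstart, count = value.split()
        if kind not in maps:
            raise ValueError(f"unknown id_map type {kind!r} in {line!r}")
        maps[kind].append((int(cstart), int(hstart), int(count)))
    return maps


def host_to_container(entries, host_id):
    """Container-side id for a host id, or None if the host id is not mapped."""
    for cstart, hstart, count in entries:
        if hstart <= host_id < hstart + count:
            return cstart + (host_id - hstart)
    return None


def container_to_host(entries, container_id):
    """Host-side id that a container id really runs as, or None if unmapped."""
    for cstart, hstart, count in entries:
        if cstart <= container_id < cstart + count:
            return hstart + (container_id - cstart)
    return None


def container_view(entries, host_owner):
    """Owner id that `ls -l` inside the container reports for a file owned by host_owner."""
    mapped = host_to_container(entries, host_owner)
    return OVERFLOW_ID if mapped is None else mapped


def subid_allows(subid_text, user, hstart, count):
    """True if /etc/subuid (or /etc/subgid) delegates hstart..hstart+count-1 to user."""
    for raw in subid_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, cnt = line.split(":")
        start, cnt = int(start), int(cnt)
        if name == user and start <= hstart and hstart + count <= start + cnt:
            return True
    return False


# Constructed sample input, copied from the mail above.
CONF = """lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""
SUBUID = "my_user:100000:65536\n"


if __name__ == "__main__":
    uid_map = parse_id_map(CONF)["u"]
    # The range the container is allowed to use must be delegated in /etc/subuid.
    print("subuid range delegated:", subid_allows(SUBUID, "my_user", 100000, 65536))
    # bash started by lxc-execute is container uid 0, which is host uid 100000.
    print("container uid 0 is host uid", container_to_host(uid_map, 0))
    # Container uid 1000 is host uid 101000, not the host's my_user (1000).
    print("container uid 1000 is host uid", container_to_host(uid_map, 1000))
    # Host uid 1000 lies outside 100000..165535, so it has no container id ...
    print("host uid 1000 maps to container uid", host_to_container(uid_map, 1000))
    # ... and files it owns are reported with the overflow id, shown as 'nobody'.
    print("home directory files appear owned by uid", container_view(uid_map, 1000))
```

The practical consequence for a "throw-away process" setup is that the container needs a host id it can actually use: files meant to be reachable from inside must be owned by an id inside the delegated range (here 100000 to 165535), or the container must be given an extra `lxc.id_map` line that maps some container id onto host uid 1000.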
