[lxc-users] ID mapping blues (was: Does lxc-execute work with unprivileged containers?)
Patrick Toomey
patrick.toomey at github.com
Thu Feb 26 17:23:03 UTC 2015
> If you want the container to have access to your host uid 1000's
> files, then add a second mapping,
Yup, this is what I eventually figured out. Is there a way to get
lxc-execute to not exec the passed in executable as uid 0? This is all just
a total proof of concept, but I was aiming to:
* Map some low privileged user with outside uid (1000) to inside uid (1000)
* Leave all other uids unmapped
* Have the passed in executable execute as uid 1000 inside the container
Here is my current config:
cat default.conf
lxc.id_map = u 1000 1000 1
lxc.id_map = u 0 100000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = g 0 100000 1
I was forced to map inside uid 0 or I get the following error when I run
lxc-execute:
lxc-execute: cgmanager.c: chown_cgroup_wrapper: 424 Invalid argument - Failed to setgid to 0
lxc-execute: cgmanager.c: chown_cgroup_wrapper: 426 Invalid argument - Failed to setuid to 0
So, with the above config I do successfully launch bash, but it seems as
though lxc.init always does that as uid 0:
lxc-execute -n blah99 -f test.conf --lxcpath=/home/my_user/containers -- bash
lxc: cgmanager.c: lxc_cgmanager_escape: 329 call to cgmanager_move_pid_abs_sync(name=systemd) failed: Escape request from different namespace requires a proxy
bash: /root/.bashrc: Permission denied
root at myhost:/home/my_user#
So, uid 0 is mapped to outside uid 100000 and uid 1000 is mapped to inside
uid 1000, but I'd like to have bash itself launch as uid 1000. But, it
seems like lxc-execute currently forces a switch to uid 0 in the
container. I'm guessing executing the spawned process as the original
parent uid is not possible? In theory I could just map inside uid 0 to
outside uid 1000 get the effective permissions I'd be looking for. But, you
get weird side effects like the "bash: /root/.bashrc: Permission denied"
since bash will believe that /root is the user's home directory.
As an aside, no matter what I do I always get:
"lxc: cgmanager.c: lxc_cgmanager_escape: 329 call to cgmanager_move_pid_abs_sync(name=systemd) failed: Escape request from different namespace requires a proxy" error.
The above error doesn't seem to affect the ability to spawn the child
process/container, but I was not sure what was causing it and/or what side
effects may occur because of it.
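Added example (not from this post or from the LXC project): a small model of the lxc.id_map semantics discussed above, written to make the two effects in the post concrete. The id_map format assumed is the documented one, `lxc.id_map = <u|g> <first id inside the container> <first id on the host> <count>`, and the kernel default overflow id of 65534 is assumed for ids that have no mapping. The configuration lines come from the post; the "minimal" configuration with uid 0 unmapped is constructed to show why setuid(0) then fails with EINVAL, and why files owned by host root show up as an unowned id inside the container.

```python
# Added example (not from the lxc-users post or from LXC): a model of
# lxc.id_map that shows why leaving container uid 0 unmapped makes
# lxc-execute's setuid(0) fail, and how host-owned files look from inside.
from dataclasses import dataclass
from typing import List, Optional

# The kernel's default overflow id (/proc/sys/kernel/overflowuid and
# overflowgid): any id the user namespace does not map appears as this value
# inside the container. Assumed to be the default 65534 here.
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdRange:
    kind: str      # "u" (uids) or "g" (gids)
    inside: int    # first id inside the container
    outside: int   # first id on the host
    count: int     # number of consecutive ids mapped


def _overlap(a_start: int, a_count: int, b_start: int, b_count: int) -> bool:
    return a_start < b_start + b_count and b_start < a_start + a_count


def parse_id_map(config_text: str) -> List[IdRange]:
    """Parse 'lxc.id_map = <u|g> <inside> <outside> <count>' lines.

    Other keys are ignored. Ranges that overlap on either side (for the same
    id type) are rejected, as the kernel refuses such a uid_map/gid_map.
    """
    ranges: List[IdRange] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed lxc.id_map line: {raw!r}")
        kind = fields[0]
        inside, outside, count = (int(f) for f in fields[1:])
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range in lxc.id_map line: {raw!r}")
        new = IdRange(kind, inside, outside, count)
        for old in ranges:
            if old.kind == new.kind and (
                _overlap(old.inside, old.count, new.inside, new.count)
                or _overlap(old.outside, old.count, new.outside, new.count)
            ):
                raise ValueError(f"overlapping id ranges: {old} and {new}")
        ranges.append(new)
    return ranges


def inside_to_outside(ranges: List[IdRange], kind: str, inside_id: int) -> Optional[int]:
    """Host id behind a container id, or None if the container id is unmapped."""
    for r in ranges:
        if r.kind == kind and r.inside <= inside_id < r.inside + r.count:
            return r.outside + (inside_id - r.inside)
    return None


def outside_to_inside(ranges: List[IdRange], kind: str, outside_id: int) -> int:
    """How a host id (for example a file's owner) appears inside the container."""
    for r in ranges:
        if r.kind == kind and r.outside <= outside_id < r.outside + r.count:
            return r.inside + (outside_id - r.outside)
    return OVERFLOW_ID


def can_switch_to(ranges: List[IdRange], kind: str, inside_id: int) -> bool:
    """setuid()/setgid() inside the namespace only succeeds for a mapped id;
    an unmapped target fails with EINVAL ("Invalid argument")."""
    return inside_to_outside(ranges, kind, inside_id) is not None


# The configuration from the post.
POSTED_CONFIG = """
lxc.id_map = u 1000 1000 1
lxc.id_map = u 0 100000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = g 0 100000 1
"""

# Constructed: the mapping the post originally wanted, with uid/gid 0 unmapped.
MINIMAL_CONFIG = """
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
"""

if __name__ == "__main__":
    posted = parse_id_map(POSTED_CONFIG)
    minimal = parse_id_map(MINIMAL_CONFIG)
    print("posted config, setuid(0) possible:", can_switch_to(posted, "u", 0))
    print("minimal config, setuid(0) possible:", can_switch_to(minimal, "u", 0))
    print("container uid 0 is host uid", inside_to_outside(posted, "u", 0))
    print("host root's files appear inside as uid", outside_to_inside(posted, "u", 0))
```

With the posted configuration, container uid 0 resolves to host uid 100000 and container uid 1000 to host uid 1000, while a file owned by host root resolves to the overflow id inside, which is what makes a root-owned /root/.bashrc unreadable to the container's "root". With the minimal configuration, uid 0 has no mapping at all, so the setuid(0) that lxc-execute performs cannot succeed, matching the "Invalid argument" errors in the post.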