[lxc-users] ID mapping blues (was: Does lxc-execute work with unprivileged containers?)
Patrick Toomey
patrick.toomey at github.com
Thu Feb 26 20:16:04 UTC 2015
>
> Hm, yes, because 'lxc-execute' starts the container with "lxc-init" as
> the pid 1, which then executes the program you requested. You could
>
> 1. do something like lxc-execute -- sudo --user \#1000 bash
I thought of that, but it seems sudo won't work since sudo/suid root
binaries won't work from the container (part of the goal). I get the
following error:

sudo: error in /etc/sudo.conf, line 0 while loading plugin `sudoers_policy'
sudo: /usr/lib/sudo/sudoers.so must be owned by uid 0

The above makes sense because /usr/lib/sudo/sudoers.so is owned by
nobody/nogroup since those uids are not mapped inside the container.
>
> 2. actually start the full container using lxc-start, then ssh in as your
> user.
Yeah, this is an option, but I was hoping to have something with less
configuration overhead for running trivial executables from the host
system.
>
> Hm, are you doing this nested, i.e. from inside a container? For some
> reason you are in a network namespace different from cgmanager's. You
> can confirm this by doing
>
> ls -li /proc/self/ns/pid
> ls -li /proc/`pidof cgmanager`/ns/pid
>
I'm running this from an Ubuntu 14.10 install on VMware. It looks like
they are in the same namespace:

my_user@ubuntu:~$ ls -li /proc/self/ns/pid
32153 lrwxrwxrwx 1 my_user my_user 0 Feb 26 00:21 /proc/self/ns/pid -> pid:[4026531836]
my_user@ubuntu:~$ sudo ls -li /proc/`pidof cgmanager`/ns/pid
10252 lrwxrwxrwx 1 root root 0 Feb 25 16:42 /proc/620/ns/pid -> pid:[4026531836]
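The two things discussed in this message (why sudoers.so looks like it belongs to nobody/nogroup, and how to tell whether two processes share a namespace) both come down to reading /proc. The script below is an added illustration, not code from the thread or from LXC: it parses a uid_map in the kernel's "ns-start host-start count" format, translates host ids into what a process inside the user namespace sees, and compares /proc/<pid>/ns/<type> link targets. The sample map (0 100000 65536) is constructed as a typical unprivileged-container mapping, and the overflow id 65534 is the kernel default from /proc/sys/kernel/overflowuid; both are assumptions, not values from the thread.

```python
"""Added example: why a file owned by host uid 0 shows up as nobody inside an
unprivileged container, and how to compare namespace identities from /proc.

The kernel maps host ids into a user namespace via /proc/<pid>/uid_map, whose
lines read "<first id inside ns> <first id on host> <count>". A host id that
falls outside every range has no representation in the namespace, so stat()
reports the overflow id instead (65534 by default, i.e. nobody/nogroup).
"""
import os

OVERFLOW_ID = 65534  # assumed kernel default, /proc/sys/kernel/overflowuid

# Constructed sample: a typical unprivileged-container mapping as LXC writes it
# from /etc/subuid. Not taken from the thread.
SAMPLE_UID_MAP = "         0     100000      65536\n"


def parse_id_map(text):
    """Parse uid_map/gid_map text into (ns_start, host_start, count) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed id map line: %r" % line)
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def host_to_ns(host_id, ranges, overflow=OVERFLOW_ID):
    """Translate a host id into what a process inside the namespace sees."""
    for ns_start, host_start, count in ranges:
        if host_start <= host_id < host_start + count:
            return ns_start + (host_id - host_start)
    return overflow


def ns_to_host(ns_id, ranges):
    """Inverse direction: the host id behind a namespace id, or None if the
    namespace id is not covered by any range."""
    for ns_start, host_start, count in ranges:
        if ns_start <= ns_id < ns_start + count:
            return host_start + (ns_id - ns_start)
    return None


def explain_ownership(file_owner_host_uid, ranges):
    """Diagnose sudo's 'must be owned by uid 0' check for a file whose host
    owner is file_owner_host_uid, as seen from inside the namespace."""
    seen = host_to_ns(file_owner_host_uid, ranges)
    if seen == 0:
        return "owned by uid 0 inside the namespace; ownership check passes"
    return ("appears owned by uid %d (nobody) inside the namespace; "
            "host uid %d is not mapped" % (seen, file_owner_host_uid))


def same_namespace(link_a, link_b):
    """Compare two /proc/<pid>/ns/<type> link targets such as 'pid:[4026531836]'.
    Equal inode numbers mean the two processes share that namespace."""
    return link_a.strip() == link_b.strip()


def read_ns_link(pid="self", kind="pid"):
    """Read the live namespace link for a pid (Linux only)."""
    return os.readlink("/proc/%s/ns/%s" % (pid, kind))


if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_UID_MAP)
    # Host root (owner of /usr/lib/sudo/sudoers.so) is outside the sample range.
    print(explain_ownership(0, ranges))
    print("container root is host uid", ns_to_host(0, ranges))
    try:
        # Compare this process with pid 1; only meaningful on a Linux host.
        print("shares pid ns with pid 1:",
              same_namespace(read_ns_link("self"), read_ns_link(1)))
    except OSError as exc:
        print("namespace check unavailable:", exc)
```

The mapping direction matters when reading the sudo error: sudo runs inside the namespace and checks the uid it sees, so a file that is genuinely root-owned on the host still fails unless host uid 0 is in the map, which an unprivileged container never has.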