[lxc-users] ID mapping blues (was: Does lxc-execute work with unprivileged containers?)

Serge Hallyn serge.hallyn at ubuntu.com
Thu Feb 26 21:53:10 UTC 2015 

Quoting Patrick Toomey (patrick.toomey at github.com):
> >
> > Hm, yes, because 'lxc-execute' starts the container with "lxc-init" as
> > the pid 1, which then executes the program you requested.  You could
> >
> > 1. do something like lxc-execute -- sudo --user \#1000 bash
> 
> 
> I thought of that, but it seems sudo won't work since sudo/suid root
> binaries won't work from the container (part of the goal). I get the
> following error
> 
>   sudo: error in /etc/sudo.conf, line 0 while loading plugin `sudoers_policy'
>   sudo: /usr/lib/sudo/sudoers.so must be owned by uid 0
> 
> The above makes sense because /usr/lib/sudo/sudoers.so is owned by
> nobody/nogroup since those uids are not mapped inside the container.

Why is that?  Are you bind-mounting /usr or / from the host?  Generally
if you've created a full container, the rootfs should be uid-shifted so that
/usr/lib/sudo/sudoers.so should be owned by uid 0 in the container

> > > 2. actually start the full container using lxc-start, then ssh in as your
> > user.
> 
> 
> Yeah, this is an option..but was hoping to have something with less
> configuration overhead for running trivial executables from the host
> system.

Ok, so are you actually wanting to run programs on the host, as non-root
user, inside a container?  Or do you have a full container rootfs under
~/.local/share/lxc/$container/rootfs ?

> > Hm, are you doing this nested, i.e. from inside a container?  For some
> > reason you are in a network namespace different from cgmanager's.  You
> > can confirm this by doing
> >
> >         ls -li /proc/self/ns/pid
> >         ls -li /proc/`pidof cgmanager`/ns/pid
> >
> 
> I'm running this from an ubuntu 14.10 install on vmware. It looks like
> they are in the same namespace:
> 
>   my_user at ubuntu:~$ ls -li /proc/self/ns/pid
>     32153 lrwxrwxrwx 1 my_user my_user 0 Feb 26 00:21
> /proc/self/ns/pid -> pid:[4026531836]
>   my_user at ubuntu:~$ sudo  ls -li /proc/`pidof cgmanager`/ns/pid
>     10252 lrwxrwxrwx 1 root root 0 Feb 25 16:42 /proc/620/ns/pid ->
> pid:[4026531836]
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

More information about the lxc-users mailing list