[lxc-users] ID mapping blues (was: Does lxc-execute work with unprivileged containers?)
Patrick Toomey
patrick.toomey at github.com
Thu Feb 26 22:16:53 UTC 2015
> Why is that? Are you bind-mounting /usr or / from the host? Generally
> if you've created a full container, the rootfs should be uid-shifted so that
> /usr/lib/sudo/sudoers.so should be owned by uid 0 in the container
>
Yeah, I was using lxc-excute with "default isolation". I fully
understand/appreciate the downsides of not using a container will a
full rootfs, but I had a very specific use case in mind.
> Ok, so are you actually wanting to run programs on the host, as non-root
> user, inside a container? Or do you have a full container rootfs under
> ~/.local/share/lxc/$container/rootfs ?
>
Yup, my goal was to just launch `some_random_command_line_utility` on
the host, as non-root, and apply a policy that provides some extra
assurances above/beyond (seccomp, no other valid uid mappings,
possibly an apparmor profile, etc) what executing the process as a low
privilege user would have on its own.
More information about the lxc-users
mailing list