[lxc-users] ID mapping blues (was: Does lxc-execute work with unprivileged containers?)
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Feb 26 23:10:17 UTC 2015
Quoting Patrick Toomey (patrick.toomey at github.com):
> > Why is that? Are you bind-mounting /usr or / from the host? Generally
> > if you've created a full container, the rootfs should be uid-shifted so that
> > /usr/lib/sudo/sudoers.so should be owned by uid 0 in the container
> >
>
> Yeah, I was using lxc-excute with "default isolation". I fully
> understand/appreciate the downsides of not using a container will a
> full rootfs, but I had a very specific use case in mind.
Sounds like a stackable filesystem that remaps file uids would give
you what you need. (I'm not working on one, but several people have
expressed a desire for it)
> > Ok, so are you actually wanting to run programs on the host, as non-root
> > user, inside a container? Or do you have a full container rootfs under
> > ~/.local/share/lxc/$container/rootfs ?
> >
>
> Yup, my goal was to just launch `some_random_command_line_utility` on
> the host, as non-root, and apply a policy that provides some extra
> assurances above/beyond (seccomp, no other valid uid mappings,
> possibly an apparmor profile, etc) what executing the process as a low
> privilege user would have on its own.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
More information about the lxc-users
mailing list