[lxc-users] ID mapping blues (was: Does lxc-execute work with unprivileged containers?)

Serge Hallyn serge.hallyn at ubuntu.com
Thu Feb 26 23:10:17 UTC 2015


Quoting Patrick Toomey (patrick.toomey at github.com):
> > Why is that?  Are you bind-mounting /usr or / from the host?  Generally
> > if you've created a full container, the rootfs should be uid-shifted so that
> > /usr/lib/sudo/sudoers.so should be owned by uid 0 in the container
> >
> 
> Yeah, I was using lxc-execute with "default isolation". I fully
> understand/appreciate the downsides of not using a container with a
> full rootfs, but I had a very specific use case in mind.

Sounds like a stackable filesystem that remaps file uids would give
you what you need.  (I'm not working on one, but several people have
expressed a desire for it.)

> > Ok, so are you actually wanting to run programs on the host, as non-root
> > user, inside a container?  Or do you have a full container rootfs under
> > ~/.local/share/lxc/$container/rootfs ?
> >
> 
> Yup, my goal was to just launch `some_random_command_line_utility` on
> the host, as non-root, and apply a policy that provides some extra
> assurances above/beyond (seccomp, no other valid uid mappings,
> possibly an apparmor profile, etc) what executing the process as a low
> privilege user would have on its own.
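For the ownership problem the thread is circling around (a host file owned by uid 0 that shows up as an unmapped id inside an unprivileged container), here is an added example, not code from the list or from LXC, that models the uid map and shows which files fall outside it and what a uid-shifted copy would need; the idmap entries and file list are constructed.

```python
"""Model of user-namespace uid mapping for an unprivileged container.

Constructed example: an `lxc.id_map`-style allocation ("u <ns-id> <host-id>
<range>") and a small host rootfs listing with host-side owners.
"""
from dataclasses import dataclass

OVERFLOW_UID = 65534  # kernel default /proc/sys/kernel/overflowuid ("nobody")


@dataclass(frozen=True)
class IdMap:
    ns_start: int    # first id as seen inside the container
    host_start: int  # first id on the host it maps to
    count: int


def parse_idmap(lines):
    """Parse 'u 0 100000 65536'-style lines; only uid ('u') entries are kept."""
    maps = []
    for line in lines:
        kind, ns, host, count = line.split()
        if kind == "u":
            maps.append(IdMap(int(ns), int(host), int(count)))
    return maps


def host_to_ns(uid, maps):
    """Host uid as seen inside the container; unmapped ids appear as overflowuid."""
    for m in maps:
        if m.host_start <= uid < m.host_start + m.count:
            return m.ns_start + (uid - m.host_start)
    return OVERFLOW_UID


def ns_to_host(ns_uid, maps):
    """Container uid -> host uid, i.e. the owner a shifted rootfs file needs."""
    for m in maps:
        if m.ns_start <= ns_uid < m.ns_start + m.count:
            return m.host_start + (ns_uid - m.ns_start)
    raise ValueError(f"uid {ns_uid} is not mapped into the container")


def unmapped_files(files, maps):
    """Files whose host owner the container cannot see (the sudoers.so case)."""
    return sorted(p for p, uid in files.items() if host_to_ns(uid, maps) == OVERFLOW_UID)


def shifted_owners(files, maps):
    """Host owners a uid-shifted copy would carry so image uid N is ns uid N."""
    return {p: ns_to_host(uid, maps) for p, uid in files.items()}


# Constructed sample: one unprivileged user's allocation and a few host files.
SAMPLE_IDMAP = ["u 0 100000 65536", "g 0 100000 65536"]
HOST_ROOTFS = {"/usr/lib/sudo/sudoers.so": 0, "/usr/bin/sudo": 0, "/home/user/tool": 1000}
```

With the host's own / bind-mounted (the "default isolation" case), every file above is unmapped, which is why setuid/sudo paths break; a shifted rootfs instead has sudoers.so owned by host uid 100000, which the container sees as uid 0.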

