[lxc-users] Using LXC as an application container.
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jun 8 15:14:33 UTC 2015
You definitely can do that, but there is no automated way (that I know
of) to do that. That's in part because doing so is quite dependent on
your exact installation.
I'd recommend setting up the container rootfs using a bunch of things
like
# define where rootfs is mounted
lxc.rootfs = /var/lib/lxc/app1/rootfs
# mount host / ro as container root
lxc.mount.entry = / /var/lib/lxc/app1/rootfs none bind,ro 0 0
# mount a writeable space for the application
lxc.mount.entry = /home/user/myapp/home home/myapp none bind,rw 0 0
# mount a writeable /tmp for the application
lxc.mount.entry = /home/user/myapp/tmp tmp none bind,rw 0 0
# (and do the analogous for any other spaces you need writeable)
# mount proc and sys etc
lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed
I would make /home/user/myapp on the host owned by an extra unused
uid (say 2000), use a separate uid range for this than for any other
containers, and make the container mapping something like
# container ids 0-1999 -> host 200000-201999 (the dedicated sub-id range)
lxc.idmap = u 0 200000 2000
lxc.idmap = g 0 200000 2000
# the app's container id 2000 -> host id 2000, the unused host uid that owns
# /home/user/myapp (for an unprivileged container the host user's
# /etc/subuid and /etc/subgid must also allot that single id, e.g. user:2000:1)
lxc.idmap = u 2000 2000 1
lxc.idmap = g 2000 2000 1
# container ids 2001-65535 -> host 202001-265535; the three entries must not
# overlap in either the container or the host id space or the kernel
# rejects the map
lxc.idmap = u 2001 202001 63535
lxc.idmap = g 2001 202001 63535
then define 'user' or 'myapp' in /etc/passwd and /etc/group in the
container to be uid 2000. Finally you would need to add an acl
entry to the X socket, and do the equiv for pulseaudio.
-serge
Quoting Brian Allen Vanderburg II (brianvanderburg2 at aim.com):
> Thanks, that looks interesting. There was some discussion of potential
> security (being recorded by pulse, keys logged). But other than that it
> seems like it would work. Now would it be possible to set it up as a
> bare minimum container. That is, instead of essentially a minimum OS
> with all the files, could I basically just copy over/extract the main
> executable for the application (/opt/firefox/firefox for example), data
> files, and the needed library files, then make /sbin/init point to or
> launch /opt/firefox/firefox?
>
> Thanks,
>
> Brian Allen Vanderburg II
>
> On 06/05/2015 12:32 AM, Serge Hallyn wrote:
> > See https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/ as one
> > of many examples.
> >
> > Quoting Brian Allen Vanderburg II (brianvanderburg2 at aim.com):
> >> I'm wondering if LXC could be used to create a generic application
> >> container/sandbox. I've created similar sandboxes in the past using
> >> chroot, unionfs-fuse, and bind mounts, successfully running applications
> >> such as Firefox, Sauerbraten, etc. But this was limited and had
> >> drawbacks. Using chroot requires root, unprivileged containers can be
> >> run without root after everything is properly set up. Chroot only hides
> >> away parts of the filesystem, a container can also isolate network
> >> namespaces, etc. Is there a way to achieve similar, with better control
> >> of isolation, using unprivileged containers?
> >>
> >>
> >> Brian Allen Vanderburg II
> >>
> >
> >
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
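The following script is an added example, not code from this thread or from the LXC project. It generates a container config in the shape Serge sketches (host / bind-mounted read-only as the rootfs, writable bind mounts for the app, an id map that pins the app's container uid to one host uid) and, before anything is started, checks that the id map has no overlapping ranges and works out which host uid the app will actually run as, so the host-side chown and the X-socket ACL use the same number. The container name app1, the app uid 2000 inside the container mapped 1:1 to host uid 2000, the sub-id allotment 200000-265535 and the /home/user/myapp directories are assumptions for the example; only the host-side grant_host_access function needs root or an X server, and it is not run unless you pass "apply".

```shell
#!/bin/bash
# Added example (not from the thread or LXC): build an unprivileged LXC config
# for an application container and sanity-check its uid map first.
# Assumed values: container "app1", app uid 2000 in the container mapped 1:1
# to host uid 2000, /etc/subuid allotment 200000-265535 (plus a user:2000:1
# entry for the pinned id), writable dirs under /home/user/myapp.
set -eu

APP=app1
APP_UID=2000            # uid of 'myapp' inside the container
HOST_APP_UID=2000       # otherwise unused host uid that owns the writable dirs
SUB_BASE=200000         # first id of the host user's /etc/subuid allotment
SUB_COUNT=65536         # size of that allotment
WRITABLE=/home/user/myapp

# Emit the id map as "<container start> <host start> <count>" lines: everything
# lands in the dedicated sub-id range except APP_UID, which is pinned to
# HOST_APP_UID so the bind-mounted data and the socket ACLs refer to one uid.
idmap_lines() {
    printf '%s %s %s\n' 0 "$SUB_BASE" "$APP_UID"
    printf '%s %s %s\n' "$APP_UID" "$HOST_APP_UID" 1
    printf '%s %s %s\n' "$((APP_UID + 1))" "$((SUB_BASE + APP_UID + 1))" \
        "$((SUB_COUNT - APP_UID - 1))"
}

# Reject a map whose entries overlap in the container or the host id space
# (the kernel refuses to write such a uid_map). Reads map lines on stdin.
check_idmap() {
    awk '
        NF == 3 { k++; cs[k] = $1; hs[k] = $2; n[k] = $3 }
        END {
            for (i = 1; i <= k; i++)
                for (j = i + 1; j <= k; j++) {
                    if (cs[i] < cs[j] + n[j] && cs[j] < cs[i] + n[i]) {
                        print "container ranges overlap: entries " i " and " j; exit 1
                    }
                    if (hs[i] < hs[j] + n[j] && hs[j] < hs[i] + n[i]) {
                        print "host ranges overlap: entries " i " and " j; exit 1
                    }
                }
            if (k == 0) exit 1
        }'
}

# Print the host uid a given container uid runs as; fails if it is unmapped.
host_uid_for() {
    idmap_lines | awk -v c="$1" \
        '$1 <= c && c < $1 + $3 { print $2 + (c - $1); found = 1; exit }
         END { if (!found) exit 1 }'
}

# Write the container config. Relative mount destinations are inside the
# container rootfs, and because that rootfs is the host's / mounted read-only,
# every destination directory (home/myapp, tmp) must already exist on the host.
write_config() {
    local out=$1
    {
        echo "lxc.rootfs = /var/lib/lxc/$APP/rootfs"
        echo "lxc.mount.entry = / /var/lib/lxc/$APP/rootfs none bind,ro 0 0"
        echo "lxc.mount.entry = $WRITABLE/home home/myapp none bind,rw 0 0"
        echo "lxc.mount.entry = $WRITABLE/tmp tmp none bind,rw 0 0"
        echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed"
        idmap_lines | while read -r c h n; do
            echo "lxc.idmap = u $c $h $n"
            echo "lxc.idmap = g $c $h $n"
        done
    } > "$out"
}

# Host-side steps (need root for chown and a running X server): hand the
# writable dirs to the mapped uid and let it open the X socket. The socket ACL
# only lets the uid connect; the X server's own access control (xauth cookie
# or xhost) must still admit it, and pulseaudio's socket under
# $XDG_RUNTIME_DIR/pulse needs the same treatment, including execute access
# on the directories leading to it.
grant_host_access() {
    local huid d
    huid=$(host_uid_for "$APP_UID")
    d=${DISPLAY:-:0}; d=${d#:}; d=${d%%.*}
    sudo chown -R "$huid:$huid" "$WRITABLE/home" "$WRITABLE/tmp"
    setfacl -m "u:$huid:rw" "/tmp/.X11-unix/X$d"
}

main() {
    local cfg
    cfg=$(mktemp)
    idmap_lines | check_idmap
    write_config "$cfg"
    echo "container uid $APP_UID runs as host uid $(host_uid_for "$APP_UID")"
    cat "$cfg"
    rm -f "$cfg"
    [ "$1" = apply ] && grant_host_access
    return 0
}
main "${1:-}"
```

Run it once to see the generated config and the host uid, then run it with "apply" on the host that will start the container. The overlap check is the part worth keeping around: a map such as "0 200000 1999 / 1999 201999 1 / 0 202000 63536", whose first and third entries both start at container id 0, is rejected here instead of failing when lxc-start tries to write the map.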