[lxc-users] Using LXC as an application container.

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 8 15:14:33 UTC 2015


You definitely can do that, but there is no automated way (that I know
of) to do that.  That's in part because doing so is quite dependent on
your exact installation.

I'd recommend setting up the container rootfs using a bunch of things
like

# define where rootfs is mounted
lxc.rootfs = /var/lib/lxc/app1/rootfs
# mount host / ro as container root
lxc.mount.entry = / /var/lib/lxc/app1/rootfs none bind,ro 0 0
# mount a writeable space for the application
lxc.mount.entry = /home/user/myapp/home home/myapp none bind,rw 0 0
# mount a writeable /tmp for the application
lxc.mount.entry = /home/user/myapp/tmp tmp none bind,rw 0 0
# (and do the analogous for any other spaces you need writeable)
# mount proc and sys etc
lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed

I would make /home/user/myapp on the host owned by an extra unused
uid (say 2000), use a separate uid range for this than for any other
containers, and make the container mapping something like

# container uids/gids 0-1998 -> host 200000-201998
lxc.idmap = u 0 200000 1999
lxc.idmap = g 0 200000 1999
# container uid/gid 1999 -> host 201999
lxc.idmap = u 1999 201999 1
lxc.idmap = g 1999 201999 1
# container uids/gids 2000-65535 -> host 202000-265535
lxc.idmap = u 2000 202000 63536
lxc.idmap = g 2000 202000 63536

then define 'user' or 'myapp' in /etc/passwd and /etc/group in the
container to be uid 2000.  Finally you would need to add an ACL
entry to the X socket, and do the equivalent for pulseaudio.

-serge
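An added example, not code from this thread: a small Python checker that parses lxc.idmap lines, flags overlapping ranges (which the kernel rejects when LXC writes the uid_map, so the container never starts), and translates ids between container and host so you can confirm that the host uid owning a writeable bind mount is actually visible inside the container rather than collapsing to the overflow id. The two config snippets inside it are constructed for the example; the pinned id 2000 and the 200000 base follow the numbers used in this thread.

```python
"""Sanity-check lxc.idmap lines before starting an unprivileged app container.

Added example (not code from this thread). Pure arithmetic on the mapping:
it does not read /etc/subuid, write uid_map, or start anything.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    kind: str       # "u" (uids) or "g" (gids)
    container: int  # first id as seen inside the container
    host: int       # first id it maps to on the host
    count: int      # length of the range

    def has_container(self, cid):
        return self.container <= cid < self.container + self.count

    def has_host(self, hid):
        return self.host <= hid < self.host + self.count


def parse_idmaps(config_text):
    """Extract IdMap entries (lxc.idmap, or the older lxc.id_map key)."""
    maps = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() not in ("lxc.idmap", "lxc.id_map"):
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed idmap line: {raw!r}")
        count = int(fields[3])
        if count <= 0:
            raise ValueError(f"idmap range must be positive: {raw!r}")
        maps.append(IdMap(fields[0], int(fields[1]), int(fields[2]), count))
    return maps


def _overlap(start_a, len_a, start_b, len_b):
    return start_a < start_b + len_b and start_b < start_a + len_a


def find_overlaps(maps):
    """Pairs of same-kind entries whose container or host ranges overlap.

    The kernel refuses an overlapping uid_map/gid_map (EINVAL), so a pinned
    single id must be carved out of the big range, not added on top of it."""
    problems = []
    for i, a in enumerate(maps):
        for b in maps[i + 1:]:
            if a.kind != b.kind:
                continue
            if (_overlap(a.container, a.count, b.container, b.count)
                    or _overlap(a.host, a.count, b.host, b.count)):
                problems.append((a, b))
    return problems


def to_host(maps, kind, cid):
    """Host id that container id `cid` becomes, or None if unmapped."""
    for m in maps:
        if m.kind == kind and m.has_container(cid):
            return m.host + (cid - m.container)
    return None


def to_container(maps, kind, hid):
    """Container id under which host id `hid` is visible, or None.

    None means files owned by `hid` on a bind mount appear as the overflow
    id (nobody/65534) inside the container, so the app cannot own them."""
    for m in maps:
        if m.kind == kind and m.has_host(hid):
            return m.container + (hid - m.host)
    return None


def as_proc_map(maps, kind):
    """The lines LXC ends up writing to /proc/<pid>/uid_map (or gid_map)."""
    return [f"{m.container} {m.host} {m.count}" for m in maps if m.kind == kind]


# Constructed config: pin container uid/gid 2000 to host 2000 (owner of the
# writeable bind mount) and put everything else in an unshared subordinate range.
GOOD_CONFIG = """
lxc.idmap = u 0 200000 2000
lxc.idmap = g 0 200000 2000
lxc.idmap = u 2000 2000 1
lxc.idmap = g 2000 2000 1
lxc.idmap = u 2001 202001 63535
lxc.idmap = g 2001 202001 63535
"""

# Constructed config with a common mistake: the pinned id was added without
# shrinking the 65536-wide range, so container uid 2000 is mapped twice.
BAD_CONFIG = """
lxc.idmap = u 0 200000 65536
lxc.idmap = u 2000 2000 1
"""

if __name__ == "__main__":
    good = parse_idmaps(GOOD_CONFIG)
    print("uid_map:", as_proc_map(good, "u"))
    print("host owner 2000 is container uid", to_container(good, "u", 2000))
    print("host uid 1000 is container uid", to_container(good, "u", 1000))
    for a, b in find_overlaps(parse_idmaps(BAD_CONFIG)):
        print("overlap:", a, b)
```

Run it against the config you intend to use; a None from to_container for the uid that owns the bind-mounted directory, or any pair from find_overlaps, means the container will either not start or will see the writeable space as owned by nobody.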

Quoting Brian Allen Vanderburg II (brianvanderburg2 at aim.com):
> Thanks, that looks interesting.  There was some discussion of potential
> security (being recorded by pulse, keys logged).  But other than that it
> seems like it would work.  Now would it be possible to set it up as a
> bare minimum container.  That is, instead of essentially a minimum OS
> with all the files, could I basically just copy over/extract the main
> executable for the application (/opt/firefox/firefox for example), data
> files, and the needed library files, then make /sbin/init point to or
> launch /opt/firefox/firefox?
> 
> Thanks,
> 
> Brian Allen Vanderburg II
> 
> On 06/05/2015 12:32 AM, Serge Hallyn wrote:
> > See https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/ as one
> > of many examples.
> >
> > Quoting Brian Allen Vanderburg II (brianvanderburg2 at aim.com):
> >> I'm wondering if LXC could be used to create a generic application
> >> container/sandbox.  I've created similar sandboxes in the past using
> >> chroot, unionfs-fuse, and bind mounts, successfully running applications
> >> such as Firefox, Sauerbraten, etc.  But this was limited and had
> >> drawbacks.  Using chroot requires root, unprivileged containers can be
> >> run without root after everything is properly set up.  Chroot only hides
> >> away parts of the filesystem, a container can also isolate network
> >> namespaces, etc.  Is there a way to achieve similar, with better control
> >> of isolation, using unprivileged containers?
> >>
> >>
> >> Brian Allen Vanderburg II
> >>
> >
> >
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users