[lxc-users] Running docker inside unprivileged LXC containers

Stewart Brodie sbrodie at espial.com
Mon Jun 15 16:10:14 UTC 2015


Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Stewart Brodie (sbrodie at espial.com):

> > I'm attempting to start an unprivileged container and populate the
> > devices using an autodev hook, but that doesn't work, because the user
> > namespace has already been changed.  So I'm stuck with having to bind
> > mount all the devices individually, which would be great - except that
> > the device nodes don't all exist in the host, so I'm having to create
> > them in the host in advance of starting the containers.
> 
> If you are starting this container as root then you can use an
> lxc.hook.pre-start hook to create and chown the devices.

I assume you mean use the pre-start hook to create them in the host's
devtmpfs?  I realise I could create the device nodes in the host's devtmpfs
manually, but it is a requirement for our system that they must not
exist there - only in the relevant containers' /dev tmpfses.

My current temporary workaround is indeed to create the device nodes in the
host's devtmpfs and bind mount them into containers using lxc.mount.entry
declarations in the configuration files, but I'm looking for a permanent
solution.


> > However, another far neater way of doing this could be to use the
> > freezer instead.  Just give lxc-start a new command-line option to start
> > the container *but* crucially, leave it frozen when lxc-start exits.
> > The caller can then just do lxc-start, lxc-device, lxc-unfreeze.

> > [can you run lxc-device on a frozen container?]

For future reference, this does indeed work.  I like the idea, because it
would allow all sorts of fettling to go on with the new container from the
host side before it really starts executing.


-- 
Stewart Brodie
Senior Software Engineer
Team Leader ANT Galio Browser
Espial UK
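A pre-start hook along the lines Serge suggests, as an added example rather than code from this thread. It assumes a directory-backed rootfs (so LXC_ROOTFS_PATH is the container's root directory), lxc.id_map lines in the container config, and a constructed device list; it creates the nodes in the container's rootfs /dev, never in the host's devtmpfs, and chowns them to the host ids that container root maps to.

```sh
#!/bin/sh
# Added example pre-start hook (not from the thread): creates device nodes
# in the container's rootfs /dev and chowns them to the host uid/gid that
# container root maps to, so the unprivileged container can open them
# without the nodes ever existing in the host's devtmpfs.
# Assumes a directory-backed rootfs, lxc.id_map lines in the config, and
# registration via:  lxc.hook.pre-start = /path/to/this/script
set -eu

# map_id LINE CID: print the host id for container id CID under one
# mapping line such as "u 0 100000 65536" (type, container start,
# host start, count); print nothing if CID is outside the range.
map_id() {
  set -- $1 $2          # $1=type $2=cstart $3=hstart $4=count $5=cid
  if [ "$5" -ge "$2" ] && [ "$5" -lt $(( $2 + $4 )) ]; then
    echo $(( $3 + $5 - $2 ))
  fi
}

# host_root_id TYPE CONFIG: host id that container id 0 of TYPE (u/g)
# maps to, read from the lxc.id_map (or lxc.idmap) lines in CONFIG.
host_root_id() {
  grep -E "^lxc\.id_?map[[:space:]]*=[[:space:]]*$1 " "$2" |
    sed 's/^[^=]*=[[:space:]]*//' |
    while read -r line; do
      id=$(map_id "$line" 0)
      if [ -n "$id" ]; then echo "$id"; break; fi
    done
}

# Constructed sample device list: path-under-/dev major minor type.
DEVICES="fb0 29 0 c
input/event0 13 64 c"

# create_devices ROOTFS UID GID: mknod + chown each listed device.
create_devices() {
  echo "$DEVICES" | while read -r name major minor kind; do
    mkdir -p "$1/dev/$(dirname "$name")"
    [ -e "$1/dev/$name" ] || mknod -m 0660 "$1/dev/$name" "$kind" "$major" "$minor"
    chown "$2:$3" "$1/dev/$name"
  done
}

# LXC calls hooks with: container-name section hook-type.  Act only as a
# pre-start hook so the functions above can also be sourced and tested.
if [ "${3:-}" = "pre-start" ]; then
  uid=$(host_root_id u "$LXC_CONFIG_FILE"); gid=$(host_root_id g "$LXC_CONFIG_FILE")
  create_devices "$LXC_ROOTFS_PATH" "${uid:-0}" "${gid:-0}"
fi
```

The hook does not touch the device cgroup, so the container still needs matching lxc.cgroup.devices.allow entries before it can open the nodes.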

