[lxc-users] Running docker inside unprivileged LXC containers

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 15 17:39:52 UTC 2015


Quoting Stewart Brodie (sbrodie at espial.com):
> Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> > Quoting Stewart Brodie (sbrodie at espial.com):
> 
> > > I'm attempting to start an unprivileged container and populate the
> > > devices using an autodev hook, but that doesn't work, because the user
> > > namespace has already been changed.  So I'm stuck with having to bind
> > > mount all the devices individually, which would be great - except that
> > > the device nodes don't all exist in the host, so I'm having to create
> > > them in the host in advance of starting the containers.
> > 
> > If you are starting this container as root then you can use an
> > lxc.hook.pre-start hook to create and chown the devices.
> 
> I assume you mean use the pre-start hook to create them in the host's
> devtmpfs?  I realise I could create the device nodes in the host's devtmpfs
> manually, but it is a requirement for our system that they must not
> exist there - only in the relevant containers' /dev tmpfses.
> 
> My current temporary workaround is indeed to create the device nodes in the
> host's devtmpfs and bind mount them into containers using lxc.mount.entry
> declarations in the configuration files, but I'm looking for a permanent
> solution.

You could create a 'permdev' or somesuch directory under the container's
dir (i.e. /var/lib/lxc/$c/permdev or $HOME/.local/share/lxc/$c/permdev)
and create them there, then bind mount them from there?

> > > However, another far neater way of doing this could be to use the
> > > freezer instead.  Just give lxc-start a new command-line option to start
> > > the container *but* crucially, leave it frozen when lxc-start exits.
> > > The caller can then just do lxc-start, lxc-device, lxc-unfreeze.
> 
> > > [can you run lxc-device on a frozen container?]
> 
> For future reference, this does indeed work.  I like the idea, because it
> would allow all sorts of fettling to go on with the new container from the
> host side before it really starts executing.
> 
> 
> -- 
> Stewart Brodie
> Senior Software Engineer
> Team Leader ANT Galio Browser
> Espial UK
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
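Added example, not code from the thread or from the LXC project, showing one way to do what Serge suggests above: keep the extra device nodes in a host-side "permdev" directory under the container's own directory, create and chown them from a root-run lxc.hook.pre-start script, and bind them in with static lxc.mount.entry lines. The device names, major/minor numbers, modes and id-map values are constructed sample data; the hook argument convention (name, "lxc", hook type) and the LXC_CONFIG_FILE environment variable are LXC's documented hook interface.

```sh
#!/bin/sh
# Added example, not code from the thread or from the LXC project: a
# root-run lxc.hook.pre-start script that keeps a container's extra device
# nodes in a host-side "permdev" directory (Serge's suggestion above)
# rather than in the host's /dev. The device list, major/minor numbers,
# modes and the id map values are constructed sample data.
set -eu

# Sample device list (constructed): "name type major minor mode" per line.
DEVICES="
fb0 c 29 0 0660
ttyS3 c 4 67 0660
"

# Emit the static lxc.mount.entry lines that bind each node from the
# permdev directory ($1) into the container's /dev. 'optional' keeps the
# container starting if a node is missing; 'create=file' makes the bind
# target in the container's /dev tmpfs.
mount_entries() {
    permdev="$1"
    printf '%s\n' "$DEVICES" | while read -r name type major minor mode; do
        [ -n "$name" ] || continue
        printf 'lxc.mount.entry = %s/%s dev/%s none bind,optional,create=file 0 0\n' \
            "$permdev" "$name" "$name"
    done
}

# Host uid (kind u) or gid (kind g) that the container's id 0 maps to,
# read from the container config ($1): lxc.id_map in LXC 1.x, lxc.idmap
# in LXC 2.1 and later. Prints nothing for a privileged container.
mapped_root_id() {
    awk -v kind="$2" '
        ($1 == "lxc.id_map" || $1 == "lxc.idmap") && $3 == kind && $4 == 0 { print $5; exit }
    ' "$1"
}

# Create the nodes in $1 and chown them to $2:$3 (the mapped root uid/gid)
# so the container's root sees them as its own. mknod needs CAP_MKNOD,
# which is why this has to run from a root-owned pre-start hook and not
# from an unprivileged user's autodev hook.
make_nodes() {
    permdev="$1"; root_uid="$2"; root_gid="$3"
    mkdir -p "$permdev"
    printf '%s\n' "$DEVICES" | while read -r name type major minor mode; do
        [ -n "$name" ] || continue
        [ -e "$permdev/$name" ] || mknod -m "$mode" "$permdev/$name" "$type" "$major" "$minor"
        chown "$root_uid:$root_gid" "$permdev/$name"
    done
}

# Hook entry point: LXC calls hooks as "<script> <name> lxc pre-start" with
# LXC_CONFIG_FILE set in the environment. Nothing runs when the script is
# sourced or invoked without those arguments.
if [ "${2:-}" = "lxc" ] && [ "${3:-}" = "pre-start" ]; then
    permdev="$(dirname "$LXC_CONFIG_FILE")/permdev"
    make_nodes "$permdev" \
        "$(mapped_root_id "$LXC_CONFIG_FILE" u)" \
        "$(mapped_root_id "$LXC_CONFIG_FILE" g)"
fi
```

The mount entries are generated once and appended to the container config (for example `mount_entries /var/lib/lxc/c1/permdev >> /var/lib/lxc/c1/config`), because a pre-start hook runs after the config for that start has already been parsed and cannot add mounts to it; the hook's only job is to make sure the nodes exist and are owned by the container's mapped root before the bind mounts happen. The nodes never appear in the host's devtmpfs, which was the requirement in the thread.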

