[lxc-users] Running docker inside unprivileged LXC containers

Serge Hallyn serge.hallyn at ubuntu.com
Tue Jun 16 19:24:44 UTC 2015


Hi,

the inability to create devices in an unprivileged container actually
is unrelated to the devices cgroup.  It's probably best to just check
/proc/self/uid_map.  If it reads

         0          0 4294967295

then you are (most likely) in the initial user namespace.  You won't
be able to create devices then even if devices cgroup is not in use.

So I guess you'll probably want to check for both.

-serge
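As an added illustration of the two checks described above (this is not code from the thread or from docker): parsing /proc/self/uid_map for the single identity mapping that marks the initial user namespace, and looking for a cgroup mount carrying the devices controller in /proc/self/mountinfo. The function names, the mountinfo-based cgroup detection and the sample inputs are my own assumptions and constructions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample inputs, not captured from a real system.
const (
	sampleUIDMapInitial = "         0          0 4294967295\n"
	sampleMountinfo     = "36 25 0:31 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,devices\n"
)

// parseUIDMap parses /proc/self/uid_map text into [inside, outside, length] triples.
func parseUIDMap(text string) ([][3]uint64, error) {
	var entries [][3]uint64
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var e [3]uint64
		if _, err := fmt.Sscan(line, &e[0], &e[1], &e[2]); err != nil {
			return nil, fmt.Errorf("malformed uid_map line %q: %w", line, err)
		}
		entries = append(entries, e)
	}
	return entries, nil
}

// inInitialUserNS: one identity mapping of the whole id range ("0 0 4294967295") means the initial user namespace.
func inInitialUserNS(entries [][3]uint64) bool {
	return len(entries) == 1 && entries[0] == [3]uint64{0, 0, 4294967295}
}

// devicesCgroupMounted scans /proc/self/mountinfo text for a cgroup v1 mount whose super options name the devices controller.
func devicesCgroupMounted(mountinfo string) bool {
	for _, line := range strings.Split(mountinfo, "\n") {
		if i := strings.Index(line, " - "); i >= 0 {
			post := strings.Fields(line[i+3:]) // after the separator: fstype, source, super options
			if len(post) >= 3 && post[0] == "cgroup" && strings.Contains(","+post[2]+",", ",devices,") {
				return true
			}
		}
	}
	return false
}

// shouldCreateDefaultDevices requires both conditions, as the message above advises.
func shouldCreateDefaultDevices(uidMap, mountinfo string) bool {
	e, err := parseUIDMap(uidMap)
	return err == nil && inInitialUserNS(e) && devicesCgroupMounted(mountinfo)
}
```

On a real system the two strings would be read from /proc/self/uid_map and /proc/self/mountinfo; a shifted map such as "0 100000 65536" makes the combined check return false regardless of the cgroup layout.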

Quoting Akshay Karle (akshay.a.karle at gmail.com):
> Hi,
> 
> After the comments here, I had a closer look at the docker code. The
> problem was that it would always try to create some default devices
> <https://github.com/docker/libcontainer/blob/master/configs/device_defaults.go>
> without it checking if it had the permissions to do so. For now, I've created a
> fork of docker and added a fix to create the devices only if the devices
> cgroup is present
> <https://github.com/akshaykarle/docker/commit/0299d2c2084d7f42e7c2c433fca7f5ab3066d2be>.
> This seems to work and I'm now able to run docker inside unprivileged LXC
> containers.
> 
> But I don't know if just checking for the devices cgroup mountpoint is the
> right fix. I feel the right way would be to create only those devices that
> are allowed by lxc.cgroup.devices.allow, but I don't know how I can check
> the devices enabled in the unprivileged lxc container itself. Any way to do
> so?
> 
> On Mon, Jun 15, 2015 at 2:42 PM Serge Hallyn <serge.hallyn at ubuntu.com>
> wrote:
> 
> > Quoting Stewart Brodie (sbrodie at espial.com):
> > > Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > >
> > > > Quoting Stewart Brodie (sbrodie at espial.com):
> >
> > > > > However, another far neater way of doing this could be to use the
> > > > > freezer instead.  Just give lxc-start a new command-line option to start
> > > > > the container *but* crucially, leave it frozen when lxc-start exits.
> > > > > The caller can then just do lxc-start, lxc-device, lxc-unfreeze.
> > >
> > > > > [can you run lxc-device on a frozen container?]
> > >
> > > For future reference, this does indeed work.  I like the idea, because it
> > > would allow all sorts of fettling to go on with the new container from the
> > > host side before it really starts executing.
> >
> > fwiw I'm not opposed to this if someone wants to code it up.  Basically
> > right before exec(2)ing /sbin/init, the task would freeze itself.
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
