[lxc-users] pre-mount hook namespace
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Nov 11 16:07:33 UTC 2015
Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> Thanks for the reply.
>
> > On November 11, 2015 at 4:40 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > > This puts us in a bit of a pickle as we'd like to setup mountpoints
> > > for an unprivileged container without giving it access to more than it
> > > needs (in particular, the storage configuration and processes involved
> > > in managing and activating them.)
> >
> > Please give a specific example of what you want.
>
> Mount a filesystem for the unprivileged user which they cannot
> mount by themselves due to a lack of permissions.
> # mount -o loop /path/you/don't/have/access/to.img /the/container
A few things,

1. If you just want this to be a container in a user namespace, you could
   pre-mount it to a path where the user does have access so they can use
   a regular lxc.mount.entry.

2. If you are just using unpriv containers to use user namespaces, you can
   actually have the container be owned/started by root. That's what I do
   for some containers where their rootfs is a dmcrypt device which I
   couldn't mount as an unpriv user.

3. Seth Forshee is working on support for several things that would help you
   here - in particular unprivileged users mounting ext4, using loop devices,
   and fuse. Doesn't help you right now, but soon it might.

-serge
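
Option 1 from the reply above, written out as a container config fragment. This is an added example, not part of the original message: the container name, the paths and the 100000/65536 id range are assumed placeholders, and the key names use the LXC 1.x spelling current at the time of the thread.

```ini
# Added example. "c1", /srv/lxc-premount/c1 and the id range are placeholders.
#
# Host side, done by root before the container starts (command form from the thread):
#   mount -o loop <image the user cannot read> /srv/lxc-premount/c1
#
# Every directory on the way to /srv/lxc-premount/c1 must be searchable (x bit)
# by the container's mapped root uid (100000 here). The image file itself can
# stay in a root-only directory, so the storage layout is not exposed.

# User namespace mapping: container ids 0-65535 map to host ids 100000-165535.
# (LXC 1.x key name; later releases spell it lxc.idmap.)
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# Bind the pre-mounted tree into the container. A bind mount needs no
# filesystem-mount privilege, so it works from inside the user namespace,
# unlike mounting the loop image directly.
# The target is relative to the container rootfs; create=dir makes it if missing.
lxc.mount.entry = /srv/lxc-premount/c1 mnt/data none bind,create=dir 0 0

# Files on the image keep their on-disk owners. Ids outside 100000-165535
# show up as "nobody" inside the container, so root on the host has to chown
# the tree into the mapped range if the container must write to it.
```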