[lxc-users] Semi unprivileged containers
Fajar A. Nugraha
list at fajar.net
Sun Nov 22 22:47:32 UTC 2015
On Sun, Nov 22, 2015 at 9:30 PM, MonkZ <i at monkz.de> wrote:
> Hi,
>
> I try to replicate the commands and results of this HowTo:
>
> http://crashcourse.housegordon.org/LXC-semi-unprivileged-containers.html
>
> I'm on Ubuntu 15.10 (LXC 1.1.4) and want to create a semi unprivileged
> container also with Ubuntu 15.10 amd64 (via download).
>
Why would you use a Debian howto when your OS is Ubuntu, and Ubuntu already
has good documentation?
https://help.ubuntu.com/lts/serverguide/lxc.html
>
> Instead of using 2 users on the host i want to try to assign just a
> range of uids/gids.
> Starting as root but running mapped to an other user.
>
>
Why?
You'd still need to start as root if you use a block device (e.g. LVM for
container storage). Otherwise just use plain unpriv containers.
> # cat /etc/sub*
> lxc-ldap01:100000:65536
> lxc-ldap01:100000:65536
>
>
A working /etc/subuid and /etc/subgid should already be set up by default for
your user when you install Ubuntu. Did you try with the default user?
>
> Is the Howto simply outdated
Most likely.
> / my LXC-version not fitting or is there a
> other problem with my setup?
>
>
I don't know. Not without knowing the details of your setup. It could be
something as simple as permission problems:
lxc-start 1448197242.984 ERROR lxc_cgmanager - cgmanager.c:chown_cgroup:490 - Error requesting cgroup chown in new namespace
lxc-start 1448197242.984 WARN lxc_cgmanager - cgmanager.c:cgm_chown:1419 - Failed to chown lxc/ldap01 to container root
This is a working unpriv container on my working system:
$ ls -la .local/share/lxc/trusty/
total 59
drwxrwx--- 3 100000000 user 5 Sep 10 10:02 .
drwxr-xr-x 4 user user 5 Sep 10 09:48 ..
-rw-rw-r-- 1 user user 666 Sep 10 09:58 config
drwxr-xr-x 21 100000000 100000000 21 Sep 9 10:53 rootfs
-rw-rw-r-- 1 user user 0 Sep 10 09:50 trusty.log
"100000000" is the uid of unpriv root. Note the ownership and permission of
the container directory and rootfs there? Does yours look anything like
that, or is it still owned by root:root?
I really suggest you simply create an unpriv container as a regular user
first, following the Ubuntu docs, and see if it works. THEN modify to suit your
needs.
--
Fajar
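The ownership check Fajar describes above (container root must map, via /etc/subuid, to the uid that owns the rootfs) can be scripted. This is an added example, not from the list post or the LXC project; it takes the subuid text as an argument so it runs offline, and assumes GNU `stat -c` (Linux).

```shell
#!/bin/sh
# Verify that an unprivileged container's rootfs is owned by the host uid
# that /etc/subuid maps to container uid 0 for a given host user.
# Added example, not part of the lxc-users thread or of LXC itself.

# subuid_root_uid USER SUBUID_TEXT
# Prints the host uid that container root maps to for USER, taken from the
# first matching "user:start:count" line. Exits 1 if USER has no range.
subuid_root_uid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $2; found = 1; exit }
        END      { exit !found }'
}

# in_subuid_range UID USER SUBUID_TEXT
# Succeeds if UID lies inside USER's first subuid range [start, start+count).
in_subuid_range() {
    printf '%s\n' "$3" | awk -F: -v u="$2" -v id="$1" '
        $1 == u && id >= $2 && id < $2 + $3 { ok = 1; exit }
        END { exit !ok }'
}

# rootfs_owner_ok PATH USER SUBUID_TEXT
# Succeeds if PATH is owned by the uid mapped to container root for USER,
# i.e. what "ls -la" showed as 100000000 on the rootfs in the post.
# Returns 2 if PATH cannot be stat'ed or USER has no subuid range.
rootfs_owner_ok() {
    owner=$(stat -c %u "$1") || return 2      # GNU stat (Linux)
    expected=$(subuid_root_uid "$2" "$3") || return 2
    [ "$owner" -eq "$expected" ]
}

# Typical invocation against the real host files, e.g.:
#   rootfs_owner_ok ~/.local/share/lxc/trusty/rootfs "$USER" "$(cat /etc/subuid)" \
#       && echo "rootfs owned by mapped container root" \
#       || echo "rootfs NOT owned by mapped root (still root:root?)"
```

A rootfs still owned by root:root fails this check, which matches the cgroup/chown errors quoted earlier when the container is started under the wrong identity.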