[lxc-users] Semi unprivileged containers

MonkZ i at monkz.de
Mon Nov 23 10:58:42 UTC 2015



On 22.11.2015 at 23:47, Fajar A. Nugraha wrote:
> On Sun, Nov 22, 2015 at 9:30 PM, MonkZ <i at monkz.de <mailto:i at monkz.de>>
> wrote:
> 
>     Hi,
> 
>     I try to replicate the commands and results of this HowTo:
> 
>     http://crashcourse.housegordon.org/LXC-semi-unprivileged-containers.html
> 
>     I'm on Ubuntu 15.10 (LXC 1.1.4) and want to create a semi unprivileged
>     container also with Ubuntu 15.10 amd64 (via download).
> 
> 
> 
> Why would you use a Debian howto when your OS is Ubuntu, and Ubuntu
> already has good documentation?
> 
> https://help.ubuntu.com/lts/serverguide/lxc.html

Because I hoped there wouldn't be much difference, or at least that Ubuntu
would have slightly more recent packages.
>  
> 
> 
>     Instead of using 2 users on the host I want to try to assign just a
>     range of uids/gids.
>     Starting as root but running mapped to another user.
> 
> 
> Why?

Autostart and block device usage, but with some kind of privilege drop
and different file ownership attribution (if I use writethrough).

> 
> You'd still need to start as root if you use a block device (e.g. LVM
> for container storage). Otherwise just use plain unpriv containers.
> 
>  
> 
>     # cat /etc/sub*
>     lxc-ldap01:100000:65536
>     lxc-ldap01:100000:65536
> 
> 
> A working /etc/subuid and /etc/subgid should already be setup by default for
> your user when you install ubuntu. Did you try with the default user

I work on an Ubuntu Server minimal installation (headless). I added the
lxc-ldap01 user to populate /etc/sub*.

>  
> 
> 
>     Is the Howto simply outdated 
> 
> 
> most likely.


Damn it ;)


> 
>  
> 
>     / my LXC-version not fitting or is there a
>     other problem with my setup?
> 
> 
> 
> I don't know. Not without knowing the details of your setup. It could be
> something as simple as permission problems:
> 
>       lxc-start 1448197242.984 ERROR    lxc_cgmanager - cgmanager.c:chown_cgroup:490 - Error requesting cgroup chown in new namespace
>       lxc-start 1448197242.984 WARN     lxc_cgmanager - cgmanager.c:cgm_chown:1419 - Failed to chown lxc/ldap01 to container root
> 
> 
> This is a working unpriv container on my working system:
> 
> $ ls -la .local/share/lxc/trusty/
> total 59
> drwxrwx---  3 100000000 user        5 Sep 10 10:02 .
> drwxr-xr-x  4 user      user        5 Sep 10 09:48 ..
> -rw-rw-r--  1 user      user      666 Sep 10 09:58 config
> drwxr-xr-x 21 100000000 100000000  21 Sep  9 10:53 rootfs
> -rw-rw-r--  1 user      user        0 Sep 10 09:50 trusty.log
> 
> "100000000" is the uid of unpriv root.  Note the ownership and permission
> of the container directory and rootfs there? Does yours look anything
> like that, or is it still owned by root:root?

Was initially owned by root:root, but I chowned . and rootfs according to
the howto.

> 
> I really suggest you simply create an unpriv container as a regular user
> first, following ubuntu docs, and see if it works. THEN modify to suit
> your needs.

Will try - thanks.

> 
> -- 
> Fajar

Greetings
MonkZ
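An added example, not part of the thread or of the linked howto, pulling together the pieces the two replies touch on for a root-started container whose ids are mapped into a subordinate range: the lxc.id_map lines for a given range, translating a container id into the host id that backs it, the ownership check behind the "Failed to chown ... to container root" message (a rootfs still owned by host root), and a plain find/chown loop for shifting an existing rootfs, which is what a block device mounted under the container directory also needs. It assumes the range from the post (lxc-ldap01:100000:65536), GNU coreutils stat/chown/chmod, and the LXC 1.x key lxc.id_map (LXC 3.0 and later spell it lxc.idmap); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the linked howto: helpers for a
# container that is started by root but whose ids are mapped into a
# subordinate range. Assumes the range from the post (lxc-ldap01:100000:65536)
# and GNU coreutils stat/chown/chmod. Function names are the example's own.

# lxc.id_map lines for an LXC 1.x config (LXC 3.0+ spells it lxc.idmap):
# container uid/gid 0..count-1 become host start..start+count-1.
idmap_config() {
    start="$1"; count="$2"
    printf 'lxc.id_map = u 0 %s %s\n' "$start" "$count"
    printf 'lxc.id_map = g 0 %s %s\n' "$start" "$count"
}

# Host id backing a container id; fails when the id is outside the map
# (files with such ids show up as nobody/nogroup inside the container).
host_id() {
    cid="$1"; start="$2"; count="$3"
    [ "$cid" -ge 0 ] && [ "$cid" -lt "$count" ] || return 1
    echo $((start + cid))
}

# Is the directory owned by the host uid that backs container root?
# A rootfs still owned by host root is the usual reason the container
# cannot chown its cgroup or write to its own filesystem.
check_rootfs_owner() {
    dir="$1"; expect="$2"
    actual=$(stat -c '%u' "$dir") || return 2
    [ "$actual" -eq "$expect" ]
}

# Shift every uid/gid under $root by $start, leaving alone anything
# already outside 0..count-1. Symlinks are changed with -h, not followed.
# chown(2) clears setuid/setgid on executables even when root calls it,
# so the mode is saved first and restored afterwards (su, sudo, ping...).
# The optional 4th argument is a command prefix: "echo" gives a dry run.
shift_tree() {
    root="$1"; start="$2"; count="$3"; pfx="${4:-}"
    find "$root" -exec sh -c '
        start=$1; count=$2; pfx=$3; shift 3
        for f; do
            ids=$(stat -c "%u %g %a" "$f") || continue
            u=${ids%% *}; rest=${ids#* }; g=${rest%% *}; m=${rest#* }
            if [ "$u" -ge "$count" ] || [ "$g" -ge "$count" ]; then
                echo "not in range, left alone: $f" >&2
                continue
            fi
            $pfx chown -h "$((start + u)):$((start + g))" "$f" || exit 1
            [ -L "$f" ] || $pfx chmod "$m" "$f" || exit 1
        done' _ "$start" "$count" "$pfx" {} +
}

# Typical use on the host, as root, for a container under /var/lib/lxc
# (paths assumed for illustration):
#   idmap_config 100000 65536 >> /var/lib/lxc/ldap01/config
#   shift_tree /var/lib/lxc/ldap01/rootfs 100000 65536
#   chown 100000:100000 /var/lib/lxc/ldap01     # the directory itself too
#   check_rootfs_owner /var/lib/lxc/ldap01/rootfs 100000 && echo "rootfs ok"
```

Run shift_tree with a dry-run prefix first (`shift_tree rootfs 100000 65536 echo`) and look for "not in range" lines on stderr: a file already owned by an id above 65535 was shifted once before, and shifting it again would push it out of the map. The loop spawns one stat per file and is slow on a large rootfs, but it needs nothing beyond coreutils and restores the setuid bits that a bare chown would strip.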
