[lxc-users] Unprivileged container and lxc.network.script.up
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Sep 1 05:14:17 UTC 2015
Quoting Benoit GEORGELIN - Association Web4all (benoit.georgelin at web4all.fr):
> I do start them as non-root user because I tough I was the only way to start an unprivileged container on the system.
Ok, that's what I was wondering. In order to start such containers
as root, you only need to make sure that /etc/subuid and /etc/subgid
have entries granting the container's id ranges to root.
But it's still worth imo to make simple ovs installs work for
unprivileged users.
> benoit at lxd-virt-01a:~$ lxc-ls -f
> NAME STATE IPV4 IPV6 GROUPS AUTOSTART
> ------------------------------------------------------
> benoit RUNNING IP_ADDRESS - - NO
> jordan STOPPED - - - NO
>
> benoit at lxd-virt-01a:~$ lxc-start -n jordan
>
> benoit at lxd-virt-01a:~$ /opt/deploy_lxc/add_lxc_flows.sh jordan
> Adding FLOWS for jordan container
> Trafic limited to 10Mb/s
>
>
> benoit at lxd-virt-01a:~$ lxc-info -n jordan
> Name: jordan
> State: RUNNING
> PID: 17994
>
> Process:
>
> benoit 10487 0.0 0.0 43512 3532 ? Ss août31 0:00 [lxc monitor] /LXC_DIR/benoit benoit
> benoit 17982 0.0 0.0 43512 3576 ? Ss 01:53 0:00 [lxc monitor] /LXC_DIR/benoit jordan
>
>
> Each container on the system is a unix user.
> They can all manage their own LXC container. Each one have an [lxc monitor] process
>
> I do the provising as root (LVM storage) , including the mount of the specific rootfs for the container.
> I will share soon all the scripts used . Deployment is automatic
Awesome, thanks.
> The only one program used with an setuid is used to set the network flows. Sudo is an option to allow normal user to use it too.
More information about the lxc-users
mailing list