[lxc-users] How to apply commands in howtos - macvlan and disk passthrough

John Gubert john.gubert at web.de
Wed Dec 21 16:17:28 UTC 2016


one setup of a shared directory would be media files passed through to a 
container with samba and one container with mediatomb and one container 
with a http server and I would then limit the access to read-only for 
the last two.

On 21.12.2016 at 17:09, Pavol Cupka wrote:
> these subuid mappings are there for the case that someone compromises 
> your container and gains root, should he break out of the container he 
> would have access to all the files that are root owned on the host 
> machine, when you use these mappings then the users get uid + 100000 or 
> whatever is set in the subuid map file and if they gain root they have 
> uid 1 in container but uid 1000001 on the host that means it can't 
> access any files. that is the whole purpose of this unprivileged 
> container thing.
> yes you have to create users with corresponding uid on diff containers 
> to be able to access the files.
>
> why do you have to export the same path to both containers? you can 
> export one path for one container and other for the second one. but 
> your setup will work for media/backup and for other things
>
> On Wed, Dec 21, 2016 at 3:41 PM, John Gubert <john.gubert at web.de> wrote:
>
>     Hi Pavol,
>     thanks for the link, I did some testing with the out of the box
>     setup (removed root:1000:1) of ubuntu, created two containers and
>     passed the same host directory through to both of them, then I
>     created the same users in the same order on both containers:
>     root(1000)
>     neuer(1001)
>     zweiter(1002)
>
>     this seems to work, when I create files inside this folder on one
>     container as neuer, I can only read them as neuer on the other
>     container and vice versa.
>     I would assume, that as soon as I create the users in a different
>     order, zweiter might become 1001 and neuer 1002 and therefore
>     files created by neuer in one container would be seen as files
>     created by zweiter in the other, right? On the host, all files
>     are seen as 101001 or 101001 anyway.
>     I would go ahead and use this setup for my homeserver to store
>     media/backups and run a fileserver in one container and other
>     tasks in another, is this setup stable enough if I set it up as
>     described above?
>
>     this is my lxc config, is there anything I should change?
>
>       disktest:
>         path: /testdisk
>         source: /home/me/testdisk
>         type: disk
>
>     kind regards,
>     John
>
>     On 21.12.2016 at 15:04, Pavol Cupka wrote:
>>     some of your questions are answered here
>>     https://wiki.gentoo.org/wiki/LXD#Configure_subuid.2Fsubgid
>>
>>     answering to the list is fine
>>
>>     On Wed, Dec 21, 2016 at 1:34 PM, John Gubert <john.gubert at web.de> wrote:
>>
>>         Hi Tycho,
>>
>>         thank you for your fast response.
>>
>>         My id on the host is indeed 1000. I read your blog article
>>         and then had
>>         a look at /etc/subuid:
>>
>>         before:
>>         "me at host:~$ cat /etc/subuid
>>         lxd:100000:65536
>>         root:100000:65536
>>         me:165536:65536"
>>
>>         after:
>>         "me at host:~$ cat /etc/subuid
>>         lxd:100000:65536
>>         root:100000:65536
>>         me:165536:65536
>>         root:1000:1"
>>
>>         root seems to be already set up, maybe this is due to lxd being
>>         installed on ubuntu 16.04? It would be really helpful if you
>>         could
>>         explain to me what the mapping defined in this file really
>>         does. Does it
>>         make a difference if I add your line, or use the one already
>>         there? How
>>         does this file use the numbers (100000 and 65536)? Does
>>         1000:1 tell
>>         ubuntu to map the id 1 to 1, if so, what does 100000:65536
>>         mean? Add
>>         65536 to the 100000? If there is a user called "me" in the
>>         container,
>>         does a line "me:1000:1" work as well?
>>
>>         I appreciate any help.
>>
>>         with kind regards,
>>         John
>>
>>         P.S.:
>>         I answered to the mailing list, is this the right way to do
>>         it, or
>>         should I answer to you directly?
>>
>>
>>
>>         On 20.12.2016 at 22:52, Tycho Andersen wrote:
>>
>>             Hi John,
>>
>>             On Tue, Dec 20, 2016 at 10:39:07PM +0100, john.gubert at web.de wrote:
>>
>>                 Hello,
>>                 I have a directory on my host system and want to create
>>                 several containers with the same users inside. I would like
>>                 to pass the directory through to each container and allow
>>                 the users to write and read on it. The network connection
>>                 should be done using macvlan.
>>                 The howtos I have read so far show how to set up lxd, which
>>                 works very well on my 16.04 host. Starting a container works
>>                 out of the box as unprivileged user as well.
>>                 My questions:
>>                 Is it even possible to share one directory on the host with
>>                 several containers?
>>                 All the howtos I could find mention some commands, that need
>>                 to be applied, but they do not tell me about the commands I
>>                 need to type in to make it work:
>>
>>                 "That means you can create a container with the following
>>                 configuration:
>>
>>                 lxc.id_map = u 0 100000 65536
>>                 lxc.id_map = g 0 100000 65536"
>>
>>                 There is a big list of possible options on github, but where
>>                 does it tell how to apply them?
>>                 Does someone know a detailed howto, that describes a similar
>>                 setup like mine?
>>
>>             http://tycho.ws/blog/2016/12/uidmap.html is a blog post
>>             I wrote a
>>             while ago talking about how to set this up with your home
>>             directory.
>>             You can mimic the settings for whatever user map you
>>             want, though.
>>
>>             Cheers,
>>
>>             Tycho
>>
>>                 Every time I read something, I feel like missing something
>>                 important, because I could not find a coherent compendium of
>>                 possible options on how to do something.
>>                 kind regards,
>>                 John
>>                 _______________________________________________
>>                 lxc-users mailing list
>>                 lxc-users at lists.linuxcontainers.org
>>                 http://lists.linuxcontainers.org/listinfo/lxc-users
>>
>>
>>
>>
>>
>>
>>
>
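Added worked example (not code from this thread, from LXC or from LXD): the arithmetic behind the numbers John asks about. An /etc/subuid line "owner:start:count" grants the owner the host ids start..start+count-1; an "lxc.id_map = u <container_start> <host_start> <count>" line then maps that many container ids onto those host ids, so container uid 1001 (neuer) under "u 0 100000 65536" becomes host uid 101001. The second question in the thread, whether "root:1000:1" matters, is the map_allowed check at the end: a one-to-one map of uid 1000 is only valid once that line exists. The /etc/subuid text and id_map lines below are constructed copies of the values quoted in the thread.

```python
# Added example: translate container ids <-> host ids from /etc/subuid and
# lxc.id_map lines. Constructed inputs mirror the values quoted in the thread.
from dataclasses import dataclass
from typing import List, Optional

# /etc/subuid as pasted in the thread, before and after adding root:1000:1.
SUBUID_BEFORE = "lxd:100000:65536\nroot:100000:65536\nme:165536:65536\n"
SUBUID_AFTER = SUBUID_BEFORE + "root:1000:1\n"

# The lxc.id_map lines quoted from the howto in the thread.
ID_MAP_DEFAULT = "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n"


@dataclass(frozen=True)
class IdRange:
    kind: str             # "u" for uids, "g" for gids
    container_start: int  # first id as seen inside the container
    host_start: int       # host id that container_start maps to
    count: int            # number of consecutive ids covered by this line

    def to_host(self, cid: int) -> Optional[int]:
        if self.container_start <= cid < self.container_start + self.count:
            return self.host_start + (cid - self.container_start)
        return None

    def to_container(self, hid: int) -> Optional[int]:
        if self.host_start <= hid < self.host_start + self.count:
            return self.container_start + (hid - self.host_start)
        return None


def parse_subuid(text: str, owner: str) -> List[range]:
    """Host id ranges that /etc/subuid (or /etc/subgid) grants to `owner`.
    'root:100000:65536' grants root the host ids 100000..165535."""
    granted = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == owner:
            granted.append(range(int(start), int(start) + int(count)))
    return granted


def parse_id_map(text: str) -> List[IdRange]:
    """Parse 'lxc.id_map = u <container_start> <host_start> <count>' lines."""
    maps = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "lxc.id_map":
            continue
        kind, cstart, hstart, count = value.split()
        maps.append(IdRange(kind, int(cstart), int(hstart), int(count)))
    return maps


def container_to_host(maps: List[IdRange], kind: str, cid: int) -> Optional[int]:
    """Host id a container id is written to disk as; None means unmapped
    (the kernel then shows the overflow id, i.e. 'nobody')."""
    for m in maps:
        if m.kind == kind:
            hid = m.to_host(cid)
            if hid is not None:
                return hid
    return None


def host_to_container(maps: List[IdRange], kind: str, hid: int) -> Optional[int]:
    """Container id under which a host-owned file appears; None if unmapped."""
    for m in maps:
        if m.kind == kind:
            cid = m.to_container(hid)
            if cid is not None:
                return cid
    return None


def map_allowed(m: IdRange, granted: List[range]) -> bool:
    """A map may only use host ids that /etc/subuid grants to the container's
    owner, so every id in the map's host range must lie inside one granted range."""
    needed = range(m.host_start, m.host_start + m.count)
    return any(needed.start >= g.start and needed.stop <= g.stop for g in granted)


if __name__ == "__main__":
    maps = parse_id_map(ID_MAP_DEFAULT)
    for name, cid in (("root", 0), ("neuer", 1001), ("zweiter", 1002)):
        print(f"container {name}({cid}) -> host uid {container_to_host(maps, 'u', cid)}")
    # Mapping container uid 1000 straight onto host uid 1000 (Tycho's home-dir
    # setup) needs the extra root:1000:1 line before it is permitted.
    home = IdRange("u", 1000, 1000, 1)
    print("u 1000 1000 1 allowed before:", map_allowed(home, parse_subuid(SUBUID_BEFORE, "root")))
    print("u 1000 1000 1 allowed after: ", map_allowed(home, parse_subuid(SUBUID_AFTER, "root")))
```

Because both containers in John's test use the same default map, neuer (1001) in either container is host uid 101001, which is why files written in one container are readable by the same uid in the other and appear as 101001 on the host; creating the users in a different order changes which name owns 1001 and therefore which container user the files belong to.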