[lxc-users] How to apply commands in howtos - macvlan and disk passthrough
John Gubert
john.gubert at web.de
Wed Dec 21 16:17:28 UTC 2016
One setup of a shared directory would be media files passed through to a
container with Samba, one container with MediaTomb and one container
with an HTTP server, and I would then limit the access to read-only for
the last two.
On 21.12.2016 at 17:09, Pavol Cupka wrote:
> These subuid mappings are there for the case that someone compromises
> your container and gains root: should they break out of the container, they
> would have access to all the files that are root-owned on the host
> machine. When you use these mappings, the users get uid + 100000 (or
> whatever is set in the subuid map file), and if they gain root they have
> uid 1 in the container but uid 1000001 on the host, which means they can't
> access any files. That is the whole purpose of this unprivileged
> container thing.
> Yes, you have to create users with corresponding uids on the different containers
> to be able to access the files.
>
> Why do you have to export the same path to both containers? You can
> export one path for one container and another for the second one. But
> your setup will work for media/backup and for other things.
>
> On Wed, Dec 21, 2016 at 3:41 PM, John Gubert <john.gubert at web.de> wrote:
>
> Hi Pavol,
> thanks for the link. I did some testing with the out-of-the-box
> setup (removed root:1000:1) of Ubuntu, created two containers and
> passed the same host directory through to both of them, then I
> created the same users in the same order on both containers:
> root(1000)
> neuer(1001)
> zweiter(1002)
>
> This seems to work: when I create files inside this folder on one
> container as neuer, I can only read them as neuer on the other
> container and vice versa.
> I would assume that as soon as I create the users in a different
> order, zweiter might become 1001 and neuer 1002, and therefore
> files created by neuer in one container would be seen as files
> created by zweiter in the other, right? On the host, all files
> are seen as 101001 or 101001 anyway.
> I would go ahead and use this setup for my home server to store
> media/backups and run a file server in one container and other
> tasks in another. Is this setup stable enough if I set it up as
> described above?
>
> This is my lxc config; is there anything I should change?
>
> disktest:
> path: /testdisk
> source: /home/me/testdisk
> type: disk
>
> kind regards,
> John
>
> On 21.12.2016 at 15:04, Pavol Cupka wrote:
>> Some of your questions are answered here:
>> https://wiki.gentoo.org/wiki/LXD#Configure_subuid.2Fsubgid
>>
>> Answering to the list is fine.
>>
>> On Wed, Dec 21, 2016 at 1:34 PM, John Gubert <john.gubert at web.de> wrote:
>>
>> Hi Tycho,
>>
>> thank you for your fast response.
>>
>> My id on the host is indeed 1000. I read your blog article and then had
>> a look at /etc/subuid:
>>
>> before:
>> "me at host:~$ cat /etc/subuid
>> lxd:100000:65536
>> root:100000:65536
>> me:165536:65536"
>>
>> after:
>> "me at host:~$ cat /etc/subuid
>> lxd:100000:65536
>> root:100000:65536
>> me:165536:65536
>> root:1000:1"
>>
>> root seems to be already set up; maybe this is due to lxd being
>> installed on Ubuntu 16.04? It would be really helpful if you could
>> explain to me what the mapping defined in this file really does. Does it
>> make a difference if I add your line, or use the one already there? How
>> does this file use the numbers (100000 and 65536)? Does 1000:1 tell
>> Ubuntu to map the id 1 to 1? If so, what does 100000:65536 mean? Add
>> 65536 to the 100000? If there is a user called "me" in the container,
>> does a line "me:1000:1" work as well?
>>
>> I appreciate any help.
>>
>> with kind regards,
>> John
>>
>> P.S.:
>> I answered to the mailing list; is this the right way to do it, or
>> should I answer to you directly?
>>
>>
>>
>> On 20.12.2016 at 22:52, Tycho Andersen wrote:
>>
>> Hi John,
>>
>> On Tue, Dec 20, 2016 at 10:39:07PM +0100, john.gubert at web.de wrote:
>>
>> Hello,
>> I have a directory on my host system and want to create several containers
>> with the same users inside. I would like to pass the directory through to
>> each container and allow the users to write and read on it. The network
>> connection should be done using macvlan.
>> The howtos I have read so far show how to set up lxd, which works very
>> well on my 16.04 host. Starting a container works out of the box as an
>> unprivileged user as well.
>> My questions:
>> Is it even possible to share one directory on the host with several
>> containers?
>> All the howtos I could find mention some commands that need to be
>> applied, but they do not tell me about the commands I need to type in to
>> make it work:
>>
>> "That means you can create a container with the following configuration:
>>
>> lxc.id_map = u 0 100000 65536
>>
>> lxc.id_map = g 0 100000 65536"
>>
>> There is a big list of possible options on GitHub, but where does it tell
>> how to apply them?
>> Does someone know a detailed howto that describes a similar setup to
>> mine?
>>
>> http://tycho.ws/blog/2016/12/uidmap.html is a blog post I wrote a
>> while ago talking about how to set this up with your home directory.
>> You can mimic the settings for whatever user map you want, though.
>>
>> Cheers,
>>
>> Tycho
>>
>> Every time I read something, I feel like I am missing something important,
>> because I could not find a coherent compendium of possible options on how
>> to do something.
>> kind regards,
>> John
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> <mailto:lxc-users at lists.linuxcontainers.org>
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>> <http://lists.linuxcontainers.org/listinfo/lxc-users>
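The uid arithmetic the thread is circling around (what `root:100000:65536` in /etc/subuid does, why Tycho's extra `root:1000:1` line matters before a container uid can land on host uid 1000, and why two containers only agree on who owns a shared file when their users carry the same numeric uids) is easier to see in code. The following is an added example written for this page; it is not code from LXD, LXC or any of the posters, and it only models the mapping rules, it does not talk to the kernel. The /etc/subuid contents and the `lxc.id_map` lines are copied from the messages above; the `Range`, `map_allowed`, `to_host`, `seen_as` and `host_can_read` names, the split `PINNED_MAP`, and the two container user tables are this example's own constructions.

```python
"""Model of the uid mapping behind LXD unprivileged containers.

Added example for this thread; not code from LXD, LXC or the posters.
The subuid text and the lxc.id_map lines come from the thread; everything
else (names, the pinned map, the user tables) is constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OVERFLOW_UID = 65534  # what the kernel shows for an id the map does not cover


@dataclass(frozen=True)
class Range:
    container_start: int
    host_start: int
    count: int


def parse_subuid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse /etc/subuid ('user:start:count') into per-user (start, count) grants."""
    grants: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        grants.setdefault(user, []).append((int(start), int(count)))
    return grants


def parse_idmap(lines: List[str]) -> List[Range]:
    """Parse 'lxc.id_map = u <container> <host> <count>' lines; uid entries only."""
    ranges = []
    for line in lines:
        kind, cstart, hstart, count = line.split("=", 1)[1].split()
        if kind == "u":
            ranges.append(Range(int(cstart), int(hstart), int(count)))
    return ranges


def map_allowed(user: str, grants: Dict[str, List[Tuple[int, int]]],
                ranges: List[Range]) -> bool:
    """Modelled rule: a map is accepted only if every host range lies inside a
    subuid grant for the user that starts the container (root, for LXD here)."""
    for r in ranges:
        lo, hi = r.host_start, r.host_start + r.count
        if not any(s <= lo and hi <= s + n for s, n in grants.get(user, [])):
            return False
    return True


def to_host(uid: int, ranges: List[Range]) -> int:
    """Container uid -> host uid (first matching range wins)."""
    for r in ranges:
        if r.container_start <= uid < r.container_start + r.count:
            return r.host_start + (uid - r.container_start)
    return OVERFLOW_UID


def to_container(host_uid: int, ranges: List[Range]) -> int:
    """Host uid -> container uid, or 'nobody' if no range covers it."""
    for r in ranges:
        if r.host_start <= host_uid < r.host_start + r.count:
            return r.container_start + (host_uid - r.host_start)
    return OVERFLOW_UID


def seen_as(host_uid: int, ranges: List[Range], users: Dict[str, int]) -> Optional[str]:
    """Name a container shows as owner of a host file, given its passwd uids."""
    cuid = to_container(host_uid, ranges)
    return next((name for name, uid in users.items() if uid == cuid), None)


def host_can_read(proc_uid: int, owner_uid: int, mode: int) -> bool:
    """Host-side DAC check, owner/other bits only (group bits left out)."""
    if proc_uid == 0:
        return True
    return bool(mode & (0o400 if proc_uid == owner_uid else 0o004))


# From the thread: /etc/subuid before and after Tycho's extra line, and the
# default map quoted from the howto.
SUBUID_BEFORE = "lxd:100000:65536\nroot:100000:65536\nme:165536:65536\n"
SUBUID_AFTER = SUBUID_BEFORE + "root:1000:1\n"
DEFAULT_MAP = parse_idmap(["lxc.id_map = u 0 100000 65536",
                           "lxc.id_map = g 0 100000 65536"])
# Constructed: container uid 1000 pinned to host uid 1000, with the big range
# split around it so that no container uid is covered twice.
PINNED_MAP = [Range(0, 100000, 1000), Range(1000, 1000, 1), Range(1001, 101001, 64535)]
# Constructed: the same two users created in a different order in two containers.
USERS_A = {"neuer": 1001, "zweiter": 1002}
USERS_B = {"zweiter": 1001, "neuer": 1002}


def demo() -> Dict[str, object]:
    file_by_neuer_in_a = to_host(USERS_A["neuer"], DEFAULT_MAP)  # 101001 on the host
    return {
        "container_root_on_host": to_host(0, DEFAULT_MAP),
        "pin_allowed_before": map_allowed("root", parse_subuid(SUBUID_BEFORE), PINNED_MAP),
        "pin_allowed_after": map_allowed("root", parse_subuid(SUBUID_AFTER), PINNED_MAP),
        "owner_seen_in_b": seen_as(file_by_neuer_in_a, DEFAULT_MAP, USERS_B),
        # escaped container root against a host file that is root-owned, mode 0600
        "escaped_root_reads_host_secret": host_can_read(to_host(0, DEFAULT_MAP), 0, 0o600),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")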
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20161221/790bb7f7/attachment-0001.html>
More information about the lxc-users
mailing list