[lxc-users] Can I, or should I, "lxc.id_map = u 250 250 1"?

Jäkel, Guido G.Jaekel at dnb.de
Wed Jul 13 11:26:53 UTC 2016


As said: You don't need write access to the portage tree, but to the distfiles cache holding the fetched source tarballs. And to the package repository, if you let it build binary packages (and you want this if you use more than a few Gentoo instances). But you may configure other locations for them outside the portage tree with the ebuild recipes.


BTW: Instead of mapping the uid/gid for portage, you may also change it inside the container's password/group files to the shifted one. It depends on your policy of the "border of the container" whether this is a proper way to handle the clash of offering an outer-world-shared resource inside the restricted environment of an unprivileged container.

Guido

>-----Original Message-----
>From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On Behalf Of Fog_Watch
>Sent: Wednesday, July 13, 2016 12:35 PM
>To: lxc-users at lists.linuxcontainers.org
>Subject: Re: [lxc-users] Can I, or should I, "lxc.id_map = u 250 250 1"?
>
>On Wed, 13 Jul 2016 12:36:07 +0700
>"Fajar A. Nugraha" <list at fajar.net> wrote:
>
>>
>> I don't think you can use overlapping id_map. Example on
>> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>>
>
>Fajar, how is the following an overlapping id_map:
>lxc.id_map = u 250 250 1
>lxc.id_map = g 250 250 1
>lxc.id_map = u 0 100000 1000
>lxc.id_map = g 0 100000 1000
>?
>
>
>
>On Wed, 13 Jul 2016 07:58:21 +0200
>Guido Jäkel <G.Jaekel at DNB.DE> wrote:
>>
>> But don't think that Gentoo needs to have the user/group of the
>> portage tree to be "portage:portage" for the purpose of running an ebuild.
>> This will be a requirement for portage sync operations, of course. But
>> these ones you probably want to run on the host, I think. Maybe you
>> should even bind-mount it read-only to your containers.
>>
>
>Guido, if I use the following:
>lxc.id_map = u 1000 250 1
>lxc.id_map = g 1000 250 1
>lxc.id_map = u 0 100000 1000
>lxc.id_map = g 0 100000 1000
>Container uid=1000 can create files in distfiles that end up as
>uid=portage files in the tree, but uid=1000 can't run emerge.  Or, a
>container root emerge terminates with the following chown yuck:
>
> * tail -f /var/log/emerge-fetch.log
>bash: /usr/portage/distfiles/.__portage_test_write__: Permission denied
>[Errno 1] Operation not permitted:
>   b'/usr/portage/distfiles/.Net-Daemon-0.48.tar.gz.portage_lockfile':
>   chown('/usr/portage/distfiles/.Net-Daemon-0.48.tar.gz.portage_lockfile',
>   -1, 250) Cannot chown a lockfile:
>   '/usr/portage/distfiles/.Net-Daemon-0.48.tar.gz.portage_lockfile'
>   Group IDs of current user: 1000 0 1 2 3 4 6 10 11 26 27
>>>> Downloading
>>>>    'http://distfiles.gentoo.org/distfiles/Net-Daemon-0.48.tar.gz'
>/usr/portage/distfiles/Net-Daemon-0.48.tar.gz: Permission denied
>>>> Downloading
>>>>    'http://search.cpan.org/CPAN/authors/id/M/MN/MNOONING/Net-Daemon-0.48.tar.gz'
>/usr/portage/distfiles/Net-Daemon-0.48.tar.gz: Permission denied
>>>> Downloading
>>>>    'http://www.cpan.org/authors/id/M/MN/MNOONING/Net-Daemon-0.48.tar.gz'
>/usr/portage/distfiles/Net-Daemon-0.48.tar.gz: Permission denied
>>>> Downloading
>>>>    'http://cpan.metacpan.org/authors/id/M/MN/MNOONING/Net-Daemon-0.48.tar.gz'
>/usr/portage/distfiles/Net-Daemon-0.48.tar.gz: Permission denied
>!!! Couldn't download 'Net-Daemon-0.48.tar.gz'. Aborting.
> * Fetch failed for 'dev-perl/Net-Daemon-0.480.0-r1', Log file:
> *  '/var/tmp/portage/dev-perl/Net-Daemon-0.480.0-r1/temp/build.log'
>_______________________________________________
>lxc-users mailing list
>lxc-users at lists.linuxcontainers.org
>http://lists.linuxcontainers.org/listinfo/lxc-users
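Added example, not from the thread: a small Python checker for the two lxc.id_map sets quoted above, which parses lines of the form `lxc.id_map = <u|g> <container_start> <host_start> <count>`, flags extents that intersect on either the container side or the host side (the first set is overlapping because container uid/gid 250 also lies inside the 0..999 extent), and resolves a container-side id to the host id it lands on. The sample configurations are constructed from the quoted mails; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed from the quoted mails: the first set doubles up on container
# uid/gid 250, the second maps container id 1000 to host id 250 instead.
OVERLAPPING = """lxc.id_map = u 250 250 1
lxc.id_map = g 250 250 1
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000"""
DISJOINT = """lxc.id_map = u 1000 250 1
lxc.id_map = g 1000 250 1
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000"""

# lxc.id_map = <u|g> <container_start> <host_start> <count>
ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_map(config_text):
    """Return {'u': [(container_start, host_start, count), ...], 'g': [...]}."""
    maps = defaultdict(list)
    for line in config_text.splitlines():
        m = ID_MAP_RE.match(line)
        if m:
            kind, cstart, hstart, count = m.groups()
            maps[kind].append((int(cstart), int(hstart), int(count)))
    return dict(maps)

def _intersect(a0, an, b0, bn):
    """True if the half-open ranges [a0, a0+an) and [b0, b0+bn) intersect."""
    return a0 < b0 + bn and b0 < a0 + an

def find_overlaps(extents):
    """Pairs of extents that collide on the container side or the host side.
    The kernel refuses a uid_map/gid_map whose extents intersect on either side."""
    problems = []
    for i, (c1, h1, n1) in enumerate(extents):
        for c2, h2, n2 in extents[i + 1:]:
            if _intersect(c1, n1, c2, n2):
                problems.append(("container", (c1, h1, n1), (c2, h2, n2)))
            if _intersect(h1, n1, h2, n2):
                problems.append(("host", (c1, h1, n1), (c2, h2, n2)))
    return problems

def container_to_host(extents, cid):
    """Host id a container-side id resolves to, or None if it is unmapped."""
    for cstart, hstart, count in extents:
        if cstart <= cid < cstart + count:
            return hstart + (cid - cstart)
    return None
```

With the second set, container gid 250 resolves to host gid 100250, while the host's gid 250 is visible inside the container only as gid 1000, which is the mismatch behind the chown failure in the quoted emerge log.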