[lxc-users] Can I, or should I, "lxc.id_map = u 250 250 1"?
Fog_Watch
db5 at exemail.com.au
Thu Jul 14 06:57:47 UTC 2016
On Wed, 13 Jul 2016 17:41:25 +0700
"Fajar A. Nugraha" <list at fajar.net> wrote:
> Did you read the link? Relevant part pasted here (shift uid/gids,
> EXCEPT for uid 1000)
>
> lxc.id_map = u 0 100000 1000
> lxc.id_map = g 0 100000 1000
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
> lxc.id_map = u 1001 101001 64535
> lxc.id_map = g 1001 101001 64535
>
>
> what you did was "map uid 250 as is", but then also "map uid 0-999
> (which obviously include 250) to 1000000-1000999"
Well, I thought I read the link, but then reading and understanding
are apparently different. Yes, this is the correct answer. I'll end
up using something like the following:
lxc.id_map = u 0 100000 250
lxc.id_map = g 0 100000 250
lxc.id_map = u 250 250 1
lxc.id_map = g 250 250 1
lxc.id_map = u 251 100251 1749
lxc.id_map = g 251 100251 1749
On Wed, 13 Jul 2016 11:26:53 +0000
"Jäkel, Guido" <G.Jaekel at dnb.de> wrote:
> As said: You don't need write access to the portage tree, but to the
> distfiles cache holding the fetched source tarballs. And to the package
> repository, if you let it build binary packages (and you want this if
> you use more than a few Gentoo instances). But you may configure
> other locations for them outside the portage tree with the ebuild
> recipes.
Thanks, I've changed the owner of distfiles to uid=100000:
# ls -lad /usr/portage/distfiles/
drwxrwsr-x 5 fakeroot portage 360448 Jul 14 14:58 /usr/portage/distfiles/
Prescient advice about bin packages too.
>
>
> BTW: Instead of mapping the uid/gid for portage, you may also
> change it inside the container's passwd/group files to the shifted
> one. It depends on your policy on the "border of the container"
> whether this is a proper way to handle the clash of offering an
> outer-world-shared resource inside the restricted environment of an
> unprivileged container.
I don't know how this would work. If portage starts off on the host as
uid 250, how can it appear in a container as anything useful without uid
mapping?
>
> Guido
Thanks for the advice, Fajar and Guido.
Fog_Watch.
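Added example for this thread (not code from LXC or from either poster): a small checker that parses lxc.id_map lines, flags entries whose container-side or host-side ranges overlap, and translates ids across the map. Each "lxc.id_map = <u|g> <container-start> <host-start> <count>" line is written by LXC into the container's /proc/PID/uid_map or gid_map, and the kernel rejects a map with overlapping ranges, which is why the original "u 250 250 1" plus "u 0 100000 1000" did not work. The two configs embedded below are constructed from the ones in this message and in Fajar's reply.

```python
"""Check lxc.id_map entries for overlap and translate ids across the map.

Added example; not LXC's code. Mirrors the /proc/PID/uid_map rule that
ranges of one map must not intersect on either side.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdMap:
    kind: str        # "u" for uids, "g" for gids
    ns_start: int    # first id inside the container
    host_start: int  # host id that ns_start maps to
    count: int       # length of the contiguous range

    def ns_contains(self, ident: int) -> bool:
        return self.ns_start <= ident < self.ns_start + self.count

    def host_contains(self, ident: int) -> bool:
        return self.host_start <= ident < self.host_start + self.count


def parse_id_map(config_text: str) -> List[IdMap]:
    """Pull the lxc.id_map lines out of an LXC config fragment."""
    maps = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed id_map line: {raw!r}")
        ns_start, host_start, count = (int(f) for f in fields[1:])
        if count <= 0:
            raise ValueError(f"count must be positive: {raw!r}")
        maps.append(IdMap(fields[0], ns_start, host_start, count))
    return maps


def _ranges_intersect(a_start: int, a_count: int, b_start: int, b_count: int) -> bool:
    return a_start < b_start + b_count and b_start < a_start + a_count


def find_overlaps(maps: List[IdMap]) -> List[Tuple[IdMap, IdMap, str]]:
    """(entry, entry, side) for each pair of same-kind entries whose
    container-side or host-side ranges intersect; the kernel refuses
    such a map, so the container would fail to start."""
    problems = []
    for i, a in enumerate(maps):
        for b in maps[i + 1:]:
            if a.kind != b.kind:
                continue
            if _ranges_intersect(a.ns_start, a.count, b.ns_start, b.count):
                problems.append((a, b, "container"))
            if _ranges_intersect(a.host_start, a.count, b.host_start, b.count):
                problems.append((a, b, "host"))
    return problems


def to_host(maps: List[IdMap], kind: str, ns_id: int) -> Optional[int]:
    """Host id a container id acts as; None if unmapped (the kernel then
    shows the overflow id, 65534 by default)."""
    for m in maps:
        if m.kind == kind and m.ns_contains(ns_id):
            return m.host_start + (ns_id - m.ns_start)
    return None


def to_container(maps: List[IdMap], kind: str, host_id: int) -> Optional[int]:
    """Container id a host-owned file shows up as; None if unmapped."""
    for m in maps:
        if m.kind == kind and m.host_contains(host_id):
            return m.ns_start + (host_id - m.host_start)
    return None


# Constructed configs: the overlapping one Fajar's reply describes, and
# the split one from this message.
BROKEN = """
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 250 250 1
lxc.id_map = g 250 250 1
"""

FIXED = """
lxc.id_map = u 0 100000 250
lxc.id_map = g 0 100000 250
lxc.id_map = u 250 250 1
lxc.id_map = g 250 250 1
lxc.id_map = u 251 100251 1749
lxc.id_map = g 251 100251 1749
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        maps = parse_id_map(text)
        for a, b, side in find_overlaps(maps):
            print(f"{name}: {side}-side overlap between {a} and {b}")
        print(f"{name}: container uid 250 -> host uid {to_host(maps, 'u', 250)}, "
              f"host uid 100000 -> container uid {to_container(maps, 'u', 100000)}")
```

Two caveats worth keeping in mind with the split map. The identity entry "u 250 250 1" makes the container's portage user and host uid 250 the same principal as far as the kernel is concerned, so everything host uid 250 may write is also writable from inside the container; that is the "border of the container" trade-off Guido raises, and it is why a chown of the shared directory to the shifted uid (100000 here) is the tighter alternative. And if the container is started by a non-root user rather than by root, LXC applies the map through newuidmap/newgidmap, which only accept host ranges delegated to that user in /etc/subuid and /etc/subgid, so host uid 250 would have to be listed there as well.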