[lxc-users] subuids and subgid range with multiple LXC containers
Fajar A. Nugraha
list at fajar.net
Wed Mar 29 00:35:15 UTC 2017
On Wed, Mar 29, 2017 at 4:20 AM, Serge E. Hallyn <serge at hallyn.com> wrote:
> Quoting BIGOT Adrien (adrien.bigot at smile.fr):
> > Hello,
> >
> > Actually hosting many containers (2000+) with OpenVZ technology, we
> > want to move to LXC/LXD.
> > The goal is to host up to 20 unprivileged containers per
> > hypervisor. I'd like to know if there is some best practice
> > regarding subuid and subgid, in particular whether we must have one range
> > of subuid/subgid per container or not.
>
> It's been discussed a few times, but I can't be bothered to find
> links :) General guidance is if the containers are working together
> you can have them share uid ranges. If they belong to different
> groups, or if you want to prevent all chances of one container
> subverting another, then give them different ranges.
>
>
... and if you're feeling lazy:
- allocate a large-enough [ug]id range for root and lxd in /etc/sub[ug]id
- use a newer lxd (e.g. from https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/stable)
- set security.idmap.isolated true (https://github.com/lxc/lxd/blob/master/doc/userns-idmap.md#different-idmaps-per-container)
It should automatically assign a unique [ug]id range to each container with
minimal manual setup.
--
Fajar
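A small audit in the spirit of the advice above, added here as an example and not part of the original thread: it parses /etc/subuid-style entries and reports containers whose uid ranges overlap each other (the "one container subverting another" case) or fall outside the range allocated to root on the host. The /etc/subuid entries and the per-container maps are constructed sample data, not taken from any real system.

```python
"""Audit per-container uid ranges against /etc/subuid and against each other."""
from typing import NamedTuple


class IdRange(NamedTuple):
    name: str
    start: int
    count: int

    @property
    def end(self) -> int:  # exclusive upper bound
        return self.start + self.count


def parse_subid(text: str) -> list[IdRange]:
    """Parse /etc/subuid or /etc/subgid lines of the form name:start:count."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.append(IdRange(name, int(start), int(count)))
    return ranges


def overlaps(a: IdRange, b: IdRange) -> bool:
    return a.start < b.end and b.start < a.end


def contained(inner: IdRange, outer: IdRange) -> bool:
    return outer.start <= inner.start and inner.end <= outer.end


def audit(host_ranges: list[IdRange], container_maps: list[IdRange], owner: str = "root") -> list[str]:
    """Return findings: containers mapped outside owner's allocation, or sharing ids with another."""
    findings = []
    allowed = [r for r in host_ranges if r.name == owner]
    for i, c in enumerate(container_maps):
        if not any(contained(c, h) for h in allowed):
            findings.append(f"{c.name}: {c.start}-{c.end - 1} is outside {owner}'s /etc/subuid allocation")
        for other in container_maps[i + 1:]:
            if overlaps(c, other):
                findings.append(f"{c.name} and {other.name} share ids {max(c.start, other.start)}-{min(c.end, other.end) - 1}")
    return findings


# Constructed sample /etc/subuid: root and lxd each own 1000000..1999999999.
SUBUID = "root:1000000:1000000000\nlxd:1000000:1000000000\n"
# Constructed per-container maps. c1 and c2 are disjoint (as isolated idmaps would be);
# c3 deliberately repeats c1's range and c4 sits below root's allocation to show the detection.
CONTAINERS = [IdRange("c1", 1000000, 65536), IdRange("c2", 1065536, 65536),
              IdRange("c3", 1000000, 65536), IdRange("c4", 500000, 65536)]

if __name__ == "__main__":
    for finding in audit(parse_subid(SUBUID), CONTAINERS):
        print(finding)
```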