[lxc-users] subuids and subgid range with multiple LXC containers

Serge E. Hallyn serge at hallyn.com
Wed Mar 29 01:07:08 UTC 2017


On Wed, Mar 29, 2017 at 07:35:15AM +0700, Fajar A. Nugraha wrote:
> On Wed, Mar 29, 2017 at 4:20 AM, Serge E. Hallyn <serge at hallyn.com> wrote:
> 
> > Quoting BIGOT Adrien (adrien.bigot at smile.fr):
> > > Hello,
> > >
> > > Actually hosting many containers (2000+) with OpenVZ technology, we
> > > want to move to LXC/LXD.
> > > The goal is to host up to 20 unprivileged containers per
> > > hypervisor. I'd like to know if there is some best practice
> > > regarding subuid and subgid, in particular if we must have one range
> > > of subuid/subgid per container or not.
> >
> > It's been discussed a few times, but I can't be bothered to find
> > links :)  General guidance is if the containers are working together
> > you can have them share uid ranges.  If they belong to different
> > groups, or if you want to prevent all chances of one container
> > subverting another, then give them different ranges.
> 
> ... and if you're feeling lazy:
> - allocate a large-enough [ug]id range for root and lxd in /etc/sub[ug]id
> - use a newer lxd (e.g. from
> https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/stable)
> - set security.idmap.isolated true (
> https://github.com/lxc/lxd/blob/master/doc/userns-idmap.md#different-idmaps-per-container
> )
> 
> It should automatically assign a unique [ug]id range to each container with
> minimal manual setup.

One thing I've always thought would be useful, but not had the time to
pursue, would be to have a concept of 'clients' or somesuch, where each
client can get one or more unique ranges.  They can then use those
ranges however they want, but no other clients will ever get their
ranges.
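As an added illustration of the point made above about giving containers distinct ranges (example code, not from this thread or from LXD itself), the small Python check below verifies that every container's host uid range lies inside root's /etc/subuid allocation and that no two containers share host ids. The /etc/subuid contents and the per-container (base, count) pairs are constructed sample values; a real check would feed it the maps LXD actually assigned.

```python
"""Check that per-container host uid ranges are isolated and fit inside
the host's /etc/subuid allocation. Added example; inputs are constructed."""


def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid lines ('user:start:count') into
    a dict mapping user -> list of (start, end_exclusive) tuples."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(start) + int(count)))
    return ranges


def overlaps(a, b):
    """True if half-open ranges a and b share at least one id."""
    return a[0] < b[1] and b[0] < a[1]


def check_isolation(container_maps, allowed):
    """container_maps: {name: (host_start, count)}; allowed: root's
    (start, end) tuples from /etc/subuid. Returns a list of problems:
    ranges outside the host allocation and pairs of containers that
    share host ids (the case Serge's advice tells you to avoid)."""
    problems = []
    spans = {n: (s, s + c) for n, (s, c) in container_maps.items()}
    for name, span in spans.items():
        if not any(a[0] <= span[0] and span[1] <= a[1] for a in allowed):
            problems.append(f"{name}: {span} not inside host allocation")
    names = sorted(spans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(spans[a], spans[b]):
                problems.append(f"{a} and {b} share host ids")
    return problems


# Constructed sample input: root and lxd hold the same 1e9-wide range.
SUBUID = "root:1000000:1000000000\nlxd:1000000:1000000000\n"
CONTAINERS = {
    "web1": (1000000, 65536),    # isolated range
    "web2": (1065536, 65536),    # isolated, adjacent to web1
    "db1": (1000000, 65536),     # reuses web1's range: not isolated
    "legacy": (500000, 65536),   # outside root's /etc/subuid allocation
}

if __name__ == "__main__":
    for problem in check_isolation(CONTAINERS, parse_subid(SUBUID)["root"]):
        print(problem)
```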

