[lxc-users] Using predefined cgroups

Fajar A. Nugraha list at fajar.net
Tue May 16 23:38:09 UTC 2017

On Tue, May 16, 2017 at 12:21 PM, Dr. Todor Dimitrov <dimitrov at technology.de
> wrote:

> My understanding is that the unprivileged user owning the container can
> still alter the cgroups, right?

You should really try lxd. e.g. https://linuxcontainers.org/lxd/try-it/ ,
or install it on your own ubuntu server/vm.

> The use case that we have in mind is to allow an unprivileged user run a
> preconfigured container, which configuration is only writable for power
> users. Ideally the unprivileged user should not be able to meddle with the
> cgroups or even create new containers.
> Is such a scenario feasible to implement using LXC and cgroups?

That's what lxd does. Sort of. Some options:
- you create an unpriv container (the default in lxd), then give access to
the container (e.g. ssh keys, root pass of the container, etc) to the user.
They will be able to restart the container and install whetever package
they want, but they can't create another container

- you create an unpriv container with nesting enabled (which is what the
try-me link does). The unpriv user will have a set of limits (e.g. total
disk space, total memory, etc) which they can use to create containers
under it.

In either way, the container's root user will not be able to alter it's own
cgroup configuration (e.g. /sys/fs/cgroup/memory/memory.limit_in_bytes).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170517/0dad70d4/attachment.html>

More information about the lxc-users mailing list