[lxc-users] Using predefined cgroups

Fajar A. Nugraha list at fajar.net
Wed May 17 05:05:04 UTC 2017


On Wed, May 17, 2017 at 10:59 AM, Dr. Todor Dimitrov <dimitrov at technology.de> wrote:

> I guess LXD would not be an option since we are talking about resource
> constrained devices. The unprivileged user is actually used only for
> namespacing purposes and not for actual logins. The power user starts a
> “provisioning/bootstrapping” process as the unprivileged user, which in
> turn starts the lxc container and performs some additional tasks, e.g.
> monitoring. The bootstrapping process might not be “trusted” in the sense
> that it could have bugs, which should not have any adverse effects on the
> main functionality of the device.
>
>
lxd would make the process a whole lot easier. And it shouldn't consume too
many resources.
However it should also be possible to achieve what you want using standard
lxc1 tools.


> Maybe the problem can be re-formulated: is an unprivileged container owned
> by an unprivileged user any safer than an unprivileged container owned
> by root?
>

In theory, yes.
In a real-world use case I believe it's pretty much similar. Just use a
root-owned unpriv container.

-- 
Fajar