[lxc-users] Using predefined cgroups

Fajar A. Nugraha list at fajar.net
Wed May 17 05:05:04 UTC 2017

On Wed, May 17, 2017 at 10:59 AM, Dr. Todor Dimitrov <dimitrov at technology.de
> wrote:

> I guess LXD would not be an option since we are talking about resource
> constrained devices. The unprivileged user is actually used only for
> namespacing purposes and not for actual logins. The power user starts a
> “provisioning/bootstrapping" process as the unprivileged user, which in
> turn starts the lxc container and performs some additional tasks, e.g.
> monitoring. The bootstrapping process might not be “trusted” in the sense
> that it could have bugs, which should not have any adverse effects on the
> main functionality of the device.
lxd would make the process a whole lot easier. And it shouldn't consume too
much resource.
However it should also be possible to achieve what you want using standar
lxc1 tools.

> Maybe the problem can be re-formulated: is an unprivileged container owned
> by an unprivileged user any more safer than an unprivileged container owned
> by root?

In theory, yes.
In real-world use case I believe it's pretty much similar. Just use
root-owned unpriv container.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170517/6595fbb9/attachment.html>

More information about the lxc-users mailing list