[lxc-users] sharing files and unprivileged LXC container

John john at tonebridge.com
Wed Dec 11 14:55:37 UTC 2019


I use setfacl/getfacl to change permissions on host files so they are
accessible to the container's users.  I am doing only basic stuff with very
few users, so I'm not sure how that approach scales.

Of course, anything you do to open up what the container can do will reduce
the security of using containers.

On Wed, Dec 11, 2019, 8:19 AM Justus Schubert <justus.schubert at web.de>
wrote:

> Hi everyone,
>
> I'm trying lxc for the first time. Something I do not understand is the
> shared use of resources. This seems to be a problem especially with
> unprivileged containers.
> My first thought was to have a shared folder with custom user/group
> mapping in an unprivileged LXC container for (user)mount
>
> I set up an LXC container. My host system is ArchLinux and the container
> uses Debian. I start the container as root and use user/group mapping so
> the container runs 'unprivileged'.
> >> my /etc/lxc/default.conf:
> >> lxc.idmap = u 0 100000 65536
> >> lxc.idmap = g 0 100000 65536
>
> >> my /etc/subuid & /etc/subgid:
> >> root:100000:65536
>
> Now I would like to share my homedir within the container.
> >> my /var/lib/lxc/<lxc-name>/config:
> >> lxc.mount.entry = /home/<user> /var/lib/lxc/<lxc-name>/rootfs/mnt/share none bind 0 0
>
> Because of the mapping described above, the rights of the shared folder
> are set to nobody nogroup.
>
> After some research, I came to the idea that there are certainly other
> ways to solve the problem. Maybe SSHfs, NFS or SAMBA? Something that can
> implement the 'usermapping' in the protocol?
> Can someone tell me about their experiences or show possible solutions?
> In concrete terms, I am looking for ideas for the realization:
> 1) How can I share rights among 'unprivileged' users from the host to the
> container? User1 from the host shares a folder with user1 from the
> container OS. Both are not root. How can I achieve this?
> 2) Sharing files between unprivileged lxc containers
>
> I can imagine that such questions are asked frequently, but unfortunately
> I have not found a simple and consistent solution.
>
> Thanks in advance for your help!
>
> --
>
> Justus Schubert
> 01099 Dresden
>
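
Added example (not code from either poster or from the LXC project): it parses the lxc.idmap lines quoted above, shows why host-owned files in the bind mount appear as nobody/nogroup inside the container, and derives the host-side UID for a single-user setfacl entry of the kind the reply describes. UID 1000 and the path /home/user1 are assumptions; 65534 is the kernel's default overflow ID.

```python
import re

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid, displayed as nobody/nogroup

# Constructed sample: the idmap lines quoted in the thread.
SAMPLE_CONFIG = """\
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""

IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmap(config_text):
    """Return {'u': [(container_start, host_start, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cstart, hstart, count = map(int, m.group(2, 3, 4))
            maps[m.group(1)].append((cstart, hstart, count))
    return maps

def host_to_container(maps, kind, host_id):
    """ID the container sees on a host-owned file; unmapped IDs become the overflow ID."""
    for cstart, hstart, count in maps[kind]:
        if hstart <= host_id < hstart + count:
            return cstart + (host_id - hstart)
    return OVERFLOW_ID

def container_to_host(maps, kind, container_id):
    """Host ID backing a container ID, or None if that container ID is not mapped."""
    for cstart, hstart, count in maps[kind]:
        if cstart <= container_id < cstart + count:
            return hstart + (container_id - cstart)
    return None

def acl_command(maps, container_uid, path, perms="rwx"):
    """setfacl command (run on the host) granting one container user access to path."""
    host_uid = container_to_host(maps, "u", container_uid)
    if host_uid is None:
        raise ValueError(f"container uid {container_uid} is not mapped")
    return f"setfacl -m u:{host_uid}:{perms} {path}"

if __name__ == "__main__":
    maps = parse_idmap(SAMPLE_CONFIG)
    # Hypothetical host user with uid 1000: outside 100000-165535, so unmapped.
    print("host uid 1000 appears in container as", host_to_container(maps, "u", 1000))
    # Hypothetical container user with uid 1000 and a hypothetical shared path.
    print(acl_command(maps, 1000, "/home/user1"))
```

Granting the ACL to one mapped UID keeps the exposure limited to that container user instead of loosening the directory's mode for everyone.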