[lxc-users] Trying to set elevated privileges for non-root user in privileged container

Mark Paterson markpaters at gmail.com
Thu Jun 13 17:00:07 UTC 2019 

I thought I'd write back (a couple of months later!) to say that I found a
way to solve my problem in case it helps someone else or there's a better
way to do this. To recap, I'm using Ubuntu 16.04 with latest lxd from snap
and trying to run as container non-root user a program in a privileged
container that needs to increase thread real-time priorities. I've set
  raw.lxc: |-
    lxc.cap.drop=
    limits.kernel.rtprio=99
  security.privileged: "true"
in the config, and this is sufficient to allow container root to increase
real-time priorities, but not non-root users, even though the limit files
in /etc/security should allow this, and I have both container user ids and
group ids mapped to ids that can do this on the host.

Solution: if in the container I use 'sudo prlimit -r99 -p$$' to raise the
limit on the non-root user's shell process, any program I now start from
the shell as non-root user can now raise real-time priorities. This works
well enough for me, but it would be preferable if there's a way to handle
it in the container configuration.

Thanks!

Mark


On Tue, Apr 9, 2019 at 11:46 AM Serge E. Hallyn <serge at hallyn.com> wrote:

> It looks like the kernel is gating this on having CAP_SYS_NICE
> in the initial user namespace.
>
> -serge
>
> On Mon, Apr 01, 2019 at 04:10:57PM -0500, Mark Paterson wrote:
> > Any answer on this?
> > I'm running lxc from snap, on Ubuntu 16.04. We have a couple of big
> > applications at work that I'd like to run in lxc, but only if there is a
> > way to make elevated privileges work.
> >
> > On Wed, Mar 20, 2019 at 2:00 PM Mark Paterson <markpaters at gmail.com>
> wrote:
> >
> > > Hi all!
> > > I am trying to run as a non-root user an application in a privileged
> > > container that requires setting elevated thread priority. From within
> the
> > > container, elevating priority works if I use sudo, so I can tell that
> the
> > > container is not dropping capabilities. The non-root user is set up in
> > > /etc/security/limits.d for rtprio, and is mapped via raw.idmap to a
> host
> > > user with equivalent privileges that work on the host side.
> > >
> > > However, if I try in the container to chrt a process to a higher
> priority,
> > > I get "Operation not permitted." What am I missing?
> > >
> > > Thanks!
> > >
> > > Mark
> > >
>
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20190613/c804becf/attachment.html>

More information about the lxc-users mailing list