[lxc-users] Unprivileged networking option?
Fajar A. Nugraha
list at fajar.net
Fri Mar 6 06:07:07 UTC 2020
On Thu, Mar 5, 2020 at 11:43 PM Ede Wolf <listac at nebelschwaden.de> wrote:
>
> Hello Andrey,
>
> thanks for getting back to me. The reason for unprivileged containers
> is basically user id separation.
>
> I fancy the idea that each container has its own id (range) and the user
> ids are not being shared between containers (and the host).
>
> So it is another level of isolation and administration - in its simplest
> form be it just using "ps" where you can tell from the user id what
> container (os) the process belongs to.
While you mentioned plain lxc instead of lxd earlier, lxd might be
more suitable for your needs.
Does https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/
fit the bill?
Look for "isolated"
>
>
> More into classical os level virtualisation (jails, openvz) than what
> is usually associated these days with the term "container".
> So there is no respawning, no stacked images, no orchestration, but a
> proper (albeit minimal) os installation. Without the overhead of a
> hypervisor.
>
> So lxc pretty much is the right tool. Would just be great if one could
> use level3 ip-vlan for easier filtering.
https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322
Look for "ipvlan".
You could also use nested lxd, so (for example) each user has access
to their own lxd container, with an isolated idmap. Inside each
container, they can create and manage their own containers.
--
Fajar
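An added example, not from this thread or from the LXC/LXD projects, of the per-container uid range idea Fajar points at: each container gets its own non-overlapping sub-uid/sub-gid block, the matching plain-LXC config keys (lxc.idmap plus the ipvlan keys introduced in LXC 3.2.1) are emitted from that allocation, and a host uid seen in ps is resolved back to the container that owns it. The container names, the base uid of 100000, the 65536-range size and the eth0 parent link are assumptions; the LXD equivalent is noted in comments.

```shell
#!/bin/sh
# Added example (not part of the original post): one isolated uid/gid
# range per container, the LXC config lines that express it, and a
# reverse lookup from host uid to container.
# Assumptions: base uid 100000, 65536 ids per container, parent link eth0,
# constructed container list "alpha beta gamma". Adjust to your host's
# /etc/subuid and /etc/subgid.

BASE=100000                      # first host uid handed to containers (assumed)
SIZE=65536                       # ids per container (assumed)
CONTAINERS="alpha beta gamma"    # constructed list of container names

# range_start NAME -> first host uid of NAME's range; fails if NAME is unknown
range_start() {
    i=0
    for c in $CONTAINERS; do
        if [ "$c" = "$1" ]; then
            echo $((BASE + i * SIZE))
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# lxc_config NAME -> plain-LXC config lines for NAME.
# Keys are those of lxc.container.conf(5); the ipvlan keys require LXC >= 3.2.1.
# IP addressing for the L3 ipvlan interface is intentionally left out.
lxc_config() {
    start=$(range_start "$1") || return 1
    cat <<EOF
# container "$1": host uids $start..$((start + SIZE - 1)) map to 0..$((SIZE - 1))
lxc.idmap = u 0 $start $SIZE
lxc.idmap = g 0 $start $SIZE
lxc.net.0.type = ipvlan
lxc.net.0.ipvlan.mode = l3
lxc.net.0.link = eth0
lxc.net.0.flags = up
EOF
}

# owner_of_uid HOST_UID -> the container whose range contains HOST_UID,
# or "host" when the uid belongs to no container (what you read off `ps`).
owner_of_uid() {
    uid=$1
    i=0
    for c in $CONTAINERS; do
        lo=$((BASE + i * SIZE))
        hi=$((lo + SIZE - 1))
        if [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ]; then
            echo "$c"
            return 0
        fi
        i=$((i + 1))
    done
    echo host
    return 0
}

# With LXD the same per-container isolation is one setting instead of
# hand-allocated ranges (and security.nesting allows lxd inside the container):
#   lxc config set alpha security.idmap.isolated true
#   lxc config set alpha security.nesting true

# Demo: emit the config for every container and attribute one uid.
for c in $CONTAINERS; do
    lxc_config "$c"
    echo
done
echo "host uid 165600 belongs to: $(owner_of_uid 165600)"
```

Because the ranges never overlap, the lookup is a pure arithmetic check; if two containers shared a range (the non-isolated default), owner_of_uid could not be written at all, which is exactly the administrative ambiguity Ede wants to avoid.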