These patches address a few of the issues with creating and running containers without privilege. They are only a start.
On an Ubuntu trusty system (with a device_cgroup kernel patch) I can now do the following:

    # one-time system setup
    sudo apt-get -y install uidmap
    sudo usermod -v 100000-199999 -w 100000-199999 serge
    mkdir ~/lxcbase
    cat > lxc.conf << EOF
    lxc.network.type = empty
    lxc.id_map = u 0 100000 10000
    lxc.id_map = g 0 100000 10000
    EOF

    # per-boot setup
    echo 1 | sudo tee -a /sys/fs/cgroup/cpuset/cgroup.clone_children
    for d in /sys/fs/cgroup/*; do
        sudo mkdir $d/serge
        # the directory was created by root, so chown needs sudo as well
        sudo chown serge: $d/serge
    done

    # login setup
    for d in /sys/fs/cgroup/*; do
        echo $$ | sudo tee -a $d/serge/tasks
    done

    # create a busybox container
    lxc-create -P /home/serge/lxcbase -t busybox -n b1 -f lxc.conf

    # run it
    lxc-start -P /home/serge/lxcbase -n b1

    # or run it in the background
    lxc-start -P /home/serge/lxcbase -n b1 -d

    # attach a console
    lxc-console -P /home/serge/lxcbase -n b1

    # kill it
    lxc-stop -P /home/serge/lxcbase -n b1

TO DO:

1. get the ubuntu-cloud template working.
   a. To avoid tar failing due to devices, we can simply require root to create new cloud image tarballs with no devices (mkdir x; cd x; sudo tar zxf /var/cache/lxc/cloud-saucy/*; sudo rm -rf dev/*; sudo mkdir dev/pts; sudo tar pzcf ../cloud.tar.gz .) or we can do '|| true' after the tar. Are there any other good options?
   b. fix assumptions in the template that we can write to @LOCALESTATEDIR@
2. implement networking using lxc-user-nic
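The setup in the post only works if every lxc.id_map range sits inside the subordinate ID range that usermod -v/-w delegated to the user. The following check is an added example, not part of the original post or of LXC; the helper name idmap_delegated and the sample files are constructed for illustration, and it assumes the standard name:start:count layout of /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example (not from the patch series): verify that every lxc.id_map
# entry of one kind lies inside a range delegated in /etc/subuid or /etc/subgid.

# usage: idmap_delegated USER SUBID_FILE LXC_CONF KIND   (KIND is u or g)
# Returns 0 when at least one KIND mapping exists and all are covered.
idmap_delegated() {
    awk -v user="$1" -v kind="$4" '
        # Phase 1: subordinate ID file, lines of the form name:start:count
        phase != 2 {
            split($0, f, ":")
            if (f[1] == user) { n++; lo[n] = f[2] + 0; hi[n] = f[2] + f[3] }
            next
        }
        # Phase 2: lxc.id_map = KIND container_start host_start count
        /^[ \t]*lxc\.id_map[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            split($0, m, /[ \t]+/)
            if (m[1] != kind) next
            seen++
            covered = 0
            for (i = 1; i <= n; i++)
                if (m[3] + 0 >= lo[i] && m[3] + m[4] <= hi[i]) covered = 1
            if (!covered) bad++
        }
        END { exit ((seen > 0 && bad == 0) ? 0 : 1) }
    ' "$2" phase=2 "$3"
}

# Constructed sample input: the range granted by the usermod call in the post,
# the lxc.conf from the post, and a config that maps outside the grant.
demo=$(mktemp -d)
printf 'serge:100000:100000\n' > "$demo/subuid"
printf 'lxc.id_map = u 0 100000 10000\nlxc.id_map = g 0 100000 10000\n' \
    > "$demo/lxc.conf"
printf 'lxc.id_map = u 0 195000 10000\n' > "$demo/bad.conf"

for conf in lxc.conf bad.conf; do
    if idmap_delegated serge "$demo/subuid" "$demo/$conf" u; then
        echo "$conf: uid map is inside the delegated range"
    else
        echo "$conf: uid map is NOT covered by the delegated range"
    fi
done
```

On a real host, pass /etc/subuid with kind u and /etc/subgid with kind g, so that a config asking for host IDs the user was never granted is caught before the container is created.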