Quoting Michael H. Warfield (m...@wittsend.com):
> On Fri, 2013-11-01 at 16:30 -0500, Serge Hallyn wrote: 
> > Quoting Michael H. Warfield (m...@wittsend.com):
> > > On Fri, 2013-11-01 at 15:03 -0500, Serge Hallyn wrote: 
> > > > Quoting Michael H. Warfield (m...@wittsend.com):
> > > > > The only place that's being used is in creating a symlink...
> > > > > 
> > > > > /dev/.lxc/$name -> /dev/.lxc/$pathhash
> > > > > 
> > > > > I use it for the same reason you wanted the extra bind mounts to
> > > > > $lxcpath/$lxcname.dev.  In your case, you wanted to see the dev 
> > > > > mappings
> > > > 
> > > > Oh - gotcha.  Well in that case I'd say just create your own unique
> > > > $name.$index.  that should be enough info.
> > > 
> > > > Oh now unprivileged container creation of course will not be able
> > > > to do this as I won't be able to create /dev/.lxc/anything as uid
> > > > 1000.
> > > 
> > > Oh, we're going to have to look into that then.  We're doing other
> > > privileged operations like the bind mounts...  Hmmm...  It may have to
> 
> > bind mounts are ok.  we can do this in a private mntns.  That's how
> > I currently get around our inability to mknod in a userns - I
> > bind mount devices from the host into the container's /dev.
> 
> Ok...  How are you handling the creation of objects under $lxc_path
> then?  Obviously, I haven't been paying much attention to the unpriv
> user angle of things here.  Is it like many of the other virt systems
> where the user needs to be part of a particular group?  Could we do
> something similar?

No.  I mkdir /home/serge/lxcbase and do

        lxc-create -t tarball -n b1 -P /home/serge/lxcbase -f 
/home/serge/lxc.conf -- -T /home/serge/ubuntu.tgz

(tarball is a special template that just extracts the given tarball.
I'm working on a patch to not need to do that, but I've been very
distracted by other issues)

So the key is the "-P" which specifies that the container lives in a
directory which I own.

Ok, so really to get this to work I first need to:

1.  cat > /home/serge/lxc.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
EOF

2. sudo usermod -v 100000-200000 -w 100000-200000 serge

And then if I want to actually start the container (since I specified a
nic) I need to

3. cat >> /etc/lxc/lxc-usernet  << EOF
serge veth lxcbr0 2
EOF
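An added check, not part of the thread above: the three steps only work together if the host-side ranges named by lxc.id_map in the container config are actually the ranges that usermod -v/-w delegated to the user in /etc/subuid and /etc/subgid. A mapping that falls outside the delegated range is the usual reason an unprivileged lxc-start fails, so the script below compares the two. It takes the config and the subuid/subgid files as arguments (the sample files it creates are constructed here, not copied from a real host; the entry "serge:100000:100001" is what usermod -v 100000-200000 writes, since the range is inclusive).

```sh
#!/bin/sh
# Added example: verify that every lxc.id_map range in an lxc.conf lies
# inside a range delegated to the user in /etc/subuid (u) or /etc/subgid (g).

# check_idmap CONF SUBUID SUBGID USER
# Prints one line per lxc.id_map entry; returns non-zero if any is uncovered.
check_idmap() {
    awk -v user="$4" -v subuid="$2" -v subgid="$3" '
    # Load the delegated ranges; the file format is user:start:count.
    function load(file, kind,    line, f) {
        while ((getline line < file) > 0) {
            split(line, f, ":")
            if (f[1] == user) {
                n[kind]++
                rs[kind, n[kind]] = f[2] + 0   # first delegated id
                rc[kind, n[kind]] = f[3] + 0   # number of ids
            }
        }
        close(file)
    }
    BEGIN { load(subuid, "u"); load(subgid, "g"); bad = 0 }
    # Config line: lxc.id_map = <u|g> <container start> <host start> <count>
    $1 == "lxc.id_map" {
        kind = $3; host = $5 + 0; cnt = $6 + 0; ok = 0
        for (i = 1; i <= n[kind]; i++)
            if (host >= rs[kind, i] && host + cnt <= rs[kind, i] + rc[kind, i])
                ok = 1
        printf "%s %d-%d %s\n", kind, host, host + cnt - 1,
               (ok ? "covered" : "NOT delegated to " user)
        if (!ok) bad = 1
    }
    END { exit bad }' "$1"
}

# Constructed sample inputs so the check runs offline (not real host files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/lxc.conf" << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
EOF
# What "usermod -v 100000-200000 -w 100000-200000 serge" records.
printf 'serge:100000:100001\n' > "$demo_dir/subuid"
printf 'serge:100000:100001\n' > "$demo_dir/subgid"
# A config whose host range was never delegated.
printf 'lxc.id_map = u 0 300000 10000\n' > "$demo_dir/bad.conf"

if check_idmap "$demo_dir/lxc.conf" "$demo_dir/subuid" "$demo_dir/subgid" serge; then
    echo "lxc.conf: all id_map ranges delegated"
fi
if ! check_idmap "$demo_dir/bad.conf" "$demo_dir/subuid" "$demo_dir/subgid" serge; then
    echo "bad.conf: fix lxc.id_map or extend the subuid/subgid range"
fi
```

Run it against the real files with something like "check_idmap /home/serge/lxc.conf /etc/subuid /etc/subgid serge"; a non-zero exit means the config names ids the user cannot map. The lxc-usernet quota from step 3 is a separate check and is not covered here.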
