With this patchset I am able to create and run ubuntu-cloud containers
as non-root user.  Note this requires an up-to-date ubuntu trusty host to
get a userns-enabled kernel.  The steps:

1. install uidmap
        sudo apt-get install uidmap
2. make sure to have a range of allocated subuids, i.e.
        sudo usermod -v 100000-199999 -w 100000-199999 serge
3. make sure to allocate some nics
        echo "serge veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
4. set yourself up in cgroups which you own:
        for c in /sys/fs/cgroup/*; do
                sudo mkdir $c/serge;
                sudo chown -R serge: $c/serge;
                if [ `basename $c` = "cpuset" ]; then
                        echo 0 > $c/serge/cpuset.{cpus,mems}
                fi
                echo $$ > $c/serge/tasks;
        done
5. write a lxc.conf
        cat > ~/lxc.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
EOF
6. create an lxcpath for yourself
        mkdir /home/serge/lxcbase
7. you'll need to make lxc-user-nic setuid-root (as Makefile isn't doing that):
        sudo chmod u+s /usr/bin/lxc-user-nic

Now create the container:
        lxc-create -P /home/serge/lxcbase -n a1 -f /home/serge/lxc.conf -t ubuntu-cloud -- -r saucy
and start it:
        lxc-start -P /home/serge/lxcbase -n a1
You can stop it or open a console:
        lxc-console -P /home/serge/lxcbase -n a1
        lxc-stop -P /home/serge/lxcbase -n a1 -k

You can't yet delete such a container very easily.  (sudo and
lxc-usernsexec being the obvious ways)

It's not complete, but it's a start and doesn't (AFAICS) adversely affect
privileged use.

-serge
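An added check for steps 2 and 5 above (example code, not part of the post): it reads the lxc.id_map lines of an lxc.conf and confirms that each host-side range lies entirely inside the user's allocation in an /etc/subuid- or /etc/subgid-style file, so a mapping can never reach host uid/gid 0 or ids the user was not given. The user name, file contents and paths are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every lxc.id_map line in an
# lxc.conf maps into host ids the user owns ("user:first:count" lines, as usermod -v/-w writes).
# range_allows USER START COUNT FILE
#   returns 0 if FILE grants USER all of host ids START..START+COUNT-1
range_allows() {
    user=$1; start=$2; count=$3; file=$4
    end=$((start + count - 1))
    while IFS=: read -r u first cnt; do
        [ "$u" = "$user" ] || continue
        [ "$start" -ge "$first" ] && [ "$end" -le $((first + cnt - 1)) ] && return 0
    done < "$file"
    return 1
}

# check_idmap USER CONF SUBUID SUBGID
#   prints a verdict per lxc.id_map entry; returns 0 only if every entry fits
check_idmap() {
    user=$1; conf=$2; subuid=$3; subgid=$4; rc=0
    while IFS= read -r line; do
        case "$line" in
            \#*) continue ;;            # comment line
            *lxc.id_map*=*) ;;          # e.g. "lxc.id_map = u 0 100000 10000"
            *) continue ;;
        esac
        set -- $(printf '%s\n' "$line" | sed 's/^[^=]*=//')   # type cid hid count
        case "$1" in
            u) file=$subuid ;; g) file=$subgid ;;
            *) echo "BAD: unknown map type in '$line'"; rc=1; continue ;;
        esac
        if range_allows "$user" "$3" "$4" "$file"; then
            echo "ok : $1 $2 -> host $3..$(($3 + $4 - 1))"
        else
            echo "BAD: $1 $2 -> host $3..$(($3 + $4 - 1)) outside $user's range in $file"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# write_samples DIR: constructed stand-ins for /etc/subuid, /etc/subgid, the step-5
# lxc.conf, and a broken variant (maps container root onto host root; gid range overruns)
write_samples() {
    printf 'serge:100000:100000\n' > "$1/subuid"
    printf 'serge:100000:100000\n' > "$1/subgid"
    printf 'lxc.id_map = u 0 100000 10000\nlxc.id_map = g 0 100000 10000\n' > "$1/lxc.conf"
    printf 'lxc.id_map = u 0 0 65536\nlxc.id_map = g 0 195000 10000\n' > "$1/bad.conf"
}
d=$(mktemp -d); write_samples "$d"
check_idmap serge "$d/lxc.conf" "$d/subuid" "$d/subgid"
check_idmap serge "$d/bad.conf" "$d/subuid" "$d/subgid" || echo "bad.conf rejected"; rm -rf "$d"
```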

Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel