Hello, I'm testing containers on a host machine without SELinux, so I'm trying to use the idmap feature, but I must be missing something because all that I get is a read-only container for the root user.
# virsh version --daemon
Compiled against library: libvirt 2.5.0
Using library: libvirt 2.5.0
Using API: QEMU 2.5.0
Running hypervisor: QEMU 2.8.1
Running against daemon: 2.5.0

# virsh --connect lxc:/// dumpxml lab-gentoo-01
<domain type='lxc'>
  <name>lab-gentoo-01</name>
  <uuid>a9f73091-b716-4b61-95ad-fa1d0c061bef</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <idmap>
    <uid start='0' target='900' count='10'/>
    <gid start='0' target='900' count='10'/>
  </idmap>
  <features>
    <privnet/>
  </features>
  <cpu mode='host-model'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/media/containers/lab-gentoo-01/'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='00:16:3e:c8:13:14'/>
      <source bridge='bridge-01'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

# ls -l /media/containers/lab-gentoo-01/
total 36
drwxr-xr-x  2 root root 4096 Apr 13 07:33 bin
drwxr-xr-x  2 root root   18 Apr 13 03:28 boot
drwxr-xr-x  7 root root 4096 Apr 18 12:45 dev
drwxr-xr-x 31 root root 4096 Apr 18 12:49 etc
drwxr-xr-x  2 root root   18 Apr 13 03:28 home
lrwxrwxrwx  1 root root    5 Apr 13 06:13 lib -> lib64
drwxr-xr-x  2 root root 4096 Apr 13 06:14 lib32
drwxr-xr-x  9 root root 4096 Apr 13 07:33 lib64
drwxr-xr-x  2 root root   18 Apr 13 03:28 media
drwxr-xr-x  2 root root   18 Apr 13 03:28 mnt
drwxr-xr-x  2 root root   18 Apr 13 03:28 opt
drwxr-xr-x  2 root root    6 Apr 13 03:18 proc
drwx------  2 root root   18 Apr 13 03:28 root
drwxr-xr-x  2 root root   31 Apr 13 07:32 run
drwxr-xr-x  2 root root 4096 Apr 13 07:36 sbin
drwxr-xr-x  2 root root   18 Apr 13 03:28 sys
drwxrwxrwt  2 root root   18 Apr 13 07:36 tmp
drwxr-xr-x 13 root root 4096 Apr 18 12:49 usr
drwxr-xr-x  9 root root  102 Apr 13 03:28 var

# virsh --connect lxc:/// start --console lab-gentoo-01
Domain lab-gentoo-01 started
Connected to domain lab-gentoo-01
Escape character is ^]
sh-4.3# /usr/bin/id
uid=0(root) gid=0(root) groups=0(root)
sh-4.3# pwd
/
sh-4.3# touch asdf
touch: cannot touch 'asdf': Permission denied
sh-4.3#

Indeed the container is using the idmap feature, because the effective uid/gid map (900/900) is not allowing writes in the filesystem, but it doesn't seem very useful. Is it possible to have read/write containers while using idmap?
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users
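The situation in the post follows from the `ls -l` output: every file in the rootfs is owned by host uid/gid 0, but with `<idmap>` the container's root is host uid 900, so it is an unprivileged user on someone else's files. The usual fix on a libvirt/kernel stack of that vintage is to shift the ownership of the rootfs into the mapped range before starting the container (idmapped mounts, Linux 5.12 and later, avoid the chown, but nothing here uses them). The script below is an added example written for this note; it is not from the original poster or from libvirt. It assumes the rootfs was populated as host root and that every file's uid and gid lie inside the container id window `[START, START+COUNT)`; the `DRY_RUN` variable and the function names are this example's own.

```shell
#!/bin/sh
# shift_rootfs_ids.sh -- remap file ownership of a container root filesystem
# into the host id range declared by a libvirt <idmap>.
# Added example, not from the original post or from libvirt. It assumes the
# rootfs was populated as host root and that every file's uid/gid falls in the
# container id window [START, START+COUNT); DRY_RUN is this script's own knob.

# map_id START TARGET COUNT ID
# Print the host id that container id ID maps to under
#   <uid start='START' target='TARGET' count='COUNT'/>
# and return 1 when ID lies outside the window. A file owned by an unmapped
# id shows up as the overflow id (nobody, 65534) inside the container.
map_id() {
    start=$1; target=$2; count=$3; id=$4
    if [ "$id" -lt "$start" ] || [ "$id" -ge $((start + count)) ]; then
        return 1
    fi
    echo $((id - start + target))
}

# shift_tree ROOT START TARGET COUNT
# Walk ROOT and chown every entry whose uid and gid lie in the window to the
# corresponding host ids. The same START/TARGET/COUNT is applied to uid and
# gid, matching an <idmap> whose <uid> and <gid> elements are identical.
# Set DRY_RUN=1 to print the chown commands instead of running them.
# Real runs need CAP_CHOWN on the host; -h changes symlinks themselves.
# Uses GNU stat/find (Linux host). Entries outside the window are reported
# on stderr and left untouched.
shift_tree() {
    root=$1; start=$2; target=$3; count=$4
    find "$root" -exec stat -c '%u %g %n' {} + |
    while IFS=' ' read -r uid gid path; do
        new_uid=$(map_id "$start" "$target" "$count" "$uid") || {
            echo "skip (uid $uid outside window): $path" >&2; continue; }
        new_gid=$(map_id "$start" "$target" "$count" "$gid") || {
            echo "skip (gid $gid outside window): $path" >&2; continue; }
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "chown -h $new_uid:$new_gid $path"
        else
            chown -h "$new_uid:$new_gid" "$path"
        fi
    done
}

# Usage for the mapping in the post (run as root on the host):
#   DRY_RUN=1 sh shift_rootfs_ids.sh /media/containers/lab-gentoo-01 0 900 10
#   sh shift_rootfs_ids.sh /media/containers/lab-gentoo-01 0 900 10
if [ "$#" -eq 4 ]; then
    shift_tree "$@"
fi
```

Run it once in dry-run mode and read the `skip` lines before doing the real chown: with `count='10'` only container ids 0 through 9 have a host identity, so anything in the image owned by a higher system account would be left unmapped and appear as nobody inside the container, which is a hint to widen `count` (a full 65536-id window is the common choice) rather than to chown those files blindly. After the shift, `touch` as the container's root succeeds because the files are now owned by host uid 900, which is exactly what the `<idmap>` says container uid 0 is.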