Hey Serge,

On Sat, Jan 11, 2014 at 12:55 AM, Serge Hallyn <[email protected]> wrote:
> Quoting Stéphane Graber ([email protected]):
>> On Sat, Jan 11, 2014 at 12:18:12AM -0500, S.Çağlar Onur wrote:
>> > Hey Stéphane,
>> >
>> > On Fri, Jan 10, 2014 at 3:10 PM, Stéphane Graber <[email protected]>
>> > wrote:
>> > > Hey everyone,
>> > >
>> > > First of all, sorry for coming up with that so late in the 1.0
>> > > development cycle. I tried to convince myself for a long time that this
>> > > wasn't necessary, but the reality is that with unprivileged containers, we
>> > > need to start thinking about new ways to let our users create
>> > > containers.
>> >
>> > Not an objection but a question to understand more. I'm assuming the
>> > problem is that the tools used for bootstrapping (like
>> > debootstrap/febootstrap etc.) require some privileges. If that's the
>> > case, can't we write something (like setting the suid bit or giving
>> > the required capabilities via libcap) to let an unprivileged user create
>> > the container using the regular templates?
>>
>> The main problem we have at the moment is anything attempting to mknod.
>> Then we have some templates like fedora which use loop mounts and other
>> similar restricted kernel features.
>
> And to be clear, adding suid bits won't help as the templates run in a
> user namespace. Mounting block filesystems and creating devices are not
> allowed there for now, period.
I knew the lxc-create story; in fact, I believe you explained that part to me last week or so :)

What I suggested was writing something else (like lxc-user-create with enough capabilities) to call/drive the templates as a user, but after sleeping on it, I realized that that's no different from calling "sudo lxc-create" as a user.

> -serge
> _______________________________________________
> lxc-devel mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-devel

--
S.Çağlar Onur <[email protected]>
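As an added illustration of the point Serge makes above (this is example code written for this page, not code from the thread or from LXC), the C probe below forks a child, enters an unprivileged user namespace with the caller mapped to uid/gid 0, and then shows that mknod of a regular file succeeds while mknod of a character device (1:3, as a template's MAKEDEV step would create) is refused with EPERM, because CAP_MKNOD is checked against the initial user namespace. The function and result names, and the /tmp directory prefix, are the example's own assumptions; on a kernel or sandbox that refuses unprivileged user namespaces the probe reports PROBE_NO_USERNS instead.

```c
#define _GNU_SOURCE                 /* unshare() and CLONE_NEWUSER live under this in glibc */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000    /* value from <linux/sched.h>, in case the headers hid it */
#endif
int unshare(int flags);             /* same reason: glibc declares it only under _GNU_SOURCE */
/* NO_USERNS: an unprivileged user namespace could not be set up here (unshare or uid/gid map
 * refused). DEVNODE_DENIED: regular file ok, char device refused with EPERM (the expected
 * result). DEVNODE_ALLOWED: device node was created. OTHER_ERROR: anything else went wrong. */
enum { PROBE_NO_USERNS = 1, PROBE_DEVNODE_DENIED, PROBE_DEVNODE_ALLOWED, PROBE_OTHER_ERROR };
static int write_str(const char *path, const char *s) {
    int fd = open(path, O_WRONLY), ok = fd >= 0 && write(fd, s, strlen(s)) == (ssize_t)strlen(s);
    if (fd >= 0) close(fd);
    return ok ? 0 : -1;
}

/* Forked child: become uid/gid 0 in a fresh user namespace, then mknod a file and a device. */
static int child_probe(const char *dir) {
    char map[64]; unsigned uid = getuid(), gid = getgid();
    if (unshare(CLONE_NEWUSER) != 0) return PROBE_NO_USERNS;
    snprintf(map, sizeof map, "0 %u 1", uid);
    if (write_str("/proc/self/uid_map", map) != 0) return PROBE_NO_USERNS;
    write_str("/proc/self/setgroups", "deny");   /* must precede the gid_map write */
    snprintf(map, sizeof map, "0 %u 1", gid);
    if (write_str("/proc/self/gid_map", map) != 0) return PROBE_NO_USERNS;
    if (chdir(dir) != 0 || mknod("regular", S_IFREG | 0600, 0) != 0) return PROBE_OTHER_ERROR;
    if (mknod("null", S_IFCHR | 0600, makedev(1, 3)) == 0) return PROBE_DEVNODE_ALLOWED;
    return errno == EPERM ? PROBE_DEVNODE_DENIED : PROBE_OTHER_ERROR; /* CAP_MKNOD: init userns only */
}

/* Runs the probe in a child so the caller's own namespaces stay untouched. */
int probe_mknod_in_userns(void) {
    char dir[] = "/tmp/userns-probe-XXXXXX", path[64];
    if (!mkdtemp(dir)) return PROBE_OTHER_ERROR;
    pid_t pid = fork(); int status = 0;
    if (pid == 0) _exit(child_probe(dir));
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return PROBE_OTHER_ERROR;
    snprintf(path, sizeof path, "%s/regular", dir); unlink(path);   /* best-effort cleanup */
    snprintf(path, sizeof path, "%s/null", dir); unlink(path);
    rmdir(dir);
    return WIFEXITED(status) ? WEXITSTATUS(status) : PROBE_OTHER_ERROR;
}
```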
