On Feb 16, 2014, at 12:23 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:

> On Sun, Feb 16, 2014 at 03:51:50AM -0500, Brian Campbell wrote:
>> I'm running Debian Jessie (testing), and compiled lxc from a fresh git clone 
>> (7da8ab1: close inherited fds when we still have proc mounted). I would like 
>> to create a user container without using root privileges, so I set up UID 
>> mappings such that my user ID would map to root within the container. From 
>> what I can tell, this is all that should be necessary to get it to use user 
>> namespaces to operate unprivileged:
>> 
>> lambda@gherkin:lxc$ cat ~/.config/lxc/default.conf
>> lxc.id_map = u 0 1000 9999
>> lxc.id_map = g 0 1000 9999
>> lambda@gherkin:lxc$ id
>> uid=1000(lambda) gid=1000(lambda) 
>> groups=1000(lambda),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),104(scanner),109(bluetooth),112(netdev),125(vboxusers)
> 
> From the above, it seems like you didn't configure /etc/subuid and
> /etc/subgid. Without those (and a version of the shadow package which
> supports them), you won't be able to switch to those UID ranges.

Nope, I haven't done anything with them, and it looks like Debian's passwd 
doesn't have subuid/subgid support. Taking a look at the Ubuntu changelog, it 
looks like they were added as a patch to the Ubuntu package in 
1:4.1.5.1-1ubuntu5. Is there a Debian package already available for this, or 
should I try to extract the patches from the Ubuntu package and build my own?

Ah, looks like I should have read this: 
https://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/
before trying this; all I had seen was
https://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg05859.html 
which didn't mention anything about /etc/subuid and /etc/subgid.

-- Brian
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
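
The check discussed in this thread, as an added example that is not part of the original messages or of lxc: it parses the lxc.id_map lines and reports any host range that is not inside a range delegated to the user in /etc/subuid or /etc/subgid. The configuration and the user name lambda are taken from the message; the 100000:65536 delegation is a constructed sample, and requiring one delegated entry to cover the whole range is an assumption of this example.

```python
# Added example (not from the thread): verify that every lxc.id_map host
# range is covered by a subordinate-ID delegation for the user.

def parse_id_maps(conf_text):
    """Return (kind, container_start, host_start, count) per lxc.id_map line."""
    maps = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed lxc.id_map: {line!r}")
        maps.append((fields[0], int(fields[1]), int(fields[2]), int(fields[3])))
    return maps

def parse_subid(text, user):
    """Return (start, count) ranges delegated to user (name:start:count lines)."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges

def uncovered(conf_text, subuid_text, subgid_text, user):
    """List (kind, host_start, count) maps not inside one delegated range."""
    delegated = {"u": parse_subid(subuid_text, user),
                 "g": parse_subid(subgid_text, user)}
    bad = []
    for kind, _, host, count in parse_id_maps(conf_text):
        ok = any(start <= host and host + count <= start + n
                 for start, n in delegated[kind])
        if not ok:
            bad.append((kind, host, count))
    return bad

# CONF is the configuration from the message; SUBID and FIXED are constructed.
CONF = "lxc.id_map = u 0 1000 9999\nlxc.id_map = g 0 1000 9999\n"
SUBID = "lambda:100000:65536\n"
FIXED = "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n"

if __name__ == "__main__":
    print("no subuid/subgid entries:", uncovered(CONF, "", "", "lambda"))
    print("delegation, original map:", uncovered(CONF, SUBID, SUBID, "lambda"))
    print("delegation, map in range:", uncovered(FIXED, SUBID, SUBID, "lambda"))
```

On a real system the two text arguments would be the contents of /etc/subuid and /etc/subgid.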
