On Fri, Jul 19, 2013 at 02:26:47PM +0000, Serge Hallyn wrote: > With this patchset, I am able to create and start an ubuntu-cloud > container completely as an unprivileged user, on an ubuntu saucy > host with the kernel from ppa:ubuntu-lxc/kernel and the nsexec > package from ppa:serge-hallyn/userns-natty.
That's great! We're definetely getting close to having really useful
unprivileged containers!
>
> The one thing still completely unimplemented is networking. I am
> creating containers with lxc.network.type=empty to work around this.
> Once the rest of this settles down, I'll address that.
>
> lxc-destroy has not yet been updated, so right now the easiest way
> to delete these containers is as root. lxc-console and lxc-stop do
> work as expected.
>
> ====================
> Prerequisities:
> ====================
>
> 1. A privileged user or init script needs to create
> /run/lock/lxc/$HOME
> and set perms so $USER can create locks there.
I have a feeling we already talked about this but my memory needs to be
refreshed, why can't we use XDG_RUNTIME_DIR for that instead of
requiring a privileged process to create a directory under
/run/lock/lxc?
Was that only for the corner case where multiple users may have write
access and uid/gid mapping to a shared container? Is that actually
likely to happen (you'd need the same uid/gid allocation for both users
and have the container on a shared path for it to be a problem).
> 2. Before starting the container you'll need to be in a cgroup you
> can manipulate. I do this with:
>
> #!/bin/sh
> name=`whoami`
> for d in /sys/fs/cgroup/*; do
> sudo mkdir $d/$name
> sudo chown -R $name $d/$name
> done
> echo 0 | sudo tee -a /sys/fs/cgroup/cpuset/$name/cpuset.cpus
> echo 0 | sudo tee -a /sys/fs/cgroup/cpuset/$name/cpuset.mems
>
> followed by:
>
> cgroup_enter() {
> name=`whoami`
> for d in /sys/fs/cgroup/*; do
> echo $$ > $d/$name/cgroup.procs
> done
> }
>
> 3. You need to give your user some subuids. If you're creating a
> new saucy system to use this on, then you already have some - check
> /etc/subuids. If not, then add some using "usermod -w 100000-299999
> -v 100000-299999 $user"
I'm assuming you mean /etc/subuid and /etc/subgid?
On up to date saucy, those two files are empty but I guess we may be
getting some allocation for new users or on new installs?
>
> 4. I copied the ubuntu-cloud tarball into my home directory since the
> template won't be able to download it without changes:
>
> sudo lxc-create -t ubuntu-cloud -n cloud1 -- -r precise
> cp /var/cache/lxc/cloud-precise/*.gz ~/precise.tar.gz
>
> 5. I created a configuration file to set the id mapping and set the
> empty network.
>
> cat > ~/default.conf << EOF
> lxc.network.type = empty
> lxc.id_map = u 0 100000 10000
> lxc.id_map = g 0 100000 10000
> EOF
>
> 6. Finally, so that the ubuntu-cloud container will fully start up
> without networking (just a 2 minute delay waiting in vain for eth0
> to come up), copy the lxc-ubuntu-cloud template to your home directory
> and sed -i 's/nocloud-net/nocloud/' on it, then call that template
> (using the full path) to create the container.
>
> ====================
> Commands:
> ====================
>
> The actual commands I use are:
>
> lxc-create -t /home/serge/lxc-ubuntu-cloud -P /home/serge/lxcbase -n x3 -f
> default.conf -- -T precise.tar.gz
> lxc-start -P /home/serge/lxcbase -n x3
>
> And voila, it waits 2 minutes for eth0, then gives me a prompt at
> which I can login.
>
> ====================
> Explanations:
> ====================
>
> When you create a new user namespace, it initially is unmapped. Your task
> has uid and gid -1. You can then map userids from the parent namespace onto
> userids in the new namespace by ranges. For instance if you are userid 1000,
> then you can map uid 1000 in the parent to uid 0 in the namespace. From the
> kernel's point of view, you can only map uids which you have privilege over -
> either by being that uid, or having CAP_SYS_ADMIN in the parent.
>
> This is where subuids come in. /etc/subuids and /etc/subgids list range of
> uids which users are allowed to map. The newuidmap and newgidmap are
> setuid-root
> programs which will respect those subuids to allow unprivileged users to map
> their allotted subuids.
>
> Lxc uses these programs (indirectly through the 'usernsexec' program) to allow
> unprivileged users to map their allotted subuids to containers.
>
> Of note is that regular DAC and MAC remain unchanged. Therefore although I
> as user serge/uid 1000 may have 100000-199999 as my subuids, I do not own
> files owned by those subuids! To work around this, map the uids together into
> a namespace. For instance, if you are uid 1000 and want to create a file
> owned
> by uid 100000, you can
>
> touch foo
> usernsexec -m b:0:100000:1 -m b:1000:1000 -- /bin/chown 0 foo
>
> This maps 100000 on the host to root in the container, and 1000 to 1000
> in the container. So 100000 has privilege over the namespace. It is
> therefore allowed to chown a file owned by uid 1000 (which is really 1000)
> to uid 0 (which is really 100000). You end up with foo owned by
> 100000:100000. You can do the same sort of games to clean up containers.
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
signature.asc
Description: Digital signature
------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
