On Tue, Nov 05, 2013 at 02:12:58PM -0600, Serge Hallyn wrote:
> With this patchset I am able to create and run ubuntu-cloud containers
> as non-root user.  Note this requires an up-to-date ubuntu trusty host to
> get a userns-enabled kernel.  The steps:
> 
> 1. install uidmap
>       sudo apt-get install uidmap
> 2. make sure to have a range of allocated subuids, i.e.
>       sudo usermod -v 100000-199999 -w 100000-199999 serge
> 3. make sure to allocate some nics
>       echo "serge veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
> 4. set yourself up in cgroups which you own:
>       for c in /sys/fs/cgroup/*; do
>               sudo mkdir $c/serge;
>               sudo chown -R serge: $c/serge;
>               if [ `basename $c` = "cpuset" ]; then
>                       echo 0 > $c/serge/cpuset.{cpus,mems}
>               fi
>               echo $$ > $c/serge/tasks;
>       done
> 5. write a lxc.conf
>       cat > ~/lxc.conf << EOF
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> lxc.network.flags = up
> lxc.id_map = u 0 100000 10000
> lxc.id_map = g 0 100000 10000
> EOF
> 6. create an lxcpath for yourself
>       mkdir /home/serge/lxcbase
> 7. you'll need to make lxc-user-nic setuid-root (as Makefile isn't doing 
> that):
>       sudo chmod u+s /usr/bin/lxc-user-nic

Why isn't the Makefile doing that?

> 
> Now create the container:
>       lxc-create -P /home/serge/lxcbase -n a1 -f /home/serge/lxc.conf -t ubuntu-cloud -- -r saucy
> and start it:
>       lxc-start -P /home/serge/lxcbase -n a1
> You can stop it or open a console:
>       lxc-console -P /home/serge/lxcbase -n a1
>       lxc-stop -P /home/serge/lxcbase -n a1 -k
> 
> You can't yet delete such a container very easily.  (sudo and
> lxc-usernsexec being the obvious ways)
> 
> It's not complete, but it's a start and doesn't (AFAICS) adversely affect
> privileged use.
> 
> -serge
> 
> ------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models. Explore
> techniques for threading, error checking, porting, and tuning. Get the most 
> from the latest Intel processors and coprocessors. See abstracts and register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

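Steps 2 and 5 of the quoted recipe tie the host's subuid/subgid allocation to the container's lxc.id_map lines, and nothing in the recipe checks that the two agree. The POSIX sh script below is an added example, not code from the original thread or from LXC itself: it generates the same lxc.conf the mail writes and checks each lxc.id_map line against the user's allocated range before the container is created. The /etc/subuid and /etc/subgid contents are constructed samples in the usermod -v/-w format (user:start:count), and the function names are hypothetical.

```shell
# Constructed stand-ins for /etc/subuid and /etc/subgid. "serge:100000:100000"
# is what "usermod -v 100000-199999 -w 100000-199999 serge" allocates; alice is
# a second user with a smaller, different range so that a mismatch can be shown.
SAMPLE_SUBUID="root:100000:65536
serge:100000:100000
alice:300000:65536"
SAMPLE_SUBGID="serge:100000:100000
alice:300000:65536"

# Print "<start> <count>" for user $1 from subuid/subgid-format text on stdin.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# Succeed when the host ids [$1, $1+$2) lie inside the allocated range [$3, $3+$4).
range_fits() {
    [ "$1" -ge "$3" ] && [ $(( $1 + $2 )) -le $(( $3 + $4 )) ]
}

# Emit the lxc.conf from the mail: $1 = first host id, $2 = how many ids to map,
# $3 = bridge for the veth.  Container ids 0..$2-1 map to host ids $1..$1+$2-1.
make_lxc_conf() {
    printf 'lxc.network.type = veth\nlxc.network.link = %s\nlxc.network.flags = up\n' "$3"
    printf 'lxc.id_map = u 0 %s %s\nlxc.id_map = g 0 %s %s\n' "$1" "$2" "$1" "$2"
}

# Check every "lxc.id_map = u|g <ctr> <host> <count>" line in config text $2 for
# user $1 against subuid text $3 and subgid text $4.  Prints one verdict per
# line and returns 1 if any line maps ids the user has not been allocated.
check_id_maps() {
    user=$1; conf=$2
    set -- $(printf '%s\n' "$3" | subid_range "$user") \
           $(printf '%s\n' "$4" | subid_range "$user")
    [ $# -eq 4 ] || { echo "no subuid/subgid range allocated for $user"; return 1; }
    ustart=$1; ucount=$2; gstart=$3; gcount=$4
    printf '%s\n' "$conf" |
    awk '/^lxc\.id_map[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }' |
    while read -r kind ctr host count; do
        case $kind in
            u) rstart=$ustart; rcount=$ucount ;;
            g) rstart=$gstart; rcount=$gcount ;;
            *) echo "BAD  unknown id_map kind '$kind'"; exit 1 ;;
        esac
        last=$(( rstart + rcount - 1 ))
        if range_fits "$host" "$count" "$rstart" "$rcount"; then
            echo "ok   $kind: container $ctr.. -> host $host.. (+$count) inside $rstart..$last"
        else
            echo "BAD  $kind: container $ctr.. -> host $host.. (+$count) outside $rstart..$last"
            exit 1
        fi
    done
}

# Stand-alone run: the mail's mapping passes, an oversized one does not.
check_id_maps serge "$(make_lxc_conf 100000 10000 lxcbr0)" "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"
check_id_maps serge "$(make_lxc_conf 150000 60000 lxcbr0)" "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" || true
```

On a real host, feed the script the actual files (`"$(cat /etc/subuid)"` and `"$(cat /etc/subgid)"`) and only write ~/lxc.conf when the check passes; a mapping outside the allocated range is exactly what the setuid newuidmap/newgidmap helpers from the uidmap package refuse, so catching it here gives a clearer error than a failed lxc-start. Note that the key names are those of LXC at the time of the mail; LXC 2.1 and later renamed lxc.id_map to lxc.idmap and lxc.network.* to lxc.net.0.*, so adjust the awk pattern and make_lxc_conf accordingly on a current release.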
