Quoting Michael H. Warfield ([email protected]):
> On Thu, 2014-01-09 at 08:08 +0200, Kevin Wilson wrote:
> > Hello,
> > I believe that creating a container as non root user should be
> > straight-forward.
>
> Sigh... I'm afraid not...
>
> Funny, Serge and I just had a couple of comments in exchange about this
> very thing with regards to templates. He's been working on getting
> containers to run under unprivileged users and I know the Fedora and
> CentOS templates will not even run under a non-user (they check). His
> remark was that most templates will not and can not, including the
> Ubuntu template. Problem with the Ubuntu template (and, presumably the
> Debian template) is the use of debboot which, in turn, uses mknod to
> create devices for the container - and you're then toast.
>
> The problem there is that there are going to be privileged operations
> (chown, mknod, etc) that are simply going to require privileges in the
> host which are not available to the non-priv user.

Note though that anything that just untars an image will work fine.
This is why ubuntu-cloud works, and cirros should too (I just need to
test it and then presumably do some tweaks). Main thing is that any
image bootstrap mechanism which exits in failure when it can't create
devices is not gonna fly, unless we do some ld_preload hackery.

-serge

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
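
An added example, not part of the original thread and not LXC code: a pre-flight scan of a rootfs tarball for device-node members, the entries that extraction would have to create with mknod, which the quoted message names as a privileged operation unavailable to the non-privileged user. The sample tarball is constructed in memory and the function names are hypothetical.

```python
import io
import tarfile


def build_sample_rootfs() -> bytes:
    """Constructed sample: a tiny rootfs tarball built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # Regular file: extracting it needs no special privilege.
        data = b"root:x:0:0:root:/root:/bin/sh\n"
        info = tarfile.TarInfo("etc/passwd")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        # Character device (numbered like /dev/null): extraction calls mknod.
        dev = tarfile.TarInfo("dev/null")
        dev.type = tarfile.CHRTYPE
        dev.devmajor, dev.devminor = 1, 3
        dev.mode = 0o666
        tar.addfile(dev)
        # Block device: extraction also calls mknod.
        blk = tarfile.TarInfo("dev/loop0")
        blk.type = tarfile.BLKTYPE
        blk.devmajor, blk.devminor = 7, 0
        tar.addfile(blk)
    return buf.getvalue()


def members_needing_mknod(tar_bytes: bytes):
    """Return (name, kind, major, minor) for every device-node member.

    FIFOs are left out on purpose: creating one does not require the
    privilege that character and block device nodes do.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.ischr() or m.isblk():
                kind = "char" if m.ischr() else "block"
                found.append((m.name, kind, m.devmajor, m.devminor))
    return found


if __name__ == "__main__":
    for name, kind, major, minor in members_needing_mknod(build_sample_rootfs()):
        print(f"{name}: {kind} device {major}:{minor} (extraction needs mknod)")
```

An empty result means plain extraction of the image creates no device nodes; ownership changes (chown) are a separate privileged operation that this scan does not cover.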
