Quoting Robert Pendell ([email protected]):
> On Thu, May 8, 2014 at 12:48 PM, Robert Pendell <[email protected]> wrote:
> > On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <[email protected]> wrote:
> >> Quoting Robert Pendell ([email protected]):
> >>> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <[email protected]> wrote:
> >>> > Quoting Robert Pendell ([email protected]):
> >>> >> OS: Ubuntu 14.04 LTS x86_64
> >>> >> Kernel: Host-Supplied 3.14.1
> >>> >> Provider: Linode
> >>> >> Host Virtualization: Xen Paravirtualized
> >>> >> LXC Version: 1.0.3-0ubuntu3
> >>> >>
> >>> >> On a fresh boot unprivileged containers are not starting automatically even though they have lxc.start.auto enabled. lxc-ls as the user confirms autostart is enabled as well.
> >>> >>
> >>> >> Is this a bug or intended or am I just missing something really obvious in my configuration?
> >>> >
> >>> > By default only containers in /var/lib/lxc are autostarted. You could edit /etc/lxc/lxc.conf to change that. If you're ok with them only starting on login you might also be able to use a user upstart session job, but I suspect tying the containers so closely to your login session won't be what you want.
> >>>
> >>> That would be an accurate assumption. At this point if I need to I can login and start the container manually. I checked lxc.conf and I'm not sure how to set it up the way you suggest. This system may end up being home to multiple containers that are mixed between locations.
> >>>
> >>> P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
> >>
> >> It doesn't list containers under your home dir. However if you create a root-owned unprivileged container, lxc-autostart will list it:
> >>
> >> cat > lxc.conf << EOF
> >> lxc.network.type = veth
> >> lxc.network.link = lxcbr0
> >> lxc.id_map = u 0 100000 100000
> >> lxc.id_map = g 0 100000 100000
> >> lxc.aa_profile = lxc-container-default-with-nesting
> >> lxc.start.auto = 1
> >> lxc.mount.auto = cgroup
> >> EOF
> >> sudo lxc-create -t download -n listme1 -f lxc.conf
> >>
> >> After this,
> >> sudo lxc-autostart -L
> >> should show
> >> listme1 0
> >
> > Ok. So I got a chance to give this a shot but unfortunately I'm being denied the ability to actually change uid. Should I need to add root to /etc/subuid and /etc/subgid in order to accomplish this? I left the AA profile define out because it won't apply in my case since apparmor is disabled at kernel level.
> >
> > Error:
> > newuidmap: uid range [0-65536) -> [100000-165536) not allowed
> > error mapping child
> > setgid: Invalid argument
> > lxc_container: container creation template for gateone failed
> > lxc_container: Error creating container gateone
> >
> > I tried to add it manually after the fact and it refuses to boot, giving the same error as what I got before. Finally I went back and added root to subuid and subgid and it seemed to work fine at that point, however it still won't start. Here is the result of an info check. Just so you know I gave root 65536 ids starting at 800000 for the unprivileged containers. For some reason though it fails at a permission denied error for /var/lib/lxc. It is obviously just a permission error but I don't know if it would be safe to add x for others.
>
> Right after posting I thought I'd give it a shot so I added 'x' to the others so that it shows as rwx for root and just x for others and that

fwiw the reason you had to do that is that /var/lib/lxc could have vulnerable setuid-root binaries from a non-updated container, so /var/lib/lxc is now not accessible by default by non-root users. It may be worth adding a lxc group and making /var/lib/lxc g+w. Then the upstart jobs could run as user jdoe and group lxc and still access the container rootfs as they should.

> worked beautifully allowing the containers to boot. Checking with ps axfO euser on the host confirms that processes within the container are running "unprivileged".
>
> However if there are any concerns that I should be aware of then please tell me so that I might be able to try to address them in the future. I have my own devils to contend with being I lack apparmor support but I think it should be safe "enough" for my purposes if I keep public services running in unprivileged containers.
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
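The "newuidmap: uid range ... not allowed" failure in the thread comes down to whether the host-side ranges in the container's lxc.id_map lines are granted to the container's owner in /etc/subuid and /etc/subgid. Below is an added pre-flight check for that condition; it is not code from the thread or from LXC, and the owner names, sub-id allocations and config files it writes are constructed sample data, not a real system.

```shell
#!/bin/sh
# Added example (not from the thread or from LXC): pre-flight check that every
# host-side range in a config's lxc.id_map lines is granted to the container's
# owner in /etc/subuid and /etc/subgid, i.e. the condition behind
# "newuidmap: uid range [...) -> [...) not allowed". Sample files are constructed.
# range_allowed OWNER HOST_START COUNT FILE: succeeds if some "OWNER:start:count"
# line in FILE fully contains [HOST_START, HOST_START+COUNT).
range_allowed() {
    awk -F: -v o="$1" -v s="$2" -v c="$3" '
        $1 == o && $2 <= s && s + c <= $2 + $3 { ok = 1 }
        END { if (ok) exit 0; exit 1 }' "$4"
}

# check_idmap CONF OWNER SUBUID SUBGID: walks every lxc.id_map line in CONF and
# returns the number of ranges OWNER may not use (0 = the mapping would pass).
check_idmap() {
    bad=0
    while read -r kind cstart hstart count; do   # cstart: container-side start
        [ -n "$kind" ] || continue
        case "$kind" in
            u) file=$3 ;;
            g) file=$4 ;;
            *) echo "skipping unknown id_map type '$kind'"; continue ;;
        esac
        last=$((hstart + count - 1))
        if range_allowed "$2" "$hstart" "$count" "$file"; then
            echo "ok:     $kind $hstart-$last is granted to $2 in $file"
        else
            echo "DENIED: $kind $hstart-$last is not granted to $2 in $file"
            bad=$((bad + 1))
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*lxc\.id_map[[:space:]]*=[[:space:]]*//p' "$1")
EOF
    return "$bad"
}

# Constructed sample files mirroring the thread: jdoe holds 100000+65536, root
# was later given 800000+65536; one config as posted, one moved onto root's range.
write_samples() {
    printf 'jdoe:100000:65536\nroot:800000:65536\n' > "$1/subuid"
    cp "$1/subuid" "$1/subgid"
    printf 'lxc.id_map = u 0 100000 100000\nlxc.id_map = g 0 100000 100000\n' > "$1/as_posted.conf"
    printf 'lxc.id_map = u 0 800000 65536\nlxc.id_map = g 0 800000 65536\n' > "$1/fixed.conf"
}
tmp=$(mktemp -d); write_samples "$tmp"
check_idmap "$tmp/as_posted.conf" root "$tmp/subuid" "$tmp/subgid" || echo "-> lxc-create as root would fail at newuidmap"
check_idmap "$tmp/fixed.conf" root "$tmp/subuid" "$tmp/subgid" && echo "-> mapping acceptable for root"
rm -rf "$tmp"
```

Running it against the real /etc/subuid and /etc/subgid with the container's actual owner tells you in advance whether the sub-id allocation, not a directory permission, is what will stop the container.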
