Quoting Robert Pendell ([email protected]):
> On Thu, May 8, 2014 at 11:35 PM, Serge Hallyn <[email protected]> wrote:
> > Quoting Robert Pendell ([email protected]):
> >> On Thu, May 8, 2014 at 12:48 PM, Robert Pendell
> >> <[email protected]> wrote:
> >> > On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <[email protected]>
> >> > wrote:
> >> >> Quoting Robert Pendell ([email protected]):
> >> >>> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <[email protected]>
> >> >>> wrote:
> >> >>> > Quoting Robert Pendell ([email protected]):
> >> >>> >> OS: Ubuntu 14.04 LTS x86_64
> >> >>> >> Kernel: Host-Supplied 3.14.1
> >> >>> >> Provider: Linode
> >> >>> >> Host Virtualization: Xen Paravirtualized
> >> >>> >> LXC Version: 1.0.3-0ubuntu3
> >> >>> >>
> >> >>> >> On a fresh boot unprivileged containers are not starting
> >> >>> >> automatically even though they have lxc.start.auto enabled.
> >> >>> >> lxc-ls as the user confirms autostart is enabled as well.
> >> >>> >>
> >> >>> >> Is this a bug or intended, or am I just missing something really
> >> >>> >> obvious in my configuration?
> >> >>> >
> >> >>> > By default only containers in /var/lib/lxc are autostarted. You
> >> >>> > could edit /etc/lxc/lxc.conf to change that. If you're ok with
> >> >>> > them only starting on login you might also be able to use a user
> >> >>> > upstart session job, but I suspect tying the containers so closely
> >> >>> > to your login session won't be what you want.
> >> >>> >
> >> >>>
> >> >>> That would be an accurate assumption. At this point if I need to I
> >> >>> can log in and start the container manually. I checked lxc.conf and
> >> >>> I'm not sure how to set it up the way you suggest. This system may
> >> >>> end up being home to multiple containers that are mixed between
> >> >>> locations.
> >> >>>
> >> >>> P.S. - I noticed that lxc-autostart doesn't list unprivileged
> >> >>> containers?
> >> >>
> >> >> It doesn't list containers under your home dir. However, if you create
> >> >> a root-owned unprivileged container, lxc-autostart will list it:
> >> >>
> >> >> cat > lxc.conf << EOF
> >> >> lxc.network.type = veth
> >> >> lxc.network.link = lxcbr0
> >> >> lxc.id_map = u 0 100000 100000
> >> >> lxc.id_map = g 0 100000 100000
> >> >> lxc.aa_profile = lxc-container-default-with-nesting
> >> >> lxc.start.auto = 1
> >> >> lxc.mount.auto = cgroup
> >> >> EOF
> >> >> sudo lxc-create -t download -n listme1 -f lxc.conf
> >> >>
> >> >> After this,
> >> >> sudo lxc-autostart -L
> >> >> should show
> >> >> listme1 0
> >> >>
> >> >
> >> >
> >> > Ok. So I got a chance to give this a shot, but unfortunately I'm being
> >> > denied the ability to actually change uid. Should I need to add root
> >> > to /etc/subuid and /etc/subgid in order to accomplish this? I left
> >> > the AA profile definition out because it won't apply in my case, since
> >> > apparmor is disabled at the kernel level.
> >> >
> >> > Error:
> >> > newuidmap: uid range [0-65536) -> [100000-165536) not allowed
> >> > error mapping child
> >> > setgid: Invalid argument
> >> > lxc_container: container creation template for gateone failed
> >> > lxc_container: Error creating container gateone
> >> >
> >> > I tried to add it manually after the fact and it refuses to boot,
> >> > giving the same error as what I got before. Finally I went back and
> >> > added root to subuid and subgid, and it seemed to work fine at that
> >> > point; however it still won't start. Here is the result of an info
> >> > check. Just so you know, I gave root 65536 ids starting at 800000 for
> >> > the unprivileged containers. For some reason though it fails with a
> >> > permission denied error for /var/lib/lxc. It is obviously just a
> >> > permission error, but I don't know if it would be safe to add x for
> >> > others.
> >> >
> >>
> >> Right after posting I thought I'd give it a shot, so I added 'x' for
> >> others so that it shows as rwx for root and just x for others, and that
> >
> > fwiw the reason you had to do that is that /var/lib/lxc could have
> > vulnerable setuid-root binaries from a non-updated container, so
> > /var/lib/lxc is now not accessible by default by non-root users. It
> > may be worth adding an lxc group and making /var/lib/lxc g+w. Then the
> > upstart jobs could run as user jdoe and group lxc and still access
> > the container rootfs as they should.
> >
>
> I just realized one other side effect of this. With o+x present
> I can traverse the entire tree down as non-root if I know the running
> folder of the lxc container. Without it I can't get into any folder
> at all.
>
> Any idea on how one might accomplish what you suggest?
Currently the permissions are set in debian/rules in the override_dh_builddeb rule. I suspect we'd have to add the lxc group in preinst, then chgrp /var/lib/lxc in postinst (only on new installations).

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
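As an added example, not code from the thread or from the lxc project, here is a shell pre-flight for the root-owned unprivileged container set-up discussed above. The first two functions apply the rule behind the quoted "uid range [...] not allowed" error: newuidmap and newgidmap only accept a mapping whose host-side range lies inside a single /etc/subuid or /etc/subgid entry for the calling user, so every lxc.id_map line is checked against those files before lxc-create is run. The last functions perform the postinst-style change sketched in the reply (ensure an lxc group exists, hand /var/lib/lxc to root:lxc, drop the "others" bits that let any local user walk into a container rootfs) and let you verify the result. The group name "lxc", the 2770 mode, the directory and the sample /etc/subuid and lxc.conf contents are assumptions or constructed data, not packaging defaults.

```shell
#!/bin/sh
# Added example (not from the lxc project or the mailing-list thread).
#
# idmap_allowed FILE USER HOST_START COUNT
#   FILE holds shadow-style "user:start:count" lines (/etc/subuid or
#   /etc/subgid). Succeeds when [HOST_START, HOST_START+COUNT) lies inside
#   one entry for USER, which is what newuidmap/newgidmap require.
idmap_allowed() {
    awk -F: -v u="$2" -v s="$3" -v n="$4" '
        $1 == u && s >= $2 && s + n <= $2 + $3 { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# check_idmaps CONF SUBUID SUBGID USER
#   Reads every "lxc.id_map = <u|g> <ct_start> <host_start> <count>" line
#   of CONF and reports whether USER may map it; returns 1 if any would be
#   refused (the case that produced the error quoted in the thread).
check_idmaps() {
    conf=$1 subuid=$2 subgid=$3 owner=$4 rc=0
    while read -r key eq kind cstart hstart count; do
        [ "$key" = "lxc.id_map" ] || continue
        case $kind in
            u) f=$subuid ;;
            g) f=$subgid ;;
            *) continue ;;
        esac
        if idmap_allowed "$f" "$owner" "$hstart" "$count"; then
            printf 'ok:     %s [%s-%s) -> [%s-%s)\n' \
                "$kind" "$cstart" "$((cstart + count))" "$hstart" "$((hstart + count))"
        else
            printf 'denied: %s [%s-%s) -> [%s-%s) is not inside one %s entry for %s\n' \
                "$kind" "$cstart" "$((cstart + count))" "$hstart" "$((hstart + count))" "$f" "$owner"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# setup_lxc_dir DIR GROUP [MODE]
#   The postinst-style step: create GROUP if missing (groupadd needs root;
#   it is skipped when the group already exists), chgrp DIR to it and set
#   MODE. Default 2770 (assumption): rwx for root and the group, nothing
#   for others, setgid so container directories created later inherit the
#   group instead of being root:root.
setup_lxc_dir() {
    dir=$1 grp=$2 mode=${3:-2770}
    getent group "$grp" >/dev/null || groupadd --system "$grp"
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod "$mode" "$dir"
}

# dir_mode DIR -> octal permission bits, e.g. "2770" (GNU stat).
dir_mode() { stat -c '%a' "$1"; }

# others_can_traverse DIR -> success if the o+x bit is set, i.e. any local
#   user can descend into the tree if they know a path inside it.
others_can_traverse() {
    [ $(( 0$(stat -c '%a' "$1") & 01 )) -ne 0 ]
}

# --- constructed demo data, not real system files ---
tmp=$(mktemp -d)
cat > "$tmp/subuid" <<'EOF'
root:800000:65536
jdoe:100000:65536
EOF
cp "$tmp/subuid" "$tmp/subgid"
cat > "$tmp/lxc.conf" <<'EOF'
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 100000 100000
lxc.id_map = g 0 100000 100000
lxc.start.auto = 1
EOF
# root only owns 800000..865535 here, so the config's 100000..199999 is denied.
check_idmaps "$tmp/lxc.conf" "$tmp/subuid" "$tmp/subgid" root \
    || echo "adjust lxc.id_map or /etc/subuid and /etc/subgid before lxc-create"
# Stand-in for "chgrp lxc /var/lib/lxc": own group so it runs without root.
setup_lxc_dir "$tmp/lxc" "$(id -gn)"
echo "mode $(dir_mode "$tmp/lxc"), others can traverse: $(others_can_traverse "$tmp/lxc" && echo yes || echo no)"
rm -rf "$tmp"
```

Run the check with the real files (`check_idmaps lxc.conf /etc/subuid /etc/subgid root`) before `sudo lxc-create`; a "denied" line means newuidmap will refuse the same range. The setup function is written so that it can be rerun safely on an existing installation.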
