On 07/03/2014 11:46 PM, Serge Hallyn wrote:
Quoting Christoph Willing (chris.will...@iinet.net.au):
I'm trying to make unprivileged containers work nicely on Slackware
- with some success. After some updates (kernel config, latest
shadow, latest lxc, install cgmanager) I worked through steps at
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/.
I've made a Slackware template with which I can create a working
normal privileged container. I then use Serge Hallyn's uidmapshift
on it and copy the resulting unprivileged container into
$USER/.local/share/lxc/ from where it can be run by the user. It all
works fine.

The only wrinkle is that before being able to run lxc-start for the
first time on an unprivileged container, the user must first run the
commands:
     sudo cgm create all $USER
     sudo cgm chown all $USER $(id -u) $(id -g)
     sudo cgm movepid all $USER $$
I'd like to avoid that if possible.

Interestingly,
- those commands only need to be run once in a given terminal
session (run lxc-start any number of times after that)
- those commands need to be run in any new terminal in which
lxc-start is to be run on an unprivileged container i.e. running
them in one terminal doesn't bless any new terminal sessions
- the commands don't work when executed from a script
- the commands don't work if executed by root on the user's behalf

Ideally this would be set up either at boot time for "approved"
users or whenever the approved users log in to the machine. I have
tried chmod'ing cgm to setuid root (not sure that would be a good
long term solution anyway) and it succeeded with first and last of
those commands but not the second (cgm chown ..).

Could someone explain how this is managed in other distros where
running unprivileged already works please? I have an uneasy feeling

Yup, it's done via pam_systemd.so

that it's via PAM (the last of the prerequisites mentioned on
Stephane's page) but PAM is not used in Slackware and most unlikely
to be introduced.

BTW, the situation is exactly the same when using the download
template to run the available premade containers i.e. I don't
believe it's a problem with the template I made myself. Anyway, this
is surely something to be arranged in the host, not in the container
itself.

Any description of how the user environment is set up and/or tips
about this would be greatly appreciated.

So what is the standard way that Slackware does things like chowning
audio and cdrom devices to the user logging in on console?  I would
hook that with a script that creates, sets up, and chowns new cgroups
and moves the new user into it.

Thanks for the response, Serge - it must have just crossed my last email with a solution I found that is, more or less, what you've suggested.

In Slackware, things like video, audio, cdrom etc., have their own groups and when a new user is created on the system, they're optionally made members of those groups. I've just made a new group (lxcusers - like vboxusers) and when users who are members of that group log in, their cgroups are set up. The breakthrough was finding that the cgroup setup script (which uses your cgm) should be sourced, not executed.

It's a bit clunky but it works and is good enough for now.

chris
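The following is an added example, not Chris's script or anything from the LXC or cgmanager projects, of a login-shell snippet along the lines of the fix described above. It assumes a hypothetical install path of /etc/profile.d/lxc-cgroups.sh (sourced by Slackware login shells), that the approved-users group is the "lxcusers" group Chris mentions, that sudo is configured to let that group run cgm, and that cgm names the delegated cgroup after the user so that /proc/self/cgroup can be used to tell whether the current shell has already been moved. The key points it makes explicit are why the file has to be sourced rather than executed (the `cgm movepid ... $$` step moves the calling shell; an executed script would move only its own short-lived PID), that delegation is gated on an explicit group instead of making cgm setuid, and that sourcing it twice in one session is a no-op.

```shell
# /etc/profile.d/lxc-cgroups.sh (hypothetical path; added example, not from the thread)
# Must be SOURCED by the login shell: "cgm movepid all $USER $$" moves the
# calling shell into the new cgroup, so running this as a separate script
# would only move that script's own PID, which exits immediately.
# Assumptions: group "lxcusers" holds the approved users, sudo permits that
# group to run cgm, and cgm creates the cgroup as ".../<username>".

LXC_CGROUP_GROUP="${LXC_CGROUP_GROUP:-lxcusers}"

# lxc_in_group GROUP NAME... : succeed if GROUP appears among NAME...
# (NAME... is normally the word-split output of `id -nG`).
lxc_in_group() {
    _want="$1"
    shift
    for _g in "$@"; do
        [ "$_g" = "$_want" ] && return 0
    done
    return 1
}

# lxc_cgroup_is_delegated USER [FILE] : succeed if the cgroup listing in FILE
# (default: this shell's /proc/self/cgroup) already ends in "/USER", i.e. the
# three cgm steps were run earlier in this session. Assumed cgm naming.
lxc_cgroup_is_delegated() {
    _file="${2:-/proc/self/cgroup}"
    [ -r "$_file" ] || return 1
    grep -q ":.*/$1\$" "$_file"
}

# lxc_cgroup_delegate RUN USER UID GID PID : the three cgm steps from the
# thread, each prefixed with RUN ("sudo" for real, "echo" for a dry run).
lxc_cgroup_delegate() {
    _run="$1"; _u="$2"; _uid="$3"; _gid="$4"; _pid="$5"
    $_run cgm create all "$_u" &&
    $_run cgm chown all "$_u" "$_uid" "$_gid" &&
    $_run cgm movepid all "$_u" "$_pid"
}

# lxc_cgroup_setup : called from the sourcing shell. Silently does nothing
# for users outside $LXC_CGROUP_GROUP, when cgm is not installed, or when
# this shell already sits in the user's cgroup. LXC_CGROUP_DRYRUN=1 prints
# the commands instead of running them.
lxc_cgroup_setup() {
    _user="$(id -un)"
    # shellcheck disable=SC2046  # word splitting of `id -nG` is intended
    lxc_in_group "$LXC_CGROUP_GROUP" $(id -nG) || return 0
    lxc_cgroup_is_delegated "$_user" && return 0
    if [ "${LXC_CGROUP_DRYRUN:-0}" = 1 ]; then
        lxc_cgroup_delegate echo "$_user" "$(id -u)" "$(id -g)" "$$"
    else
        command -v cgm >/dev/null 2>&1 || return 0
        lxc_cgroup_delegate sudo "$_user" "$(id -u)" "$(id -g)" "$$"
    fi
}

# Run automatically only in an interactive shell, which is what a login
# terminal is; a non-interactive shell (scripts, "ssh host cmd") is skipped.
case $- in
    *i*) lxc_cgroup_setup ;;
esac
```

To check the result from a fresh terminal, `cat /proc/self/cgroup` should show the shell inside a cgroup named after the user, after which lxc-start works without the manual sudo cgm steps; `LXC_CGROUP_DRYRUN=1 . /etc/profile.d/lxc-cgroups.sh` shows what would be run without touching cgmanager.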


_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
