That was very close
/I am putting it here so that search might find it/
Thanks for the help, it was just what I needed.
Here is what I got to work:
/usr/local/bin/startunprivlxc:
#!/bin/sh
# usage: startunprivlxc <cgroup> <user> <container>
# move this shell into the user's cgroup, then start the container as that user
cgm movepid all "$1" $$
sudo -iH -u "$2" -- lxc-start -n "$3" -d
/etc/init/lxc-user.conf:
description "start unpriv containers"
start on started lxc
script
    USERS="user1 user2 user3"
    for u in $USERS; do
        # one cgroup per user, owned by that user so the unprivileged
        # container can be started inside it
        cgm create all lxc$u
        cgm chown all lxc$u $(id -u $u) $(id -g $u)
        # lxc-autostart -L prints "<container> <delay>" for each
        # autostart container in the user's config path
        lxc-autostart -L -P /home/$u/.local/share/lxc | while read line; do
            set -- $line
            /usr/local/bin/startunprivlxc lxc$u $u $1
            sleep $2
        done
    done
end script
On 08/22/2014 01:24 AM, Serge Hallyn wrote:
Quoting Mike Bernson ([email protected]):
I have users on the server that want to create containers that have services
running in them. The users need to have the services running at boot.
I want to keep users out of each other's containers.
If a container is broken out of, I would like to limit the damage to the user
running the container.
The users do not have access to /var/lib/lxc. I want to keep
the users in their own area. I was hoping that the user
could create the containers under their home dir and use
the lxc-autostart of unprivileged containers to start them.
This all works when the user is logged in. I was just looking to
start the containers at boot.
If there is not an easy way to handle this, can you give me info
on what needs to happen with cgroups?
I can then write a small setuid C program to set up the cgroups and then run
lxc-autostart.
I would also be willing to contribute them back to the lxc project if they find
it useful.
Ok, so (this is all untested, so you may have to tweak) create a script
/usr/bin/startunprivlxc which does
#!/bin/sh
cgm movepid all $1
sudo -u $2 -- lxc-start -P $2 -n $3 -d
then create yourself a new upstart job which does
description "start unpriv containers"
start on started lxc
script
USERS="user1 user2 user3"
for u in $USERS; do
cgm create all lxc$u
cgm chown all lxc$u $(id -u $u) $(id -g $u)
lxc-autostart -L -P /home/$u/.local/share/lxc | while read line; do
set -- $line
/usr/bin/startunprivlxc lxc$u $u $1
sleep $2
done
done
end script
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
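One thing worth adding to the wrapper above: it runs as root from the upstart job, and the container name it receives comes from `lxc-autostart -L` reading a config directory the user owns, so the wrapper should check its arguments before moving into the cgroup and calling sudo. The script below is an added example, not Mike's or Serge's code; it keeps the same `<cgroup> <user> <container>` calling convention and assumes an ALLOWED_USERS list that mirrors the USERS variable in the upstart job.

```shell
#!/bin/sh
# Hardened variant of startunprivlxc (added example, not from the thread).
# Assumed allowlist: must match the USERS list in /etc/init/lxc-user.conf.
ALLOWED_USERS="user1 user2 user3"

# is_allowed_user NAME -> 0 if NAME is one of ALLOWED_USERS
is_allowed_user() {
    for u in $ALLOWED_USERS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# is_safe_name NAME -> 0 if NAME is a plausible container/cgroup name:
# only letters, digits, '.', '_' and '-', no path separators, and not
# starting with '-' so it cannot be parsed as an option by lxc-start.
is_safe_name() {
    case "$1" in
        ''|-*|*/*) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# validate_args CGROUP USER CONTAINER -> 0 only when every argument passes
# and the cgroup is the one the upstart job created for that user (lxc$user)
validate_args() {
    [ "$#" -eq 3 ] || return 1
    is_safe_name "$1" || return 1
    is_allowed_user "$2" || return 1
    is_safe_name "$3" || return 1
    [ "$1" = "lxc$2" ] || return 1
    return 0
}

# start_container CGROUP USER CONTAINER: same actions as the original wrapper,
# but refuses to run when validation fails
start_container() {
    validate_args "$@" || { echo "startunprivlxc: rejected arguments" >&2; return 1; }
    cgm movepid all "$1" $$ || return 1
    sudo -iH -u "$2" -- lxc-start -n "$3" -d
}

# only act when invoked with three arguments; sourcing the file defines functions
if [ "$#" -eq 3 ]; then
    start_container "$@"
fi
```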