On 04/02/2015 11:54, Fajar A. Nugraha wrote:
> On Wed, Feb 4, 2015 at 6:01 PM, Fajar A. Nugraha <[email protected]
> <mailto:[email protected]>> wrote:
>
> > On Wed, Feb 4, 2015 at 5:46 PM, Adam Gold <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> > > If so, what's the best way to manually create a template in
> > > unprivileged mode to ensure all the subuids and subgids are assigned
> > > correctly.
> >
> > Create it using any normal method known to work. It should be OK
> > when .local/share/lxc is on the same filesystem as $HOME, right?
> > After that, copy it manually to your template dataset
> > (zfs/lxc/containers/template ?) using "rsync -avP" or whatever tool
> > of your choice. When you clone the template to a new directory,
> > don't forget to change these settings manually in the new container
> > config:
>
> This is what I just tested. Environment:
> - there's a system container called "template"
> - user "user" is allowed to create its own container (including setting
>   /etc/subuid)
> - I want to copy the system container to user container
>
> Current permissions:
> # grep user /etc/subuid
> user:100000:65537
>
> # grep user /etc/subgid
> user:100000:65537
>
> # ls -la /var/lib/lxc/template/
> total 6
> drwxr-xr-x  3 root root   4 Jul 10  2014 .
> drwxr-xr-x  4 root root   4 Jan 22 19:26 ..
> -rw-r--r--  1 root root 691 Jul 10  2014 config
> drwxr-xr-x 21 root root  21 Feb  4 18:32 rootfs
>
> # ls -la /home/user/.local/share/lxc/template/
> total 6
> drwxr-xr-x  3 user   user    4 Feb  4 18:39 .
> drwxr-xr-x  3 user   user    4 Feb  4 18:37 ..
> drwxr-xr-x 21 100000 100000 21 Feb  4 18:32 rootfs
>
> # df -h /home/user/.local/share/lxc/template/
> Filesystem               Size  Used Avail Use% Mounted on
> rpool/lxc/user/template   46G  164M   46G   1% /home/user/.local/share/lxc/template
>
> Note that /home/user/.local/share/lxc/template/rootfs is EMPTY. The zfs
> datasets, owner, and permission were created/set by root.
> I can then run this command to copy system's rootfs to user's rootfs,
> with the correct permissions:
>
> # tar -C /var/lib/lxc/template/rootfs -cf - . | su - user -c
> "lxc-usernsexec -- tar -C /home/user/.local/share/lxc/template/rootfs
> -xf - --exclude ./dev/*"
>
> WARN: could not reopen tty: No such file or directory
> tar: ./dev/log: socket ignored
>
> Ignore the warning messages. Next step is to create
> /home/user/.local/share/lxc/template/config, like so:
> ###
> # Template used to create this container: /usr/share/lxc/templates/lxc-download
> # Parameters passed to the template: -d ubuntu -r trusty -a amd64
> # For additional config options, please look at lxc.conf(5)
>
> # Distribution configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
> lxc.arch = x86_64
>
> # Container specific configuration
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> lxc.rootfs = /home/user/.local/share/lxc/template/rootfs
> lxc.utsname = template
>
> # Network configuration
> lxc.network.type = veth
> lxc.network.veth.pair = veth-u-te-0
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.hwaddr = 00:16:3E:3A:53:E7
> ###
>
> Note that I use br0, where the default bridge created by lxc is lxcbr0,
> so you need to make sure it's correct.
>
> When creating another container for the same user "user", I can simply
> use zfs clone rpool/lxc/user/template. If I wanted to create a container
> for another user (e.g. "user2"), then I need to repeat the "tar" method
> above as a different user (e.g. "| su - user2 -c ...")
>
> > > Also, for the additional containers that I get from zfs cloning, will
> > > they be recognised by 'lxc-* -n' commands?
> >
> > AFAIK most lxc commands simply read whatever is under the
> > directory, and don't really care what fs they are on.
>
> After doing the above steps I can do this:
>
> $ id
> uid=1000(user) gid=1000(user) groups=1000(user),4(adm),6(disk),27(sudo)
>
> $ lxc-ls -f
> NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
> ------------------------------------------------
> template  STOPPED  -     -     -       NO
>
> $ lxc-start -d -n template
>
> $ lxc-ls -f
> NAME      STATE    IPV4             IPV6  GROUPS  AUTOSTART
> -----------------------------------------------------------
> template  RUNNING  192.168.124.104  -     -       NO
>
> $ lxc-attach -n template id
> uid=0(root) gid=0(root) groups=0(root)
>
> $ lxc-attach -n template ip ad li eth0
> 25: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 00:16:3e:3a:53:e7 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.124.104/24 brd 192.168.124.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::216:3eff:fe3a:53e7/64 scope link
>        valid_lft forever preferred_lft forever
>
> $ lxc-stop -n template
>
> $ lxc-ls -f
> NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
> ------------------------------------------------
> template  STOPPED  -     -     -       NO
>
> --
> Fajar
>
Thank you so much for doing all of that. I will attempt to follow your approach and hopefully reproduce the results. FYI, I just tried using btrfs and creating containers at the root of a subvolume in unprivileged mode and that worked just fine. I guess it's not surprising that it may be harder with zfs.

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
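The copy step in the thread relies on `lxc-usernsexec` shifting every file of the rootfs into the user's subuid/subgid allocation, and the `lxc.id_map` lines then have to fit inside that allocation. The script below is an added example (not code from the thread or from the LXC project) that checks both points before the container is started: it parses `/etc/subuid`-style lines, derives the `lxc.id_map` lines for the config, and audits a `find ROOTFS -printf '%U %G %p\n'` listing (GNU find) for any entry whose owner or group was not shifted, such as a file still owned by host uid 0. The script name `audit_rootfs.py`, the sample allocation and the sample listing are constructed for the example.

```python
r"""Audit the ownership of a copied unprivileged-container rootfs.

Added example for the procedure discussed in the thread; not code from the
thread or from LXC. It reads /etc/subuid-style allocations and a
`find ROOTFS -printf '%U %G %p\n'` listing, derives the lxc.id_map lines the
container config needs, and flags every entry whose owner or group was NOT
shifted into the user's allocation (a file still owned by host uid 0, for
example, means the tar/lxc-usernsexec step did not cover it).
"""
import re
import sys

SUBID_RE = re.compile(r"^([^:]+):(\d+):(\d+)$")


def parse_subid(text, user):
    """Return (start, count) from the first /etc/subuid-style line for `user`."""
    for line in text.splitlines():
        m = SUBID_RE.match(line.strip())
        if m and m.group(1) == user:
            return int(m.group(2)), int(m.group(3))
    raise KeyError("no sub-id allocation for user %r" % user)


def id_map_lines(uid_alloc, gid_alloc, count=65536):
    """Build the lxc.id_map lines mapping container ids 0..count-1 onto the
    allocation. newuidmap/newgidmap refuse a range that is not fully inside
    /etc/subuid or /etc/subgid, so that is checked before a config is written."""
    lines = []
    for kind, (start, granted) in (("u", uid_alloc), ("g", gid_alloc)):
        if count > granted:
            raise ValueError("%s range of %d exceeds the %d ids granted" % (kind, count, granted))
        lines.append("lxc.id_map = %s 0 %d %d" % (kind, start, count))
    return lines


def in_range(host_id, alloc):
    start, count = alloc
    return start <= host_id < start + count


def audit_listing(listing, uid_alloc, gid_alloc):
    r"""Return (path, uid, gid) for every entry of a `find -printf '%U %G %p\n'`
    listing whose owner or group lies outside the allocation."""
    bad = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        uid_s, gid_s, path = line.split(" ", 2)  # path may itself contain spaces
        uid, gid = int(uid_s), int(gid_s)
        if not (in_range(uid, uid_alloc) and in_range(gid, gid_alloc)):
            bad.append((path, uid, gid))
    return bad


def to_container_id(host_id, alloc):
    """Translate a host id inside the allocation back to the id the container sees."""
    start, _count = alloc
    if not in_range(host_id, alloc):
        raise ValueError("host id %d is not mapped into the container" % host_id)
    return host_id - start


# Constructed sample input: the allocation from the thread, plus a listing of a
# rootfs in which one file was never shifted (still host root), which is the
# kind of leftover this audit is meant to catch.
SAMPLE_SUBUID = "root:1000000:65536\nuser:100000:65537\n"
SAMPLE_LISTING = """\
100000 100000 ./
100000 100000 ./etc/passwd
101000 100000 ./home/alice
0 0 ./root/.bashrc
"""


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: find ROOTFS -printf '%U %G %p\\n' | audit_rootfs.py USER\n")
        return 2
    user = argv[1]
    with open("/etc/subuid") as f:
        uid_alloc = parse_subid(f.read(), user)
    with open("/etc/subgid") as f:
        gid_alloc = parse_subid(f.read(), user)
    for line in id_map_lines(uid_alloc, gid_alloc):
        print(line)
    bad = audit_listing(sys.stdin.read(), uid_alloc, gid_alloc)
    for path, uid, gid in bad:
        print("NOT MAPPED: %s (uid %d gid %d)" % (path, uid, gid))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the container owner over the copied tree, e.g. `find ~/.local/share/lxc/template/rootfs -printf '%U %G %p\n' | python3 audit_rootfs.py user`; a non-zero exit means some entry is still owned by an id outside the user's range and would appear inside the container as `nobody`/`nogroup` rather than as the intended owner. The same audit is worth repeating on each `zfs clone` before handing it to another user, since a clone keeps the original owner's id shift.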
