Quoting Xavier Gendre ([email protected]):
> Thanks for your answer. Indeed, it only needs to be done at login
> and this is my problem. Your solutions work well but all need to
> login at least one time for each user with unprivileged containers.
>
> I admit that my question was not clear :-° My goal is to autostart
> the unprivileged containers when the machine starts, i.e. before any
> user can login.
>
> I have seen solutions based on cgm with Ubuntu on the internet, maybe it
> works on Debian Jessie too... I have to try harder or change to
> Ubuntu server ;-)

Hm, if you want to autostart unprivileged containers then switching to
Ubuntu still may not help. On my (Ubuntu trusty) server I do autostart
userns containers, but they are owned/started by root, with lxc.id_map
entries. That way root has the rights to create its cgroups, as well as
(more importantly for me) mount rootfs from LVM devices.

> Xavier
>
> On 05/02/2015 16:56, Serge Hallyn wrote:
> >Quoting Xavier Gendre ([email protected]):
> >>Hi,
> >>
> >>following the hints given by Serge Hallyn on the lxc-devel list, I
> >>managed to run an unprivileged container on my Debian Jessie \o/
> >>
> >>Now, I want to avoid manual handling and get it working on startup. Thus, I
> >>set permanently kernel.unprivileged_userns_clone to 1 and I create a
> >>systemd service to run the following script:
> >>
> >>#!/bin/bash
> >>
> >>echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
> >>
> >># Allowed users
> >>lxc_users="user1 user2"
> >>
> >>for u in $lxc_users; do
> >>    for d in /sys/fs/cgroup/*; do
> >>        mkdir -p $d/$u
> >>        chown -R $u: $d/$u
> >>    done
> >>done
> >>
> >>The only thing that I need now is to put a 'good' PID in the tasks
> >>files in order to be allowed to start my unprivileged containers. I
> >>can do that by logging in as an allowed user and by putting the PID of
> >>the current shell in my tasks file. But this solution is volatile
> >>and has to be done on each startup for each container :-/
> >
> >No, it only needs to be done at login right? You've already chowned
> >the cgroups to your user, so you should be able to just do it from
> >your .bashrc or equivalent. Or, you could whip up a quick pam module
> >to do it.
> >
> >>Is my approach good? Maybe there is a simpler solution to my
> >>problem... If this is the way, how can I put a valid PID in the
> >>tasks files of the allowed users on startup in order, for example,
> >>to autostart some unprivileged containers?
> >>
> >>Thanks,
> >>Xavier
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
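The root-owned userns approach Serge describes, written out as an added example config (not from the thread or the LXC project): the container is started by root via lxc-autostart at boot, so no user login is needed for cgroups, while lxc.id_map keeps root inside the container mapped to an unprivileged host uid. The container name web1, the LVM volume /dev/vg0/web1, the bridge lxcbr0 and the 100000/65536 id range are assumptions; LXC 1.x key names are used to match the thread.

```ini
# /etc/subuid and /etc/subgid (assumed range): reserve a subordinate
# range for root so it cannot collide with ranges handed to other users.
#   root:100000:65536

# /var/lib/lxc/web1/config (assumed container name)
lxc.utsname = web1

# Map container uid/gid 0-65535 onto host ids 100000-165535.
# "root" inside the container is then uid 100000 on the host, so a
# breakout lands in an unprivileged account. The rootfs must already be
# owned by this shifted range or the container will not boot.
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# Root starts the container, so it may mount the rootfs straight from an
# LVM device; an unprivileged user could not do this.
lxc.rootfs = /dev/vg0/web1

# Started by lxc-autostart from the lxc init service at boot, before any
# user session exists; the delay spaces out several autostarted containers.
lxc.start.auto = 1
lxc.start.delay = 5

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
```

Check the mapping from the host with `lxc-start -n web1 && lxc-attach -n web1 -- id -u` (prints 0) against `ps -o uid,comm -p <container init PID>` (shows 100000): if the second shows 0, the id_map lines are not in effect.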
