Quoting Patrick Toomey ([email protected]):
> I was wanting to experiment with the idea of running throwaway processes
> in a low privilege container. In general, I'd want to run something like
> this
>
> lxc-execute -n test1 -f test.conf --lxcpath=/home/my_user/containers /bin/bash
>
> test.conf contains the unprivileged ID mapping:
>
> xc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
>
> and I have my subordinate ID mapping set up in /etc/subuid:
>
> my_user:100000:65536
>
> and /etc/subgid:
>
> my_user:100000:65536
>
> when I run lxc-execute I do get a new bash instance, but it is running as
> uid/gid 0 in the new namespace. And when I do an ls -l on my home
> directory I see:
>
> ls -l
> total 6224
> -rwxrwxr-x 1 nobody nogroup 13832 Feb 12 17:24 test1.txt
> drwxr-xr-x 6 nobody nogroup 4096 Feb 9 10:11 test2.txt
>
> I would have expected that uid/gid mapping to effectively map all container
> uids/gids to my host's "my_user" uid/gid. In effect, no matter what uid I
> had inside the container it would have the access granted to "my_user".
> So, I'm confused by:
>
> 1) Why is bash uid 0 in the container? Since I mapped the container uid
> 0-65536 to host uid 100000-165536 I would have expected my host uid (1000)
> to then map to the container 101000. And, then I would have expected the
> subordinate entry to map that to my_user.

? If host uid 100000-165536 maps to container uid 0-65536, then host uid 1000 is not mapped.

> 2) Why are my home directory files listed as being owned by nobody? I've
> seen that when playing with user namespaces (directly calling
> CLONE_NEWUSER) when you have no mapping configured in /proc/uid/uid_map.
> But, I checked the uid_map of the container process and it all seems to be
> set up correctly.
>
> I've tried this on Ubuntu 14.10, 14.04, and 12.04 (with backported lxc,
> etc). They all produce the same behavior. So, I'm not sure if I'm
> misunderstanding something about the uid/gid mapping or if I'm missing some
> config setting to make it work the way I would expect.
>
> Thanks!
> Patrick
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
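The point made in the reply, that host uid 1000 falls outside a map whose host side starts at 100000 and therefore appears inside the container as the overflow id ("nobody"/"nogroup"), can be checked offline by simulating the kernel's uid_map lookup. This is an added example and is not code from the thread or from LXC: the config text is constructed from the mapping quoted above (with the key spelled `lxc.id_map` on both lines), and `OVERFLOW_ID` assumes the kernel default `overflowuid`/`overflowgid` of 65534.

```python
from typing import Dict, List, NamedTuple, Optional

# Assumed kernel default for /proc/sys/kernel/overflowuid and overflowgid:
# the id reported inside a user namespace for anything its map does not cover.
# It is what "nobody"/"nogroup" resolve to in the ls -l output quoted above.
OVERFLOW_ID = 65534

# Constructed sample config, built from the mapping quoted in the thread.
TEST_CONF = """
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""


class IdMapEntry(NamedTuple):
    ns_start: int    # first id as seen inside the user namespace
    host_start: int  # first id in the parent (host) namespace it maps to
    count: int       # number of consecutive ids covered by this entry


def parse_id_map(conf_text: str) -> Dict[str, List[IdMapEntry]]:
    """Parse lxc.id_map lines into {"u": [entries], "g": [entries]}."""
    maps: Dict[str, List[IdMapEntry]] = {"u": [], "g": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in maps:
            raise ValueError(f"malformed id_map line: {raw!r}")
        kind, ns_start, host_start, count = fields
        maps[kind].append(IdMapEntry(int(ns_start), int(host_start), int(count)))
    return maps


def ns_to_host(ns_id: int, entries: List[IdMapEntry]) -> Optional[int]:
    """Host id behind an id seen inside the namespace, or None if unmapped."""
    for e in entries:
        if e.ns_start <= ns_id < e.ns_start + e.count:
            return e.host_start + (ns_id - e.ns_start)
    return None


def host_to_ns(host_id: int, entries: List[IdMapEntry]) -> Optional[int]:
    """How a host id appears inside the namespace, or None if unmapped."""
    for e in entries:
        if e.host_start <= host_id < e.host_start + e.count:
            return e.ns_start + (host_id - e.host_start)
    return None


def displayed_owner(host_id: int, entries: List[IdMapEntry]) -> int:
    """Owner id that stat()/ls inside the namespace reports for a file owned
    by host_id: the mapped id, or the overflow id when there is no mapping."""
    mapped = host_to_ns(host_id, entries)
    return OVERFLOW_ID if mapped is None else mapped


if __name__ == "__main__":
    uid_map = parse_id_map(TEST_CONF)["u"]
    # Container uid 0 (the bash process) is really host uid 100000.
    print("container uid 0 is host uid", ns_to_host(0, uid_map))
    # The user's own files (host uid 1000) have no entry, so ls shows "nobody".
    print("host uid 1000 shown in container as", displayed_owner(1000, uid_map))
    # The uid the poster expected to be "theirs" (101000 on the host) is
    # container uid 1000, not the other way round.
    print("host uid 101000 is container uid", host_to_ns(101000, uid_map))
```

The two lookup directions are deliberately separate: `ns_to_host` answers "what is container uid 0 really", while `host_to_ns` answers "what does the container see for a file owned by host uid 1000". The thread's confusion comes from reading the map in the wrong direction, and the functions make that asymmetry explicit.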
