> On November 16, 2015 at 11:48 AM Wolfgang Bumiller <[email protected]>
> wrote:
> 
> 
> > On November 11, 2015 at 6:04 PM Serge Hallyn <[email protected]>
> > wrote:
> > > > 2.
> > > > If you are just using unpriv containers to use user namespaces, you can
> > > > actually have the container be owned/started by root.  That's what I do
> > > > for some containers where their rootfs is a dmcrypt device which I
> > > > couldn't mount as an unpriv user.
> > > 
> > > They are started as root, which means I can prepare the mounts as you
> > > suggested above, but I'd again be clobbering the host's namespace.
> > 
> > > Oh, right.  I forget that even when starting as root, this only works
> > > for the rootfs itself, not other mounts.  (LXD actually does handle this,
> > > but at the cost of having an MS_SLAVE mount per container.)
> 
> So we ended up doing just that, but now with the latest lxcfs
> upgrades (I suspect cgmanager/cgfs changes) AppArmor suddenly
> denies lxc-start to bind mount something. Here's what happens
> with raw lxc-start commands

Seems to be related to the lxc update. lxc 1.1.4 works with the latest lxcfs,
so the problem is introduced between lxc 1.1.4 and lxc 1.1.5.

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
