Re: [Lxc-users] Launching init in a container as non-root
Quoting Ryan Campbell (ryan.campb...@gmail.com): fedora 13 lxc 0.7.2-1.fc13 I've used lxc-setcap to allow non-root to run lxc-start. This seems to work OK, until LXC attempts to launch init. Init fails with init: Need to be root. I would expect init to be launched using the 0 UID of the container. However, from what I've read, UID namespaces are not complete yet. Is this correct? Should one expect that once UID namespaces are implemented within lxc, that one should be able to launch processes as root within the container, but have them run as non-root from the perspective of the host? Yes. Is there anywhere I can read more about this? http://wiki.ubuntu.com/UserNamespace I've got a few patches to send yet for tightening down some remaining privilege leaks, then we should be ready to start relaxing things to make them usable. This includes Eric's simple implementation of assigning a superblock to a user namespace. My current tree is at http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns (Please feel free to join in!) thanks, -serge -- All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Launching init in a container as non-root
On 10/18/2011 04:47 PM, Serge E. Hallyn wrote: http://wiki.ubuntu.com/UserNamespace I've got a few patches to send yet for tightening down some remaining privilege leaks, then we should be ready to start relaxing things to make them usable. This includes Eric's simple implementation of assigning a superblock to a user namespace. My current tree is at http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns (Please feel free to join in!) When can be expected to be available in the stock kernel? Thank you, tamas -- All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Launching init in a container as non-root
On Tue, Oct 18, 2011 at 9:47 AM, Serge E. Hallyn serge.hal...@canonical.com wrote: Quoting Ryan Campbell (ryan.campb...@gmail.com): fedora 13 lxc 0.7.2-1.fc13 I've used lxc-setcap to allow non-root to run lxc-start. This seems to work OK, until LXC attempts to launch init. Init fails with init: Need to be root. I would expect init to be launched using the 0 UID of the container. However, from what I've read, UID namespaces are not complete yet. Is this correct? Should one expect that once UID namespaces are implemented within lxc, that one should be able to launch processes as root within the container, but have them run as non-root from the perspective of the host? Yes. Is there anywhere I can read more about this? http://wiki.ubuntu.com/UserNamespace Very informative, thanks. I've got a few patches to send yet for tightening down some remaining privilege leaks, then we should be ready to start relaxing things to make them usable. This includes Eric's simple implementation of assigning a superblock to a user namespace. My current tree is at http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns (Please feel free to join in!) thanks, -serge -- All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Launching init in a container as non-root
Quoting Papp Tamas (tom...@martos.bme.hu): On 10/18/2011 04:47 PM, Serge E. Hallyn wrote: http://wiki.ubuntu.com/UserNamespace I've got a few patches to send yet for tightening down some remaining privilege leaks, then we should be ready to start relaxing things to make them usable. This includes Eric's simple implementation of assigning a superblock to a user namespace. My current tree is at http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns (Please feel free to join in!) When can be expected to be available in the stock kernel? Depends on how many people join in? :) I'm hoping they'll be somewhat usable (including basic VFS support) sometime during 2012. -- All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Launching init in a container as non-root
On 10/18/2011 12:51 PM, Serge E. Hallyn wrote: Quoting Papp Tamas (tom...@martos.bme.hu): On 10/18/2011 04:47 PM, Serge E. Hallyn wrote: http://wiki.ubuntu.com/UserNamespace I've got a few patches to send yet for tightening down some remaining privilege leaks, then we should be ready to start relaxing things to make them usable. This includes Eric's simple implementation of assigning a superblock to a user namespace. My current tree is at http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns (Please feel free to join in!) When can be expected to be available in the stock kernel? Depends on how many people join in? :) I'm hoping they'll be somewhat usable (including basic VFS support) sometime during 2012. What do you need people to help with? I don't know how much I could help but would be willing to take a look. v/r dps -- All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2d-oct ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users