Quoting Stéphane Graber ([email protected]): > On Sat, Jan 11, 2014 at 12:18:12AM -0500, S.Çağlar Onur wrote: > > Hey Stéphane, > > > > On Fri, Jan 10, 2014 at 3:10 PM, Stéphane Graber <[email protected]> > > wrote: > > > Hey everyone, > > > > > > First of all, sorry for coming up with that so late in the 1.0 > > > development cycle. I tried to convince myself for a long time that this > > > wasn't necessary but reality is that with unprivileged containers, we > > > need to start thinking about new ways to let our users create > > > containers. > > > > Not an objection but a question to understand more. I'm assuming the > > problem is the tools that used for bootstrapping (like > > debootstrap/febootstrap etc.) requiring some privileges. If that's the > > case, can't we write something (like setting suid bit or giving > > required capabilities via libcap) to make unprivileged user to create > > the container using regular templates? > > The main problem we have at the moment is anything attempting to mknod. > Then we have some templates like fedora which use loop mounts and other > similar restricted kernel features.
And to be clear, adding suid bits won't help as the templates run in a user namespace. Mounting block filesystems and creating devices are not allowed there for now, period. -serge _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
