On Tue, Jan 14, 2014 at 06:38:43PM -0500, Dwight Engen wrote:
> On Mon, 13 Jan 2014 20:56:23 -0500
> Stéphane Graber <stgra...@ubuntu.com> wrote:
> 
> [...]
> 
> > Yeah, I did a few last-minute changes.
> > 
> > fstab is no longer required (only copied over if it's there).
> > 
> > If the expiry file is missing, it's simply assumed that the container
> > won't expire.
> 
> Nice, that makes sense.
> 
> [...]
> 
> > Now for Oracle, I guess it depends what's most useful for your users.
> > 
> > Is there actually still a demand for 4.x? I thought at least RHEL 4.x
> > went out of support last year.
> > 
> > In any case, I suspect that starting with the latest of each supported
> > release on i386 and amd64 is probably a good start.
> > We can then expand that to include popular minor releases, possibly
> > the last few 6.x?
> 
> Yeah I think it makes sense to start with just x86_64 6.latest, and
> we'll see how it goes from there.
> 
> > > One question I have on this is that the rootfs (at least that the
> > > Oracle template makes, not sure about others) isn't quite right
> > > since the host name will have already been injected into config
> > > files (for example /etc/hosts), but lxc-download wants to template
> > > them itself. Should we add a switch to the distro template so it
> > > knows when it's being called to create a rootfs for lxc-download to
> > > put LXC_NAME in there instead of the --name it was passed?
> > 
> > So currently my build script (Jenkins job) will call the template
> > with:
> > - --rootfs=/build-lxc/container/LXC_NAME/rootfs
> > - --path=/build-lxc/container/LXC_NAME
> > - --name=LXC_NAME
> 
> Oh yeah, doh! Clever, that should make it work fine.
> 
> [...]
> 
> > > I have not tried from a normal user account yet. Is it basically
> > > that you expect the template to be run by a normal user, but be
> > > running in a userns? Can you describe how mapped_uid is supposed to
> > > be set? Thanks!
> > -d oracle -r 6.5 -a x86_64 --server phocis/lxc-images --no-validate
> > 
> > Yeah, lxc-create basically does all the magic we need there.
> > When run as a user, it'll run the template in a userns mapped with the
> > container's range.
> > 
> > $mapped_uid appears to be set to the uid in the userns which maps back
> > to the user's own uid outside of it and makes it possible to chown
> > files back to the actual user.
> 
> So I had to dig into the source to see how I could get this to work,
> and tried passing a line like:
> 
> lxc-create -P /home/dengen/ct -f /home/dengen/ct/dengen_id_map.conf -n ol65
> -t download -- -d oracle -r 6.5 -a x86_64 --server lxchttp/lxc-images
> --no-validate
> 
> where /home/dengen/ct/dengen_id_map.conf just has:
> lxc.id_map = u 0 100000 10000
> lxc.id_map = g 0 100000 10000
> 
> in order to get mapped_uid in lxc-create to kick in. Sadly this didn't
> work because lxc.spec is still installing lxc-create (and a lot more)
> setuid, so the geteuid() check in create_run_template() isn't firing.
> So my question is: which lxc binaries are supposed to be installed
> setuid these days? Is it just lxc-user-nic? Once I know, I can go ahead
> and fix up lxc.spec. Thanks.

Oh, wow, I didn't realize some distros were still installing anything
setuid these days, especially after we dropped lxc-setuid and lxc-setcap
from the upstream tree.

So anyway, nowadays the recommendation is for only lxc-user-nic to be
setuid; everything else should always run as the user. When run as root,
you'll end up with system containers; when run as a user, you'll get an
unprivileged container.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
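As an added illustration of the recommendation in this thread (this is not code from the thread or from the lxc project), the following POSIX shell audit scans the directories it is given for setuid files and flags any that is not lxc-user-nic, which is what a packager fixing a spec file like the one Dwight describes would want to run against the installed tree. The directory layout it builds under mktemp is a constructed demonstration, not a real lxc install, and the paths suggested in the usage note are assumptions about where a distribution puts the binaries.

```shell
#!/bin/sh
# Added example, not part of the lxc-devel thread or of the lxc tree.
# Audits directories for setuid regular files and reports any that is
# not lxc-user-nic, the only binary the thread says should stay setuid.

# List regular files with the setuid bit set directly under each
# directory given as an argument, one path per line.
find_setuid() {
    find "$@" -maxdepth 1 -type f -perm -4000 2>/dev/null
}

# Return 0 when the only setuid file (if any) is lxc-user-nic, 1 otherwise.
# Offending paths go to stderr so a packager can fix the spec file.
audit_setuid() {
    unexpected=$(find_setuid "$@" | while IFS= read -r path; do
        case "$(basename "$path")" in
            lxc-user-nic) ;;                 # expected to be setuid
            *) printf '%s\n' "$path" ;;      # anything else is a finding
        esac
    done)
    if [ -n "$unexpected" ]; then
        printf 'unexpected setuid binaries:\n%s\n' "$unexpected" >&2
        return 1
    fi
    return 0
}

# Build a constructed, hypothetical install tree in a temp dir so the
# audit can be exercised offline: "bad" mimics a spec that installs
# lxc-create setuid, "good" has only lxc-user-nic setuid. Prints the root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bad/bin" "$root/good/bin"
    for name in lxc-create lxc-start lxc-user-nic; do
        : > "$root/bad/bin/$name"
        : > "$root/good/bin/$name"
    done
    chmod u+s "$root/bad/bin/lxc-create" "$root/bad/bin/lxc-user-nic"
    chmod u+s "$root/good/bin/lxc-user-nic"
    printf '%s\n' "$root"
}

# Stand-alone run: audit both constructed trees, then clean up.
demo=$(make_demo_tree)
if audit_setuid "$demo/bad/bin"; then
    echo "bad tree passed, which should not happen"
else
    echo "bad tree: extra setuid binaries found, as expected"
fi
if audit_setuid "$demo/good/bin"; then
    echo "good tree: only lxc-user-nic is setuid"
fi
rm -rf "$demo"
```

On a real system, point `audit_setuid` at the directories the package installs into, for example `audit_setuid /usr/bin /usr/libexec/lxc` (those paths are assumptions; use whatever the spec file's install section actually targets). Note that `-perm -4000` only checks the setuid bit, so a binary given file capabilities instead (the old lxc-setcap approach) would not be reported by this check.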