Quoting Mahmood ([email protected]):
> Hi,
>
> I'm trying to use unprivileged containers that are inaccessible by
> other users in a shared environment. Setting the container path to 550
> seems to block lxc-start. What are the minimal permissions that I
> need to set on the directory so lxc-start can start successfully? Any
> pointers for managing subuid permissions?
>
> Here is my sample command transcript:
>
> ```
> ubuntu@ip-10-65-151-126:~$ chmod o-rx .local/share/lxc/u1
> ubuntu@ip-10-65-151-126:~$ ls -lha .local/share/lxc |grep u1
> drwxr-x--- 3 ubuntu ubuntu 4.0K May 23 23:45 u1

chgrp it to the root gid in your container, while keeping it owned by ubuntu.
Perhaps lxc should be setting it up like that at create...

> ubuntu@ip-10-65-151-126:~$
> ubuntu@ip-10-65-151-126:~$ # Starting a container with no other permission
> ubuntu@ip-10-65-151-126:~$ lxc-start -n u1
> lxc_container: Permission denied - failed to get real path for
> '/home/ubuntu/.local/share/lxc/u1/rootfs'
> lxc_container: failed to mount rootfs
> lxc_container: failed to setup rootfs for 'u1'
> lxc_container: failed to setup the container
> lxc_container: invalid sequence number 1. expected 2
> lxc_container: failed to spawn 'u1'
> ubuntu@ip-10-65-151-126:~$
> ubuntu@ip-10-65-151-126:~$ # Now with other having rx access
> ubuntu@ip-10-65-151-126:~$ chmod o+rx .local/share/lxc/u1
> ubuntu@ip-10-65-151-126:~$ lxc-start -n u1 -d
> ubuntu@ip-10-65-151-126:~$ lxc-attach -n u1
> root@u1:~# It worked
> ```
>
> Thanks!
> - Mahmood
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
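The advice above, worked through as an added example (this is not code from the thread or from LXC itself). The failing step in the transcript is lxc-start resolving the rootfs path while already running as the container's root, i.e. as the host uid/gid that container uid/gid 0 maps to; with the directory at 0750 and group ubuntu that identity has no way in. The script below reads the container's id mapping from its config to find that host gid, sets it as the directory's group while the host user stays owner, and removes all access for "other". It assumes the config carries the mapping as `lxc.id_map = g 0 100000 65536` (LXC 1.x) or `lxc.idmap = ...` (LXC 3.x), as lxc-create copies it from ~/.config/lxc/default.conf, and that lxc-usernsexec is installed; the use of lxc-usernsexec for the chgrp step is my assumed approach, because an unprivileged user cannot chgrp a file to a group it is not a member of, and the helper names (map_gid, secure_container_dir, demo_mapping) are mine.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread or the LXC project.
# Goal: ~/.local/share/lxc/<name> stays owned by the host user, its group
# becomes the host gid that the container's root group (gid 0) maps to,
# and "other" loses all access.

# map_gid CONFIG_FILE CONTAINER_GID
# Prints the host gid that CONTAINER_GID maps to according to the "g"
# mappings in CONFIG_FILE, or exits 1 if no mapping covers it.
map_gid() {
    config="$1"
    want="$2"
    # Normalise "key=value" to "key = value" so awk sees the same fields
    # whether or not the config author put spaces around "=".
    sed 's/=/ = /' "$config" | awk -v want="$want" '
        BEGIN { want = want + 0 }
        ($1 == "lxc.id_map" || $1 == "lxc.idmap") && $3 == "g" {
            nsstart = $4 + 0; hoststart = $5 + 0; count = $6 + 0
            if (want >= nsstart && want < nsstart + count) {
                print hoststart + (want - nsstart)
                found = 1
                exit
            }
        }
        END { if (!found) exit 1 }
    '
}

# secure_container_dir CONTAINER_DIR
# Run as the host user that owns CONTAINER_DIR (ubuntu in the thread).
secure_container_dir() {
    dir="$1"
    hostgid="$(map_gid "$dir/config" 0)" || {
        echo "no 'g' mapping covering container gid 0 in $dir/config" >&2
        return 1
    }
    # Assumed approach: an unprivileged user may only chgrp to a group it
    # belongs to, and the host user is not a member of the mapped gid. Inside
    # a user namespace where our own uid is 0 and the mapped gid is 0 we own
    # the inode and the target gid is our egid, so the chgrp is permitted.
    # Running as root, a plain "chgrp $hostgid $dir" achieves the same.
    lxc-usernsexec -m "u:0:$(id -u):1" -m "g:0:$hostgid:1" -- chgrp 0 "$dir" || return 1
    # Owner rwx, container root group r-x, other nothing: the drwxr-x--- the
    # poster already had, now with a group the container root belongs to.
    chmod 0750 "$dir"
}

# demo_mapping CONTAINER_GID
# Runs map_gid over a constructed LXC 1.x config (not the poster's file)
# using the 100000/65536 range that is the common default.
demo_mapping() {
    tmp="$(mktemp)" || return 1
    printf '%s\n' \
        '# constructed sample config, not from the thread' \
        'lxc.id_map = u 0 100000 65536' \
        'lxc.id_map = g 0 100000 65536' \
        'lxc.rootfs = /home/ubuntu/.local/share/lxc/u1/rootfs' > "$tmp"
    map_gid "$tmp" "$1"
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage: secure_container_dir ~/.local/share/lxc/u1
if [ $# -eq 1 ]; then
    secure_container_dir "$1"
fi
```

One caveat the transcript hints at but does not spell out: the "failed to get real path" error is a path lookup, so every parent of the container directory (the home directory, .local, .local/share, .local/share/lxc) must also be searchable (x) by the mapped uid or gid, otherwise the same error returns even after the chgrp.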
