On 07/02/2014 08:08 PM, Christoph Willing wrote:
I'm trying to make unprivileged containers work nicely on Slackware -
with some success. After some updates (kernel config, latest shadow,
latest lxc, install cgmanager) I worked through steps at
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/.
I've made a Slackware template with which I can create a working normal
privileged container. I then use Serge Hallyn's uidmapshift on it and
copy the resulting unprivileged container into $USER/.local/share/lxc/
from where it can be run by the user. It all works fine.

The only wrinkle is that before being able to run lxc-start for the
first time on an unprivileged container, the user must first run the
commands:
     sudo cgm create all $USER
     sudo cgm chown all $USER $(id -u) $(id -g)
     sudo cgm movepid all $USER $$
I'd like to avoid that if possible.

Interestingly,
- those commands only need to be run once in a given terminal session
(run lxc-start any number of times after that)
- those commands need to be run in any new terminal in which lxc-start
is to be run on an unprivileged container i.e. running them in one
terminal doesn't bless any new terminal sessions
- the commands don't work when executed from a script
- the commands don't work if executed by root on the user's behalf

Ideally this would be set up either at boot time for "approved" users or
whenever the approved users log in to the machine. I have tried
chmod'ing cgm to setuid root (not sure that would be a good long term
solution anyway) and it succeeded with first and last of those commands
but not the second (cgm chown ..).

Could someone explain how this is managed in other distros where running
unprivileged already works please? I have an uneasy feeling that it's via
PAM (the last of the prerequisites mentioned on Stephane's page) but PAM
is not used in Slackware and most unlikely to be introduced.

BTW, the situation is exactly the same when using the download template
to run the available premade containers i.e. I don't believe it's a
problem with the template I made myself. Anyway, this is surely
something to be arranged in the host, not in the container itself.

Any description of how the user environment is set up and/or tips about
this would be greatly appreciated.

After some fiddling I discovered that, although running the cgm commands from a script did not set up the user environment correctly, it did work if I sourced the script rather than executed it.

Using that fact, my solution is to have an entry in /etc/profile.d which is run whenever a user logs in. That entry checks whether the user is in the "lxcusers" group (a group for users permitted to run unprivileged containers). If so, then the script containing the cgm commands is sourced. Although that script does a series of "sudo cgm .." commands, I've made the script itself the object of a command alias in /etc/sudoers so that it can be run (sourced) without password by members of the lxcusers group.

Now the authorised user can run lxc-start on unprivileged containers without further tricks - just logging in sets them up.

chris
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
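
The login-time setup described in the reply above, sketched as an added example (not the poster's actual script); the file name, the function names and the sudoers rule are assumptions. Because login shells source the file, `$$` is the login shell itself, so everything later started from that shell inherits the cgroup it was moved into.

```shell
# /etc/profile.d/lxc-cgm.sh (hypothetical name). Login shells *source* this
# file, so "$$" below is the login shell's PID and every later child of that
# shell (lxc-start included) inherits its cgroup. Never call "exit" here.
# Assumed: sudoers lets %lxcusers run cgm with NOPASSWD (rule not shown).

LXC_GROUP=lxcusers            # group name taken from the post

# True if group $1 is a whole word in the space-separated list $2.
lxc_in_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Privileged runner: -n makes sudo fail instead of prompting during login.
lxc_priv() { sudo -n "$@"; }

# Run the post's three cgm commands through runner $1 for
# user $2, uid $3, gid $4, shell pid $5; stop at the first failure.
lxc_cgm_apply() {
    "$1" cgm create all "$2" &&
    "$1" cgm chown all "$2" "$3" "$4" &&
    "$1" cgm movepid all "$2" "$5"
}

lxc_cgm_setup() {
    # Ask id(1) rather than trusting $USER, which the user can set freely.
    lxc_in_group "$LXC_GROUP" "$(id -Gn)" || return 0   # not approved: do nothing
    command -v cgm >/dev/null 2>&1 || return 0          # cgm not installed
    lxc_cgm_apply lxc_priv "$(id -un)" "$(id -u)" "$(id -g)" "$$" ||
        echo "lxc-cgm: cgroup setup failed; unprivileged lxc-start will not work" >&2
    return 0
}

lxc_cgm_setup
```

Passing `echo` as the runner to `lxc_cgm_apply` prints the three commands instead of executing them, which is a convenient way to check the arguments before granting the sudoers rule.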
