On Wed, Feb 4, 2015 at 6:01 PM, Fajar A. Nugraha <l...@fajar.net> wrote:
> On Wed, Feb 4, 2015 at 5:46 PM, Adam Gold <a...@gmx.com> wrote:
>
>> If so, what's the best way to manually create a template in
>> unprivileged mode to ensure all the subuids and subgids are assigned
>> correctly.
>>
>
> Create it using any normal method known to work. It should be OK when
> .local/share/lxc is on the same filesystem as $HOME, right?
> After that, copy it manually to your template dataset
> (zfs/lxc/containers/template ?) using "rsync -avP" or whatever tool of
> your choice. When you clone the template to a new directory, don't forget
> to change these settings manually in the new container config:
>

This is what I just tested.

Environment:
- there's a system container called "template"
- user "user" is allowed to create its own container (including setting
  /etc/subuid)
- I want to copy the system container to a user container

Current permissions:

# grep user /etc/subuid
user:100000:65537
# grep user /etc/subgid
user:100000:65537
# ls -la /var/lib/lxc/template/
total 6
drwxr-xr-x  3 root root   4 Jul 10  2014 .
drwxr-xr-x  4 root root   4 Jan 22 19:26 ..
-rw-r--r--  1 root root 691 Jul 10  2014 config
drwxr-xr-x 21 root root  21 Feb  4 18:32 rootfs
# ls -la /home/user/.local/share/lxc/template/
total 6
drwxr-xr-x  3 user   user    4 Feb  4 18:39 .
drwxr-xr-x  3 user   user    4 Feb  4 18:37 ..
drwxr-xr-x 21 100000 100000 21 Feb  4 18:32 rootfs
# df -h /home/user/.local/share/lxc/template/
Filesystem               Size  Used Avail Use% Mounted on
rpool/lxc/user/template   46G  164M   46G   1% /home/user/.local/share/lxc/template

Note that /home/user/.local/share/lxc/template/rootfs is EMPTY. The zfs
datasets, owner, and permission were created/set by root.

I can then run this command to copy the system's rootfs to the user's
rootfs, with the correct permissions:

# tar -C /var/lib/lxc/template/rootfs -cf - . | su - user -c "lxc-usernsexec -- tar -C /home/user/.local/share/lxc/template/rootfs -xf - --exclude ./dev/*"
WARN: could not reopen tty: No such file or directory
tar: ./dev/log: socket ignored

Ignore the warning messages.

Next step is to create /home/user/.local/share/lxc/template/config, like so:

###
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.conf(5)

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/user/.local/share/lxc/template/rootfs
lxc.utsname = template

# Network configuration
lxc.network.type = veth
lxc.network.veth.pair = veth-u-te-0
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:16:3E:3A:53:E7
###

Note that I use br0, whereas the default bridge created by lxc is lxcbr0,
so you need to make sure it's correct.

When creating another container for the same user "user", I can simply use
"zfs clone rpool/lxc/user/template". If I wanted to create a container for
another user (e.g. "user2"), then I need to repeat the "tar" method above as
a different user (e.g. "| su - user2 -c ...").

>
>> Also, for the additional containers that I get from zfs cloning, will
>> they be recognised by 'lxc-* -n' commands?
>>
>>
> AFAIK most lxc commands simply read whatever is under the directory, and
> don't really care what fs they are on.
>
>

After doing the above steps I can do this:

$ id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),6(disk),27(sudo)
$ lxc-ls -f
NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
------------------------------------------------
template  STOPPED  -     -     -       NO
$ lxc-start -d -n template
$ lxc-ls -f
NAME      STATE    IPV4             IPV6  GROUPS  AUTOSTART
-----------------------------------------------------------
template  RUNNING  192.168.124.104  -     -       NO
$ lxc-attach -n template id
uid=0(root) gid=0(root) groups=0(root)
$ lxc-attach -n template ip ad li eth0
25: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:16:3e:3a:53:e7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.104/24 brd 192.168.124.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe3a:53e7/64 scope link
       valid_lft forever preferred_lft forever
$ lxc-stop -n template
$ lxc-ls -f
NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
------------------------------------------------
template  STOPPED  -     -     -       NO

-- 
Fajar
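An added check to go with the hand-written config above (this is example code, not something from Fajar's post or from the LXC project): each "lxc.id_map = u|g CONTAINER_START HOST_START COUNT" line has to map host ids that lie entirely inside the range /etc/subuid and /etc/subgid grant the owning user. In the post the allotment is 100000:65537 and the mapping is 100000 wide 65536, so it fits; a mapping that starts below the allotment or runs past its end is one the user is not permitted to set up, and a typo there is easy to make when writing the config by hand. The script parses both files and reports any id_map line outside the allotment. File paths, the user name and the demo files it creates at the end are assumptions so it can run offline.

```shell
#!/bin/sh
# Added example, not from the post: verify that every lxc.id_map range in a
# container config fits inside the user's /etc/subuid and /etc/subgid
# allotments. Paths are parameters so the check can run on copies or on
# constructed test files.

# Print "START COUNT" for user $2 from a subuid/subgid-style file $1
# (lines look like "user:100000:65537"); fail if the user has no entry.
sub_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; found = 1 }
                       END { exit found ? 0 : 1 }' "$1"
}

# check_idmap CONFIG USER SUBUID_FILE SUBGID_FILE
# Returns 0 when every id_map line fits the allotment, 1 otherwise.
check_idmap() {
    cfg=$1 user=$2 subuid=$3 subgid=$4
    urange=$(sub_range "$subuid" "$user") || { echo "no subuid entry for $user"; return 1; }
    grange=$(sub_range "$subgid" "$user") || { echo "no subgid entry for $user"; return 1; }
    rc=0
    # Each line read here is "u|g CONTAINER_START HOST_START COUNT".
    while read -r kind cstart hstart count; do
        [ -z "$kind" ] && continue          # blank line: config has no id_map
        case $kind in
            u) set -- $urange ;;            # unquoted on purpose: splits "START COUNT"
            g) set -- $grange ;;
            *) echo "unknown id_map type '$kind'"; rc=1; continue ;;
        esac
        sstart=$1 scount=$2
        if [ "$hstart" -lt "$sstart" ] || [ $((hstart + count)) -gt $((sstart + scount)) ]; then
            echo "id_map $kind $cstart $hstart $count exceeds $user's allotment $sstart:$scount"
            rc=1
        fi
    done <<EOF
$(sed -n 's/^lxc\.id_map[[:space:]]*=[[:space:]]*//p' "$cfg")
EOF
    return $rc
}

# Stand-alone demo on constructed files mirroring the values in the post.
demo_dir=$(mktemp -d)
printf 'user:100000:65537\n' > "$demo_dir/subuid"
printf 'user:100000:65537\n' > "$demo_dir/subgid"
printf 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' > "$demo_dir/config"
if check_idmap "$demo_dir/config" user "$demo_dir/subuid" "$demo_dir/subgid"; then
    echo "config fits user's subuid/subgid allotment"
fi
rm -rf "$demo_dir"
```

Run it as "check_idmap /home/user/.local/share/lxc/template/config user /etc/subuid /etc/subgid" before the first lxc-start; the same check applies to the config of every container cloned from the template dataset, and again with the other user's name when the tar step is repeated for "user2".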
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users