Hello List,

With LXC1 on Trusty, the following sequence was used to fill an unprivileged container as root, where only the configuration exists but no content. With LXC2 on Xenial, this results in an error:

    cd -- /var/lib/lxc/test/rootfs
    lxc-usernsexec -m u:0:296608:65536 -m g:0:296608:65536 -- tar --numeric-owner --exclude=./dev -xjf [somepath]/ubuntuxenial1604-i386.tar.bz2

    newuidmap: uid range [0-65536) -> [296608-362144) not allowed
    error mapping child

Deleting the file "/usr/bin/newuidmap" fixes the problem, but I guess that is not the best idea :-)

The following command works also ...

    bzip2 -cd < [somepath]/ubuntuxenial1604-i386.tar.bz2 | PATH="" /usr/bin/lxc-usernsexec -m u:0:296608:65536 -m g:0:296608:65536 -- /bin/tar --numeric-owner --exclude=./dev -x

... but maybe there is a smarter way to avoid that problem? Is there a way to use "lxc-create" in a way that it does not touch any file-system property (mode/owner/xattrs) nor any file content EXCEPT extracting a tar to the prepared directory? Using PATH does not seem very sensible, as it could provoke regressions, as it relies on an undocumented internal function of "lxc-usernsexec".

Kind regards,
Roman

PS: after UID-mapping, the procedure should not attempt a chdir: when mapped and not already inside, it will have no means to reach the container rootfs location any more (as no other non-host-root process has).

DI Roman Fiedler
Scientist, Digital Safety & Security Department
Assistive Healthcare Information Technology
AIT Austrian Institute of Technology GmbH
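As an added example (not from the mail and not LXC project code), a small POSIX shell check for the refusal shown in the mail: it parses /etc/subuid-style entries and tests whether a user may map a host range such as 296608-362144, the same test newuidmap applies before it writes uid_map. It assumes constructed subuid/subgid contents, that entries are matched by user name, and that one entry must cover the whole range.

```shell
#!/bin/sh
# Added example, not from the mail or the LXC project. Checks whether a
# host id range requested via an lxc-usernsexec "-m" spec is authorised
# for a user by /etc/subuid or /etc/subgid entries ("user:start:count").
# Assumptions: entries are matched by user name, and one entry must cover
# the whole range (newuidmap does not merge adjacent entries).

# Constructed sample contents standing in for /etc/subuid and /etc/subgid.
SAMPLE_SUBUID='root:100000:65536
roman:296608:65536'
SAMPLE_SUBGID='root:100000:65536
roman:296608:65536'

# subid_allows CONTENT USER START COUNT
# Returns 0 if some entry for USER covers [START, START+COUNT).
subid_allows() {
    content=$1; user=$2; start=$3; count=$4
    end=$((start + count))
    # The grouped commands run in a subshell, so "exit" only leaves them
    # and becomes the pipeline's (and the function's) status.
    printf '%s\n' "$content" | {
        while IFS=: read -r u s c; do
            [ "$u" = "$user" ] || continue
            if [ "$start" -ge "$s" ] && [ "$end" -le "$((s + c))" ]; then
                exit 0
            fi
        done
        exit 1
    }
}

# mapping_allowed SUBUID_CONTENT SUBGID_CONTENT SPEC USER
# SPEC has the lxc-usernsexec form kind:ns_start:host_start:count, e.g.
# u:0:296608:65536; kind is u (uid), g (gid) or b (both).
mapping_allowed() {
    subuid=$1; subgid=$2; spec=$3; user=$4
    kind=${spec%%:*}; rest=${spec#*:}
    rest=${rest#*:}                 # drop ns_start; only host ids matter
    host_start=${rest%%:*}; count=${rest#*:}
    case $kind in
        u) subid_allows "$subuid" "$user" "$host_start" "$count" ;;
        g) subid_allows "$subgid" "$user" "$host_start" "$count" ;;
        b) subid_allows "$subuid" "$user" "$host_start" "$count" &&
           subid_allows "$subgid" "$user" "$host_start" "$count" ;;
        *) return 2 ;;
    esac
}

# Reproduces the mail's failure: root has no entry covering 296608-362144.
mapping_allowed "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" u:0:296608:65536 root ||
    echo "uid range [296608-362144) not allowed for root"
```

Running it against the real files (`subid_allows "$(cat /etc/subuid)" "$(id -un)" 296608 65536`) shows whether newuidmap would accept the mapping before lxc-usernsexec is tried.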
_______________________________________________ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users