As said: you don't need write access to the portage tree, but to the distfiles cache holding the fetched source tarballs. And to the package repository, if you let it build binary packages (and you want this if you use more than a few Gentoo instances). But you may configure other locations for them, outside the portage tree with the ebuild recipes.
BTW: Instead of mapping the uid/gid for portage, you may also change it inside the container's passwd/group files to the shifted one. It depends on your policy about the "border of the container" whether this is a proper way to handle the clash of offering an outer-world-shared resource inside the restricted environment of an unprivileged container.

Guido

>-----Original Message-----
>From: lxc-users [mailto:[email protected]] On Behalf Of Fog_Watch
>Sent: Wednesday, July 13, 2016 12:35 PM
>To: [email protected]
>Subject: Re: [lxc-users] Can I, or should I, "lxc.id_map = u 250 250 1"?
>
>On Wed, 13 Jul 2016 12:36:07 +0700
>"Fajar A. Nugraha" <[email protected]> wrote:
>
>>
>> I don't think you can use an overlapping id_map. Example on
>> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>>
>
>Fajar, how is the following an overlapping id_map:
>lxc.id_map = u 250 250 1
>lxc.id_map = g 250 250 1
>lxc.id_map = u 0 100000 1000
>lxc.id_map = g 0 100000 1000
>?
>
>On Wed, 13 Jul 2016 07:58:21 +0200
>Guido J__kel <[email protected]> wrote:
>>
>> But don't think that Gentoo needs the user/group of the portage tree
>> to be "portage:portage" for the purpose of running an ebuild. This
>> will be a requirement for portage sync operations, of course. But
>> those you probably want to run on the host, I think. Maybe you should
>> even bind-mount it read-only to your containers.
>>
>
>Guido, if I use the following:
>lxc.id_map = u 1000 250 1
>lxc.id_map = g 1000 250 1
>lxc.id_map = u 0 100000 1000
>lxc.id_map = g 0 100000 1000
>Container uid=1000 can create files in distfiles that end up as
>uid=portage files in the tree, but uid=1000 can't run emerge. Or, a
>container root emerge terminates with the following chown yuck:
>
> * tail -f /var/log/emerge-fetch.log
>bash: /usr/portage/distfiles/.__portage_test_write__: Permission denied
>[Errno 1] Operation not permitted:
> b'/usr/portage/distfiles/.Net-Daemon-0.48.tar.gz.portage_lockfile':
> chown('/usr/portage/distfiles/.Net-Daemon-0.48.tar.gz.portage_lockfile', -1, 250)
>Cannot chown a lockfile:
> '/usr/portage/distfiles/.Net-Daemon-0.48.tar.gz.portage_lockfile'
> Group IDs of current user: 1000 0 1 2 3 4 6 10 11 26 27
>>>> Downloading 'http://distfiles.gentoo.org/distfiles/Net-Daemon-0.48.tar.gz'
>/usr/portage/distfiles/Net-Daemon-0.48.tar.gz: Permission denied
>>>> Downloading 'http://search.cpan.org/CPAN/authors/id/M/MN/MNOONING/Net-Daemon-0.48.tar.gz'
>/usr/portage/distfiles/Net-Daemon-0.48.tar.gz: Permission denied
>>>> Downloading 'http://www.cpan.org/authors/id/M/MN/MNOONING/Net-Daemon-0.48.tar.gz'
>/usr/portage/distfiles/Net-Daemon-0.48.tar.gz: Permission denied
>>>> Downloading 'http://cpan.metacpan.org/authors/id/M/MN/MNOONING/Net-Daemon-0.48.tar.gz'
>/usr/portage/distfiles/Net-Daemon-0.48.tar.gz: Permission denied
>!!! Couldn't download 'Net-Daemon-0.48.tar.gz'. Aborting.
> * Fetch failed for 'dev-perl/Net-Daemon-0.480.0-r1', Log file:
> * '/var/tmp/portage/dev-perl/Net-Daemon-0.480.0-r1/temp/build.log'
>_______________________________________________
>lxc-users mailing list
>[email protected]
>http://lists.linuxcontainers.org/listinfo/lxc-users
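The thread turns on how the two `lxc.id_map` configurations quoted above translate ids across the container boundary and whether their ranges collide. The following is an added example, not code from the original post or from LXC itself: it parses `lxc.id_map` lines (assuming only the documented `<u|g> <container_start> <host_start> <count>` syntax), resolves a container uid/gid to its host uid/gid and back, and flags entries whose ranges intersect on either the container side or the host side, which the kernel refuses when the namespace's uid_map/gid_map is written. The two configs embedded in the block are constructed copies of the ones quoted in the message.

```python
"""Resolve and sanity-check LXC lxc.id_map entries.

Added example for this thread, not code from the original post or from LXC.
It assumes only the documented lxc.id_map syntax:
    lxc.id_map = <u|g> <container_start> <host_start> <count>
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Constructed input: the first config asked about in the thread.
CONFIG_A = """
lxc.id_map = u 250 250 1
lxc.id_map = g 250 250 1
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
"""

# Constructed input: the second config, portage moved to container id 1000.
CONFIG_B = """
lxc.id_map = u 1000 250 1
lxc.id_map = g 1000 250 1
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
"""


@dataclass(frozen=True)
class IdMap:
    kind: str        # "u" (uids) or "g" (gids)
    ns_start: int    # first id as seen inside the container
    host_start: int  # host id that ns_start is mapped onto
    count: int       # length of the contiguous range

    def to_host(self, ns_id: int) -> Optional[int]:
        """Host id for a container id, or None if outside this range."""
        if self.ns_start <= ns_id < self.ns_start + self.count:
            return self.host_start + (ns_id - self.ns_start)
        return None

    def to_ns(self, host_id: int) -> Optional[int]:
        """Container id for a host id, or None if outside this range."""
        if self.host_start <= host_id < self.host_start + self.count:
            return self.ns_start + (host_id - self.host_start)
        return None


def parse_id_maps(config: str) -> List[IdMap]:
    """Pull the lxc.id_map entries out of a container config, in file order."""
    maps = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("lxc.id_map"):
            continue
        _, value = line.split("=", 1)
        kind, ns_start, host_start, count = value.split()
        if kind not in ("u", "g"):
            raise ValueError(f"bad id_map kind in: {line!r}")
        maps.append(IdMap(kind, int(ns_start), int(host_start), int(count)))
    return maps


def _intersects(a_start: int, a_count: int, b_start: int, b_count: int) -> bool:
    return a_start < b_start + b_count and b_start < a_start + a_count


def find_overlaps(maps: List[IdMap]) -> List[Tuple[str, IdMap, IdMap]]:
    """Pairs of same-kind entries whose container-side or host-side ranges
    intersect.  The kernel rejects such a uid_map/gid_map write, so LXC
    cannot start a container with them."""
    problems = []
    for a, b in combinations(maps, 2):
        if a.kind != b.kind:
            continue
        if _intersects(a.ns_start, a.count, b.ns_start, b.count):
            problems.append(("container", a, b))
        if _intersects(a.host_start, a.count, b.host_start, b.count):
            problems.append(("host", a, b))
    return problems


def container_to_host(maps: List[IdMap], kind: str, ns_id: int) -> Optional[int]:
    """Host uid/gid that a file owned by ns_id inside the container really has."""
    for m in maps:
        if m.kind == kind and (h := m.to_host(ns_id)) is not None:
            return h
    return None  # unmapped: appears as the overflow id (65534) inside the container


def host_to_container(maps: List[IdMap], kind: str, host_id: int) -> Optional[int]:
    """How a host-owned file (e.g. a bind-mounted distfiles dir) appears inside."""
    for m in maps:
        if m.kind == kind and (c := m.to_ns(host_id)) is not None:
            return c
    return None


if __name__ == "__main__":
    for name, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        maps = parse_id_maps(cfg)
        print(f"config {name}:")
        for side, a, b in find_overlaps(maps):
            print(f"  overlap on {side} side: {a} vs {b}")
        print(f"  container uid 1000 -> host uid {container_to_host(maps, 'u', 1000)}")
        print(f"  host gid 250      -> container gid {host_to_container(maps, 'g', 250)}")
        print(f"  container gid 250 -> host gid {container_to_host(maps, 'g', 250)}")
```

Run it against a real config with `parse_id_maps(open("/var/lib/lxc/NAME/config").read())` before starting the container; an empty `find_overlaps()` result is the precondition for the map being accepted at all, and the two lookup helpers show what ownership a bind-mounted host directory will present inside the container for a given mapping.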
