I use setfacl/getfacl to change permissions on host files so they are accessible to the container's users. I am doing only basic stuff with very few users, so I am not sure how that approach scales.

Of course, anything you do to open up what the container can do will reduce the security of using containers.

On Wed, Dec 11, 2019, 8:19 AM Justus Schubert <justus.schub...@web.de> wrote:

> Hi everyone,
>
> I'm trying lxc for the first time. Something I do not understand is the shared use of resources. This seems to be a problem especially with unprivileged containers.
> My first thought was to have a shared folder with custom user/group mapping in an unprivileged LXC container for (user)mount.
>
> I set up an LXC container. My host system is ArchLinux and the container uses Debian. I start the container as root and use user/group mapping so the container runs 'unprivileged'.
>
> >> my /etc/lxc/default.conf:
> >> lxc.idmap = u 0 100000 65536
> >> lxc.idmap = g 0 100000 65536
>
> >> my /etc/subuid & /etc/subgid:
> >> root:100000:65536
>
> Now I would like to share my homedir within the container.
>
> >> my /var/lib/lxc/<lxc-name>/config:
> >> lxc.mount.entry = /home/<user> /var/lib/lxc/<lxc-name>/rootfs/mnt/share none bind 0 0
>
> Because of the mapping described above, the rights of the shared folder are set to nobody nogroup.
>
> After some research, I came to the idea that there are certainly other ways to solve the problem. Maybe SSHfs, NFS or SAMBA? Something that can implement the 'usermapping' in the protocol?
> Can someone tell me their experiences or show ways of solving this?
> In concrete terms, I am looking for ideas for the realization:
> 1) How can I share rights among 'unprivileged' users from the host to the container? User1 from the host shares a folder with user1 from the container OS. Both are not root. How can I achieve this?
> 2) Sharing files between unprivileged lxc containers
>
> I can imagine that such questions are asked frequently, but unfortunately I have not found a simple and consistent solution.
>
> Thanks in advance for your help!
>
> --
> Justus Schubert
> 01099 Dresden
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
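The uid translation behind the setfacl approach in the reply above, as an added example that is not part of the original thread: it maps a container id through the quoted `lxc.idmap` lines to the host id and prints the ACL commands for that host id. The function names, container uid 1000 and the path `/home/alice` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): translate a container uid/gid to the
# host id through lxc.idmap, then print matching setfacl commands.

# Constructed sample: the two idmap lines quoted in the message.
SAMPLE_CONF='lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536'

# map_id KIND ID   (LXC config on stdin; KIND is u or g; hypothetical helper)
# Prints the host id for container id ID. Returns 1 when no range covers it;
# ids outside every mapped range are the ones displayed as nobody/nogroup.
map_id() {
    awk -v kind="$1" -v id="$2" '
        /^[ \t]*lxc\.idmap[ \t]*=/ {
            sub(/=/, " ")              # tolerate "lxc.idmap=u 0 ..." too
            if ($2 != kind) next
            first = $3 + 0; host = $4 + 0; count = $5 + 0
            if (id + 0 >= first && id + 0 < first + count) {
                print host + (id - first); found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# acl_commands CONTAINER_UID HOST_DIR   (LXC config on stdin)
# Prints, without running them, setfacl calls that grant only the mapped host
# uid access to HOST_DIR: an access ACL for what exists now and a default ACL
# so that newly created files inherit the entry.
acl_commands() {
    hid=$(map_id u "$1") || { echo "uid $1 is not mapped" >&2; return 1; }
    printf 'setfacl -R -m u:%s:rwX %s\n' "$hid" "$2"
    printf 'setfacl -R -d -m u:%s:rwX %s\n' "$hid" "$2"
}

# Demo with constructed values: container uid 1000, host directory /home/alice.
printf '%s\n' "$SAMPLE_CONF" | acl_commands 1000 /home/alice
```

Review the printed commands before running them on the host, and check the result with `getfacl` on the shared directory.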