On Wed, Mar 04, 2020 at 11:37:32PM +0300, Andrey Repin wrote:
> Greetings, Ede Wolf!
>
> > So please let me rephrase my question: Is there any alternative to
> > standard bridging for running unprivileged lxc containers?
>
> Is there a use case for unprivileged LXC containers?
> I fail to see one, and I'm using LXC for five-or-so years. If you are using
> bare LXC, you are likely spawning new ones infrequently and each has its own
> unique purpose. If that's not true, you're better off using
> LXD/docker-swarm/etc.
https://www.youtube.com/watch?v=J34UzHo4G5w

For starters, awesome as lxd is, it doesn't qualify as fully unprivileged
containers, because the containers are *started* by root.

With lxc containers you can get very close. You need setuid-root newuidmap and
newgidmap to create userid mappings, and you currently need a privileged
lxc-user-nic to set up the network. By intercepting network connection related
syscalls, you can avoid the need for privileged lxc-user-nic.

And yeah, while I use lxd for spawning containers on remote hosts, I use lxc
on my own home server and my laptop.

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
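The reply above says unprivileged lxc needs setuid-root newuidmap/newgidmap to create the userid mappings. The following is an added example (not code from this thread or from the LXC project) that models what that mapping is and what the setuid helper is there to enforce: it parses a constructed /etc/subuid sample, builds the uid_map lines a container would receive, refuses any request whose host range is not delegated to the calling user (the check that keeps container root from being host root), and translates container ids to host ids. The user names, ranges and function names are assumptions made for the example.

```python
"""Model of the user-namespace id mapping that unprivileged LXC relies on.

Added example, not code from the lxc-users thread or from the LXC project.
The /etc/subuid sample and all names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample of /etc/subuid content (format: user:start:count).
SAMPLE_SUBUID = """\
# comment lines and blank lines are ignored
alice:100000:65536
alice:1000000:65536
bob:200000:65536
"""


@dataclass(frozen=True)
class IdRange:
    """`count` ids starting at `start` (half-open end)."""
    start: int
    count: int

    @property
    def end(self) -> int:
        return self.start + self.count

    def contains(self, other: "IdRange") -> bool:
        return self.start <= other.start and other.end <= self.end


@dataclass(frozen=True)
class MapEntry:
    """One line of /proc/<pid>/uid_map: container id, host id, count."""
    ns_start: int
    host_start: int
    count: int

    def host_range(self) -> IdRange:
        return IdRange(self.host_start, self.count)

    def line(self) -> str:
        return f"{self.ns_start} {self.host_start} {self.count}"


def parse_subid(text: str, user: str) -> List[IdRange]:
    """Return the id ranges delegated to `user` in subuid/subgid-style text."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(IdRange(int(start), int(count)))
    return ranges


def request_allowed(entries: List[MapEntry], delegated: List[IdRange]) -> bool:
    """The check a setuid newuidmap performs before writing the map: every
    requested host range must lie fully inside a range delegated to the caller.
    An unprivileged user therefore can never map host uid 0 (or any other
    undelegated id) into the container, which is what keeps container root
    unprivileged on the host."""
    return all(any(d.contains(e.host_range()) for d in delegated) for e in entries)


def build_uid_map(user: str, subid_text: str, count: int) -> List[str]:
    """Build uid_map lines for a container whose ids 0..count-1 are backed by
    the first `count` ids of the user's first delegated range."""
    delegated = parse_subid(subid_text, user)
    if not delegated:
        raise PermissionError(f"no subordinate ids delegated to {user}")
    entries = [MapEntry(0, delegated[0].start, count)]
    if not request_allowed(entries, delegated):
        raise PermissionError("requested range exceeds delegated ids")
    return [e.line() for e in entries]


def ns_to_host(ns_id: int, entries: List[MapEntry]) -> int:
    """Translate a container id to the host id that owns it.
    Ids outside every entry are unmapped (shown in-container as the
    overflow id, nobody/65534) and raise here."""
    for e in entries:
        if e.ns_start <= ns_id < e.ns_start + e.count:
            return e.host_start + (ns_id - e.ns_start)
    raise LookupError(f"id {ns_id} is not mapped")


if __name__ == "__main__":
    print(build_uid_map("alice", SAMPLE_SUBUID, 65536))
```

The same logic applies to /etc/subgid and newgidmap; the network side the reply mentions (lxc-user-nic and /etc/lxc/lxc-usernet quotas) is a separate privileged step and is not modelled here.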