On Wed, Mar 29, 2017 at 4:20 AM, Serge E. Hallyn <[email protected]> wrote:
> Quoting BIGOT Adrien ([email protected]):
> > Hello,
> >
> > Actually hosting many containers (2000+) with OpenVZ technology, we want to move to LXC/LXD.
> > The goal is to host up to 20 unprivileged containers per hypervisor. I'd like to know if there is some best practice regarding subuid and subgid, in particular if we must have one range of subuid/subgid per container or not.
>
> It's been discussed a few times, but I can't be bothered to find links :) General guidance is if the containers are working together you can have them share uid ranges. If they belong to different groups, or if you want to prevent all chances of one container subverting another, then give them different ranges.
>

... and if you're feeling lazy:

- allocate a large-enough [ug]id range for root and lxd in /etc/sub[ug]id
- use a newer lxd (e.g. from https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/stable)
- set security.idmap.isolated true (https://github.com/lxc/lxd/blob/master/doc/userns-idmap.md#different-idmaps-per-container)

It should automatically assign a unique [ug]id range for each container with minimal manual setup.

--
Fajar
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
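As an added check (not part of Fajar's reply or the LXD project): a small parser for /etc/subuid-style files that reports how many isolated containers fit in a user's allocated range and flags ranges shared between different users, which would undo the isolation the thread is after. It assumes LXD's default of 65536 ids per container; the file content below is constructed.

```python
"""Sanity-check /etc/subuid or /etc/subgid before enabling isolated idmaps."""
from typing import Dict, List, Tuple

IDS_PER_CONTAINER = 65536  # assumed LXD default size of one container's idmap

# Constructed sample in the 'name:start:count' format of /etc/subuid
SAMPLE_SUBUID = """\
root:100000:65536
lxd:1000000:2000000
alice:165536:65536
"""

Ranges = Dict[str, List[Tuple[int, int]]]


def parse_subid(text: str) -> Ranges:
    """Parse 'name:start:count' lines into {name: [(start, count), ...]}."""
    ranges: Ranges = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid range {raw!r}")
        ranges.setdefault(name, []).append((start, count))
    return ranges


def container_capacity(ranges: Ranges, user: str, per_container: int = IDS_PER_CONTAINER) -> int:
    """Number of isolated containers that fit in the ranges allocated to `user`."""
    return sum(count // per_container for _, count in ranges.get(user, []))


def overlapping_users(ranges: Ranges) -> List[Tuple[str, str]]:
    """Pairs of distinct users whose sub-id ranges overlap (they would share ids)."""
    flat = [(u, s, s + c) for u, rs in ranges.items() for s, c in rs]
    pairs = set()
    for i, (u1, a1, b1) in enumerate(flat):
        for u2, a2, b2 in flat[i + 1:]:
            if u1 != u2 and a1 < b2 and a2 < b1:  # half-open intervals intersect
                pairs.add(tuple(sorted((u1, u2))))
    return sorted(pairs)


def check(text: str, user: str, wanted: int) -> Tuple[bool, int]:
    """(ok, capacity): ok when `user` can host `wanted` containers and nothing overlaps."""
    ranges = parse_subid(text)
    cap = container_capacity(ranges, user)
    return (cap >= wanted and not overlapping_users(ranges)), cap
```

With the ranges in place, `lxc config set <container> security.idmap.isolated true` turns on the per-container ranges described in the linked document.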
