----- Original Message -----
> From: "Serge E. Hallyn" <[email protected]>
> To: "lxc-users" <[email protected]>
> Sent: Tuesday, 28 March 2017 21:07:08
> Subject: Re: [lxc-users] subuids and subgid range with multiple LXC containers
>
> On Wed, Mar 29, 2017 at 07:35:15AM +0700, Fajar A. Nugraha wrote:
> > On Wed, Mar 29, 2017 at 4:20 AM, Serge E. Hallyn <[email protected]> wrote:
> > > Quoting BIGOT Adrien ([email protected]):
> > > > Hello,
> > > >
> > > > Actually hosting many containers (2000+) with OpenVZ technology, we
> > > > want to move to LXC/LXD.
> > > > The goal is to host up to 20 unprivileged containers per
> > > > hypervisor. I'd like to know if there is some best practice
> > > > regarding subuid and subgid, in particular if we must have one range
> > > > of subuid/subgid per container or not.
> > >
> > > It's been discussed a few times, but I can't be bothered to find
> > > links :) General guidance is if the containers are working together
> > > you can have them share uid ranges. If they belong to different
> > > groups, or if you want to prevent all chances of one container
> > > subverting another, then give them different ranges.
> >
> > ... and if you're feeling lazy:
> > - allocate a large-enough [ug]id range for root and lxd in /etc/sub[ug]id
> > - use newer lxd (e.g. from
> >   https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/stable)
> > - set security.idmap.isolated true (
> >   https://github.com/lxc/lxd/blob/master/doc/userns-idmap.md#different-idmaps-per-container
> >   )
> >
> > It should automatically assign a unique [ug]id range for each container with
> > minimal manual setup.
>
> One thing I've always thought would be useful, but not had the time to
> pursue, would be to have a concept of 'clients' or somesuch, where each
> client can get one or more unique ranges. They can then use those
> ranges however they want, but no other clients will ever get their
> ranges.

That's the way I always thought about LXD and the future with multi-tenant ;)
You are an unprivileged user A, you can SSH to the control host, manage your, and only your, containers.

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
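The thread's two pieces of advice (give containers that must not subvert each other disjoint ranges, and size the lxd entry in /etc/sub[ug]id so that security.idmap.isolated can carve a unique block per container) are easy to get wrong by a few digits. The script below is an added example, not code from the thread or from LXD itself: it checks a sub[ug]id file for overlapping ranges, finds the next free id, and computes whether N isolated containers fit in a base range. Both sample /etc/subuid contents are constructed for illustration, and the example assumes the 65536-id per-container block that the isolated mode uses by default (that is the default size, not something the thread states).

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for /etc/sub[ug]id ranges
# when several unprivileged containers share one host.
# SAMPLE_SUBUID is a constructed /etc/subuid, not taken from any real host.
# tenantA and tenantB deliberately overlap, the situation Serge warns about.
SAMPLE_SUBUID='root:100000:65536
lxd:1000000:1000000
tenantA:165536:65536
tenantB:200000:65536'

# A layout sized for 20 isolated containers of 65536 ids each (also constructed):
# 20 * 65536 = 1310720 ids for the lxd entry.
ISOLATED_SUBUID='root:100000:65536
lxd:1000000:1310720'

# subid_overlaps CONTENT
# Prints every pair of entries whose [start, start+count-1] intervals intersect.
# Returns 0 when all ranges are disjoint, 1 when at least one pair overlaps.
subid_overlaps() {
    printf '%s\n' "$1" | awk -F: '
        NF == 3 { n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            found = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "%s (%d-%d) overlaps %s (%d-%d)\n",
                               name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        found = 1
                    }
            exit found
        }'
}

# next_free_start CONTENT
# Prints the first id above every allocated range, i.e. a safe start for a new entry.
next_free_start() {
    printf '%s\n' "$1" | awk -F: '
        NF == 3 { end = $2 + $3; if (end > max) max = end }
        END { print max + 0 }'
}

# isolated_capacity RANGE_COUNT PER_CONTAINER
# How many containers of PER_CONTAINER ids fit in a base range of RANGE_COUNT ids.
isolated_capacity() {
    echo $(( $1 / $2 ))
}

# isolated_container_range BASE_START BASE_COUNT INDEX PER_CONTAINER
# Prints start:count of the INDEX-th (0-based) sub-range carved out of the base
# range, failing if that sub-range would spill past the end of the base range.
isolated_container_range() {
    base=$1; count=$2; idx=$3; size=$4
    start=$(( base + idx * size ))
    if [ $(( start + size )) -gt $(( base + count )) ]; then
        echo "container $idx does not fit in $base:$count" >&2
        return 1
    fi
    echo "$start:$size"
}

# Demonstration, guarded so the script is safe to run under set -e.
if subid_overlaps "$SAMPLE_SUBUID"; then
    echo "sample: all ranges are disjoint"
else
    echo "sample: overlapping ranges found (those tenants share ids)"
fi
echo "sample: next free id is $(next_free_start "$SAMPLE_SUBUID")"
echo "lxd:1000000:1000000 holds $(isolated_capacity 1000000 65536) isolated containers"
echo "lxd:1000000:1310720 holds $(isolated_capacity 1310720 65536) isolated containers"
```

The capacity check is the caveat worth remembering for the 20-containers-per-host target: a lxd entry of one million ids sounds generous but only holds 15 blocks of 65536, so the 16th isolated container cannot be given a unique range. After fixing the file and setting `security.idmap.isolated true` on a container, the definitive check of what it actually got is the kernel's view, `/proc/<init pid of the container>/uid_map` and `gid_map` on the host, which should show a block inside the lxd entry that no other container's map shares.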
