On Wed, May 10, 2017 at 1:33 PM, T.C 吳天健 <[email protected]> wrote:
> Fajar and Andrey,
>
> I run lxc-1.0 on an embedded system and I don't have lxd on that platform.
> (i.e. I cross-compile lxc-1.0 from scratch, no prebuilt package available).
> And yes, I run the container with root privilege.

I highly suggest you invest some time to port lxd there. It'd make some things a lot easier.

> Can I have your mentioned features "use separate u/gid range for each
> container" and "limits which device nodes (block and char) allowed in the
> container" without existence of lxd?

Without LXD? Best docs I can point you to are:

- https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html (for example, find "lxc.cgroup.devices.allow" and "UID MAPPINGS" there)
- https://github.com/lxc/lxc/tree/master/doc
- https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
- https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv

A little note about the last two: they guide you to create user-owned unpriv containers. It's usually MUCH easier to manage (including setting autostart behavior) root-owned unpriv containers (which is basically what lxd does). Root-owned unpriv containers are similar to privileged containers, except that:

- they have uid mapping configuration
- the files in the rootfs have their u/gid shifted (e.g. with fuidshift)

Again, the process is MUCH simpler if you have lxd (e.g. look for "security.idmap.isolated" in https://github.com/lxc/lxd/blob/master/doc/containers.md)

--
Fajar
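As an added illustration (not part of the thread above, and not LXC's shipped config), here is what the two features Fajar points at look like in plain lxc-1.0 container configs, without LXD: each root-owned unprivileged container gets its own non-overlapping uid/gid range via lxc.id_map, and the devices cgroup denies everything before allowing a short list of character devices. Container names, the host ranges 100000 and 200000, and the rootfs paths are assumptions.

```ini
# /var/lib/lxc/ctr-a/config  (assumed path; root-owned, unprivileged)
lxc.rootfs = /var/lib/lxc/ctr-a/rootfs
# uid/gid 0..65535 inside the container map to host 100000..165535.
# The rootfs files must already be shifted into this range (e.g. fuidshift),
# otherwise root inside the container cannot even read /.
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# Device policy: deny all, then allow only what a typical userland needs.
# Format is "<type> <major>:<minor> <perms>"; a wildcard minor is "*".
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm    # /dev/zero
lxc.cgroup.devices.allow = c 1:8 rwm    # /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm    # /dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm    # /dev/tty
lxc.cgroup.devices.allow = c 5:1 rwm    # /dev/console
lxc.cgroup.devices.allow = c 5:2 rwm    # /dev/ptmx
lxc.cgroup.devices.allow = c 136:* rwm  # /dev/pts/*
# No block devices are allowed at all: a mknod'ed /dev/sda in the
# container is refused by the cgroup even though the process is "root".

# /var/lib/lxc/ctr-b/config  (assumed path; second container)
lxc.rootfs = /var/lib/lxc/ctr-b/rootfs
# Disjoint host range, so a uid-0 process escaping ctr-b is host uid 200000
# and owns nothing that ctr-a's files (100000..165535) are owned by.
lxc.id_map = u 0 200000 65536
lxc.id_map = g 0 200000 65536
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
```

The host's /etc/subuid and /etc/subgid must delegate both ranges to root for the id_map lines to be accepted, and `cat /proc/self/uid_map` inside a running container is the quickest way to confirm the mapping actually took effect.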
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
