Great thanks to Fajar, Andrey, Jared and all of you. Usually on embedded systems our porting/upgrading strategy is as prudent as possible. My previous survey showed that GOLANG is either undone or not popular on embedded. I will survey the docs you mentioned and evaluate porting GOLANG and lxd then.
TC WU

2017-05-10 15:10 GMT+08:00 Fajar A. Nugraha <[email protected]>:

> On Wed, May 10, 2017 at 1:33 PM, T.C 吳天健 <[email protected]> wrote:
>
>> Fajar and Andrey,
>>
>> I run lxc-1.0 on an embedded system and I don't have lxd on that platform
>> (i.e. I cross-compile lxc-1.0 from scratch; no prebuilt package is available).
>> And yes, I run the container with root privilege.
>>
>
> I highly suggest you invest some time to port lxd there. It'd make some
> things a lot easier.
>
>> Can I have your mentioned features "use separate u/gid range for each
>> container" and "limits which device nodes (block and char) allowed in the
>> container" without the existence of lxd?
>>
>
> Without LXD? Best docs I can point you to are:
> - https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
>   (for example, find "lxc.cgroup.devices.allow" and "UID MAPPINGS" there)
> - https://github.com/lxc/lxc/tree/master/doc
> - https://stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
> - https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv
>
> A little note about the last two: they guide you to create user-owned
> unpriv containers. It's usually MUCH easier to manage (including setting
> autostart behavior) root-owned unpriv containers (which is basically what
> lxd does). Root-owned unpriv containers are similar to privileged
> containers, except that:
> - they have uid mapping configurations
> - the files in the rootfs have their u/gid shifted (e.g. with fuidshift)
>
> Again, the process is MUCH simpler if you have lxd (e.g. look for
> "security.idmap.isolated" in https://github.com/lxc/lxd/blob/master/doc/containers.md)
>
> --
> Fajar
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
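As an added example (not code from the thread or from the LXC project), the two features Fajar points at in lxc.container.conf without LXD: a POSIX shell helper that emits LXC 1.0 config lines giving each root-owned unprivileged container its own disjoint host uid/gid range (the effect of LXD's security.idmap.isolated) together with a deny-by-default device cgroup, plus a check that two containers' ranges do not overlap. The base offset, range size and slot numbering are assumptions; device majors/minors are the standard Linux ones.

```shell
#!/bin/sh
# Assumptions (constructed for this example): LXC 1.0 config syntax
# (lxc.id_map, lxc.cgroup.devices.*), user namespaces enabled on the host,
# and lxc-start run by root, so no /etc/subuid entries are needed.
BASE=100000      # first host uid/gid handed out to containers
RANGE=65536      # ids per container: a full 16-bit id space each

# Host uid/gid at which container slot N's range starts (N = 0, 1, 2, ...).
# Each slot is a disjoint slice, so a uid in one container's rootfs can never
# collide with a uid owned by another container.
range_start() {
    echo $(( BASE + $1 * RANGE ))
}

# lxc.id_map lines for a root-owned unprivileged container in slot N:
# container ids 0..RANGE-1 map to host ids start..start+RANGE-1.
idmap_config() {
    start=$(range_start "$1")
    printf 'lxc.id_map = u 0 %d %d\n' "$start" "$RANGE"
    printf 'lxc.id_map = g 0 %d %d\n' "$start" "$RANGE"
}

# Device cgroup lines: deny every device node, then allow only the minimal
# set a container needs (null, zero, random, urandom, tty, ptmx, pts).
devices_config() {
    cat <<'EOF'
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
EOF
}

# Returns 0 when two slots' host id ranges overlap: a misconfiguration that
# would let one container own files (and processes) of another.
ranges_overlap() {
    a=$(range_start "$1"); b=$(range_start "$2")
    [ "$a" -lt $(( b + RANGE )) ] && [ "$b" -lt $(( a + RANGE )) ]
}

# Full config fragment for slot N; append it to the container's config file.
container_config() {
    idmap_config "$1"
    devices_config
}
```

Before the container is started for the first time, the rootfs files must be shifted into the same range (Fajar's fuidshift step), otherwise they are owned by nobody inside the container.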
