Ubuntu Server Guide Changes, errors and bugs
Download 1.27 Mb. Pdf ko'rish
|
ubuntu-server-guide
|
Basic unprivileged usage
To create unprivileged containers, a few first steps are needed. You will need to create a default container configuration file, specifying your desired id mappings and network setup, as well as configure the host to allow the unprivileged user to hook into the host network. The example below assumes that your mapped user and group id ranges are 100000–165536. Check your actual user and group id ranges and modify the example accordingly: g r e p $USER / e t c / s u b u i d g r e p $USER / e t c / s u b g i d mkdir −p ~ / . c o n f i g / l x c echo ” l x c . id_map = u 0 100000 65536” > ~ / . c o n f i g / l x c / d e f a u l t . c o n f echo ” l x c . id_map = g 0 100000 65536” >> ~ / . c o n f i g / l x c / d e f a u l t . c o n f echo ” l x c . network . type = veth ” >> ~ / . c o n f i g / l x c / d e f a u l t . c o n f echo ” l x c . network . l i n k = l x c b r 0 ” >> ~ / . c o n f i g / l x c / d e f a u l t . c o n f echo ”$USER veth l x c b r 0 2” | sudo t e e −a / e t c / l x c / l x c −u s e r n e t After this, you can create unprivileged containers the same way as privileged ones, simply without using sudo. l x c −c r e a t e −t download −n u1 −− −d ubuntu −r DISTRO−SHORT−CODENAME −a amd64 l x c −s t a r t −n u1 −d l x c −a t t a c h −n u1 l x c −s t o p −n u1 l x c −d e s t r o y −n u1 Nesting In order to run containers inside containers - referred to as nested containers - two lines must be present in the parent container configuration file: l x c . mount . auto = cgroup l x c . a a _ p r o f i l e = l x c −c o n t a i n e r −d e f a u l t −with−n e s t i n g 120 The first will cause the cgroup manager socket to be bound into the container, so that lxc inside the container is able to administer cgroups for its nested containers. The second causes the container to run in a looser Apparmor policy which allows the container to do the mounting required for starting containers. Note that this policy, when used with a privileged container, is much less safe than the regular policy or an unprivileged container. See the Apparmor section for more information. Download 1.27 Mb. Do'stlaringiz bilan baham: 
|