You are not logged in.
- Topics: Active | Unanswered
#1 2016-11-26 14:39:03
- jjb2016
- Member
- From: Oxfordshire
- Registered: 2016-02-29
- Posts: 73
LXC - migrate existing privileged containers to unprivileged
Hi everyone - hope this is an appropriate section to post this in.
I have been using LXC containers on my box for various things for a while now, but only learned how to create and run privileged containers at first. they work great but I've recently learned about the difference between privileged and unprivileged containers, and how to setup the host to create and run unprivileged containers. Now I'd like to migrate my existing containers to unprivileged ones .... I've tried a few things already, which haven't worked.
Compiled a custom kernel with user namespaces enabled.
Setup /etc/subuid and /etc/subgid files.
Added lxc.id_map lines to my /etc/lxc/default.conf file.
After this I could create new arch containers unprivileged and they run fine. I noticed how from the host machined point of view the containers folder and rootfs folder is all owned by the mapped user:group (in my case 100000:100000).
So to try and migrate the existing containers I thought that all I would have to do is this:
Add the lxc.id_map lines to each containers config file.
Add the lxc.include = /usr/share/lxc/config/archlinux.userns.conf each containers config file.
Increment the user:group ownership of all the files in each containers rootfs by 100000 (I wrote a bash script to do this).
But after doing this they won't start up. Anybody know what else would need to be done to get them up and running?
Hope this all makes sense.
Thanks.
Offline
#2 2017-01-09 13:12:51
- graysky
- Wiki Maintainer
- From: :wq
- Registered: 2008-12-01
- Posts: 10,597
- Website
Re: LXC - migrate existing privileged containers to unprivileged
I was wondering the same; turns out it's more complicated. See: https://github.com/lxc/lxc/issues/1099
EDIT: The AUR contains a util that can do this conversion for you (pkgname = nsexec-brz). I edited the wiki, see here: https://wiki.archlinux.org/index.php/Li … _container
Compiled a custom kernel with user namespaces enabled.
Setup /etc/subuid and /etc/subgid files.
Added lxc.id_map lines to my /etc/lxc/default.conf file.
Would you consider either sharing the more precise steps (including the diffs in the kernel config you mentioned) either here or on the lxc wiki page? Odds are other users might want to repeat.
EDIT2: I think I hit all the points in these edits as well: https://wiki.archlinux.org/index.php?ti … did=461955
Last edited by graysky (2017-01-09 18:17:58)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline