April 12, 2022 Roberto Puzzanghera 0 comments
Handling LXC unprivileged containers as root is not possible with the default LXC programs, because they must be called by the user who owns them, and sometimes it is also necessary to specify the container's configuration file. For example, running lxc-ls as root shows all the unprivileged containers as stopped even when they are running, while lxc-start aborts the containers' startup sequence due to id mapping issues.
Since I prefer to run/stop/create/destroy/etc. my containers just by typing my commands as root, not after the usual su - owner each time, I wrote my own collection of wrapper scripts for the main LXC commands, just to simplify my tasks. In addition, all the containers will be created in the same directory, say
I use them both for privileged (owned by root itself) and unprivileged containers. In the latter case the owner of the container is determined dynamically.
These scripts allow an administrator to use LXC to run his applications in separate containers, each one (or group of them) run by a different user and id map.
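To show the idea behind such a wrapper, here is an added example (not the author's scripts): it reads the owner from the container's directory, passes the configuration file to lxc-start, runs the command through su - owner for unprivileged containers, and lists the state of each container by asking as its owner. The base directory, the "config" file name and the one-directory-per-container layout are assumptions.

```bash
#!/bin/bash
# Added example wrapper, not the author's scripts. Assumptions: every container
# is a directory $LXC_BASE/<name> holding its "config" file, owned by the user
# who runs it (root for privileged containers); LXC_BASE is a placeholder path.
LXC_BASE="${LXC_BASE:-/var/lib/lxc}"

# Owner of a container, read from its directory, so the wrapper need not be told.
lxc_owner() {
    local dir="$LXC_BASE/$1"
    [ -d "$dir" ] || { echo "no such container: $1" >&2; return 1; }
    stat -c '%U' "$dir"
}

# Print the command line lxc_run would execute: lxc_cmd ACTION NAME [extra args].
# lxc-start gets the config file explicitly (-f); an unprivileged container is
# run via su to its owner, which is what keeps the id map consistent.
lxc_cmd() {
    local action="$1" name="$2" owner args
    shift 2
    owner=$(lxc_owner "$name") || return 1
    args="lxc-$action -n $name"
    if [ "$action" = start ]; then
        args="$args -f $LXC_BASE/$name/config"
    fi
    if [ $# -gt 0 ]; then
        args="$args $*"
    fi
    if [ "$owner" = root ]; then
        printf '%s\n' "$args"
    else
        printf 'su - %s -c "%s"\n' "$owner" "$args"
    fi
}

# Execute the wrapped command; the wrapper itself must be run as root.
lxc_run() {
    local line
    line=$(lxc_cmd "$@") || return 1
    sh -c "$line"
}

# List every container with owner and state. Plain lxc-ls as root reports
# unprivileged containers as stopped, so the state is queried as the owner.
lxc_list() {
    local dir name owner
    for dir in "$LXC_BASE"/*/; do
        name=$(basename "$dir")
        owner=$(lxc_owner "$name") || continue
        printf '%-20s %-12s ' "$name" "$owner"
        lxc_run info "$name" -s 2>/dev/null || echo "state unknown"
    done
}
```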
I wrote them for my Slackware Linux distro, but I think that they remain valid for any other Linux flavor.
If you are a Slackware user and you are looking for unprivileged containers documentation, you should take a look at Chris Willings' guide, which was my starting point on this topic. Stéphane Graber's article is also suitable reading at the beginning.