Non-root lxc for juju

Registered by Patricia Gaughen on 2013-10-18

Discuss non-root lxc for juju

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
None
Direction:
Needs approval
Assignee:
None
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

1. Currently in 14.04 root can create a container in a user namespace so that the container does not have any root privilege over the host.
2. Work is still to be done to finish enabling non-root users to create and start containers:
    a. The uidmap package allows use of subuid ranges by unprivileged users
    b. lxc ships a 'lxc-user-nic' program which allows unprivileged users to request a limited number of nics to be assigned to specified bridges and passed into a netns.
    c. lxc currently will avoid trying to create new cgroups for containers started by unprivileged users.

Creation of a container by an unprivileged user currently needs to be done using a modified ubuntu-cloud template, since debootstrap won't run if it cannot create devices.

We might want to consider allowing unprivileged users to create certain innocuous devices (this is a kernel patch) like /dev/null and /dev/zero. In lieu of that we currently bind-mount those devices into the container.

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.