mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-08-05 13:27:09 +02:00
f78de62584
this enables unprivileged lxc containers on the vanilla kernel full instructions in README.alpine
32 lines
1.1 KiB
Plaintext
32 lines
1.1 KiB
Plaintext
Alpine Linux unprivileged LXC containers
|
|
========================================
|
|
|
|
At the moment unprivileged containers are only working with linux-vanilla.
|
|
|
|
They may work with grsecurity in the future with the following disabled:
|
|
|
|
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
|
|
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_pivot
|
|
echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
|
|
|
|
see also: https://en.wikibooks.org/wiki/Grsecurity/Runtime_Configuration
|
|
-------------------------------------------------------------------------------
|
|
|
|
Instructions:
|
|
-------------
|
|
|
|
(a) add the name(s) of the containers to run unprivileged to /etc/conf.d/lxcfs
|
|
(b) rc-service lxcfs setup => converts privileged => unprivileged containers
|
|
=> creates /etc/subuid & /etc/subgid
|
|
(c) rc-service lxcfs start
|
|
(d) rc-update add lxcfs
|
|
(e) rc-service lxcfs info => print & add config file settings to the containers
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
Start the container & verify processes are running unprivileged:
|
|
|
|
ps aux | grep 100000
|
|
|
|
|