Talk:LXC

From Gentoo Wiki

Unprivileged containers section confusing

Talk status
This discussion is done.

The section about unprivileged containers is confusing: the author creates an "lxc" user and adds subuids/subgids for that user, but in fact it seems he's creating/starting the container from a root prompt...

If there's no need to give a user permissions to create/start containers, you don't need to create any lxc user in order to create/start an unprivileged container.

All you need to do is create subuids/subgids for the root user, add lxc.id_map parameters to the container's config and create/start the container as root.

Moreover, using subuids/subgids 100000-165536 didn't work on my hardened box, but 10000-65536 did. — The preceding unsigned comment was added by Skunk (talkcontribs) 22 February 2016‎

Answer: right. With the latest edit this issue is fixed. — The preceding unsigned comment was added by Feniksa (talkcontribs) September 12, 2016‎

Is "MAJOR temporary problems with LXC" section still needed?

Talk status
This discussion is done.

From what I understand from the linked page, user namespaces are now fully implemented and unprivileged containers are now safe. Couldn't we replace this section with a short description of privileged and unprivileged containers?

Vdupras (talk) 15:27, 8 December 2017 (UTC)

Answer - I renamed it to something less scary and got rid of the obsolete links. Rage (talk) 01:20, 15 June 2018 (UTC)

cgmanager deprecated

Talk status
This discussion is still ongoing.

The cgmanager has become deprecated (see https://github.com/lxc/cgmanager). It is also not working anymore with current systemd builds: https://github.com/lxc/cgmanager/issues/32 https://github.com/lxc/lxc/issues/1554 As a workaround, the use of the PAM module which ships with LXCFS is suggested, but it looks like this does not work with the current Gentoo ebuilds.

Text is too long and should be split

Talk status
This discussion is still ongoing.

The first statement is all that is necessary (I mean from the first paragraph). All other feature comparisons should be moved to the end of the article, as links to separate pages. The reader of this article wants to know what to merge, how to check the kernel readiness, and how to configure unprivileged containers. Even the distribution server is not important, because a Gentoo user will not trust third-party binaries (and its description can be moved to a separate page).

Einstok Fair (talk) 10:02, 1 June 2021 (UTC)

Several containers in parallel

Talk status
This discussion is still ongoing.

If one wants several containers with different subranges, should she create several users (lxc1, lxc2 and so on)?

Einstok Fair (talk) 10:02, 1 June 2021 (UTC)

Answer: It is possible to create another container from the same user (for example, lxc).
See the lxc-create and lxc-start -n container_name commands.
— The preceding unsigned comment was added by Feniksa (talkcontribs) 2022-07-11T14:22:16
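The following script is an added example illustrating both the unprivileged-container setup discussed in the first thread above and the answer to this one; it is not code from the wiki article or from the LXC project. It emits the id-mapping lines for a container config (the key is lxc.idmap in LXC 3 and later, lxc.id_map in the older releases the first thread refers to), checks that a /etc/subuid or /etc/subgid file actually grants the running user the whole range the container will use, and checks that two containers run by the same user get non-overlapping slices of that user's allocation. The subuid contents, the user name lxc, the ranges and the function names are constructed for the demonstration and are not taken from the page; run the checks against the real /etc/subuid and /etc/subgid on your host.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page or the LXC project).
# Helpers for setting up unprivileged LXC containers: generate lxc.idmap
# lines and verify the host really grants the sub-id range to the user.

# Print the uid and gid mapping lines for a container config.
# $1 = config key (lxc.idmap for LXC >= 3, lxc.id_map for older releases)
# $2 = first host id of the range, $3 = number of ids
idmap_config() {
    key=$1; start=$2; count=$3
    printf '%s = u 0 %s %s\n' "$key" "$start" "$count"
    printf '%s = g 0 %s %s\n' "$key" "$start" "$count"
}

# Return 0 if FILE (format of /etc/subuid and /etc/subgid: user:start:count)
# gives USER a single allocation containing [START, START+COUNT).
# lxc-start fails with an id-mapping error if this check does not pass.
# $1 = file, $2 = user, $3 = first host id, $4 = count
subid_covers() {
    file=$1; user=$2; want_start=$3; want_count=$4
    want_end=$((want_start + want_count))
    while IFS=: read -r name range_start range_count; do
        [ "$name" = "$user" ] || continue
        range_end=$((range_start + range_count))
        if [ "$want_start" -ge "$range_start" ] && [ "$want_end" -le "$range_end" ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# Return 0 if the host ranges [S1, S1+C1) and [S2, S2+C2) do not overlap.
# Containers run by the same user should get disjoint slices; if two
# containers share host ids, root in one is the same host uid as root in
# the other, and their files are mutually writable.
ranges_disjoint() {
    s1=$1; c1=$2; s2=$3; c2=$4
    [ $((s1 + c1)) -le "$s2" ] || [ $((s2 + c2)) -le "$s1" ]
}

# --- demonstration on a constructed subuid file (not a real host file) ---
demo_subuid=$(mktemp)
# constructed: one allocation of 131072 ids for the user "lxc"
printf 'lxc:100000:131072\n' > "$demo_subuid"

# Two containers started by the same user, each with its own 65536-id slice
# of that single allocation; no second user account is needed.
echo "# container 1"; idmap_config lxc.idmap 100000 65536
echo "# container 2"; idmap_config lxc.idmap 165536 65536

subid_covers "$demo_subuid" lxc 100000 65536 && echo "container 1 range is granted to lxc"
subid_covers "$demo_subuid" lxc 165536 65536 && echo "container 2 range is granted to lxc"
subid_covers "$demo_subuid" lxc 200000 65536 || echo "200000-265535 is NOT granted to lxc"
ranges_disjoint 100000 65536 165536 65536 && echo "the two slices do not overlap"
rm -f "$demo_subuid"
```

Run subid_covers once against /etc/subuid and once against /etc/subgid, with the same start and count you put in the container config, before the first lxc-start; a range that is only partly inside the allocation is rejected by the check, and would be rejected by newuidmap at start as well.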

Isolating desktop GUI applications

Talk status
This discussion is still ongoing.

Is it possible to connect a container to the host's graphical server (xorg-server)? What should be done with the magic cookies?

Einstok Fair (talk)

How unprivileged containers should be started from systemd?

Talk status
This discussion is still ongoing.

lxc@guestname.service can take guestname as the parameter, but where and how do you tell it that the container should be started as a specific user?

In other words, how do you configure systemd's lxc@guestname.service for an unprivileged container (to start as a specific user instead of root)?

Einstok Fair (talk) 04:20, 7 June 2021 (UTC)

Tell users about /usr/libexec/lxc/lxc-net, maybe even expose it as a service in OpenRC/systemd

Talk status
This discussion is still ongoing as of 2024-10-16.

Linux distributions like Debian and Ubuntu use the above script as the underlying mechanism to stop and start the lxc service (similar to "docker"). This script saves a lot of manual work and allows isolating lxc containers behind a bridge, like docker containers.