Update getting-started.md #719
base: main
Updated to reflect necessary steps when creating and using unprivileged containers as a user. These steps became clear as I tried following the getting-started guide without them.
Signed-off-by: xmready <[email protected]>
content/lxc/getting-started.md
Outdated
It is not possible to simply start a container from a shell as a user and automatically delegate a cgroup. Therefore, you need to wrap each call to any of the `lxc-*` commands in a `systemd-run` command. For example, to start a container, use the following command instead of just `lxc-start mycontainer`: | ||
In newer versions of lxc, to start a container, use the following command instead of just `lxc-start mycontainer`: | ||
|
||
lxc-unpriv-start --name mycontainer |
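Review bot: the replacement at the first changed line drops the explanation of why a bare `lxc-start mycontainer` fails for an unprivileged user (a plain shell has no cgroup delegated to it) and swaps the `systemd-run` wrapping for `lxc-unpriv-start`, which the maintainer comment on this hunk identifies as a distro-specific command rather than an upstream one; keep the cgroup-delegation sentence, say that `lxc-unpriv-start` is shipped by some distributions only, and leave the `systemd-run` form as the upstream fallback. "In newer versions of lxc" should also name a version or be dropped, since the availability of the wrapper depends on the distribution, not the LXC release.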
This is a distro-specific command, not an upstream one
content/lxc/getting-started.md
Outdated
@@ -443,7 +452,7 @@ You can then confirm its status with either of: | |||
|
|||
And get a shell inside it with: | |||
|
|||
lxc-attach --name mycontainer | |||
lxc-unpriv-attach --name mycontainer |
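Review bot: the `lxc-attach --name mycontainer` to `lxc-unpriv-attach --name mycontainer` swap has the same portability problem as the start command: readers on a system without that wrapper get no working alternative, and the earlier section's rule that every `lxc-*` call needs the same `systemd-run` delegation applies to attach as well. Suggest keeping `lxc-attach` as the documented upstream command and listing `lxc-unpriv-attach` as an alternative where the distribution provides it.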
This is a distro-specific command, not an upstream one
For distros without lxc-unpriv-attach, how are users supposed to attach to unprivileged containers? It fails with permission errors.
@stgraber would you care to answer so that I may fix this document properly?
content/lxc/getting-started.md
Outdated
With that done, the last step is to create an LXC configuration file. | ||
|
||
* Create the `~/.config/lxc` directory if it doesn't exist. | ||
* Copy `/etc/lxc/default.conf` to `~/.config/lxc/default.conf` | ||
* Set `lxc.apparmor.profile = lxc-container-default-cgns` |
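Review bot: the third bullet tells readers of the unprivileged-container section to set `lxc.apparmor.profile = lxc-container-default-cgns` without saying why the copied `/etc/lxc/default.conf` does not work as-is or what the `-cgns` variant additionally permits. A getting-started default should be the restrictive `lxc-container-default` profile, with the cgns variant documented as an opt-in for the specific failure it works around, and the bullet should state that failure so readers can tell whether they need it.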
This allows things we should not allow by default. Yes, modern systemd needs it in some cases, but it's still not a good idea to have it recommended by default.
It's clear that copying the default config as recommended has generate set, which fails for unprivileged containers started by a user. Considering this part of the guide is for that use case, what would be the recommended default if the current recommendation fails?
`lxc-container-default` is the safe profile
Okay. I guess that is confusing given the manpages saying:
"The default is lxc-container-default-cgns if the host kernel is cgroup namespace aware, or lxc-container-default otherwise."
"`lxc-container-default` is the safe profile"
Is `lxc-container-default` only recommended for non-cgroup systems? Is there ever a time when `lxc-container-default` is appropriate for cgroup v2 systems? Can you be a little more explicit about these safety problems you are referring to?
Signed-off-by: xmready <[email protected]>
Thanks. These are good points to add. However, hardcoding uid 1000 is not right. How about using `id -u` and `-g`?
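The objection above to a hardcoded uid 1000 applies to anything in the per-user config that embeds the caller's ids. As an added example, not code from PR #719 or from the LXC getting-started guide, the POSIX shell below derives the per-user `~/.config/lxc/default.conf` from the user name (`id -un` at the call site) and the subordinate ranges in `/etc/subuid` and `/etc/subgid`, and writes the `lxc-container-default` profile the maintainer calls the safe one instead of the `-cgns` variant from the diff. It assumes those files use the usual `name:start:count` format keyed by user name; the `lxc.idmap` key is the standard LXC id-mapping key, and the function names are my own. The PR commit that hardcodes uid 1000 is not shown on this page, so the example targets the id mapping, which is where a caller's ids normally end up.

```shell
#!/bin/sh
# Added example (not code from PR #719 or from the LXC guide): build the
# per-user ~/.config/lxc/default.conf for unprivileged containers without
# hardcoding a uid. Subordinate ranges are read from /etc/subuid and
# /etc/subgid, assumed to use the "name:start:count" format keyed by user
# name; the user name comes from `id -un` at the call site.

# idmap_lines USER SUBUID_FILE SUBGID_FILE
# Prints the two lxc.idmap lines mapping container root (0) onto USER's
# subordinate uid/gid range. Fails if USER has no range in either file.
idmap_lines() {
    user=$1; subuid=$2; subgid=$3
    u=$(awk -F: -v u="$user" '$1 == u { print "lxc.idmap = u 0 " $2 " " $3; exit }' "$subuid")
    g=$(awk -F: -v u="$user" '$1 == u { print "lxc.idmap = g 0 " $2 " " $3; exit }' "$subgid")
    if [ -z "$u" ] || [ -z "$g" ]; then
        echo "no subordinate id range for '$user' in $subuid / $subgid" >&2
        return 1
    fi
    printf '%s\n%s\n' "$u" "$g"
}

# make_user_default_conf SYSTEM_CONF DEST USER SUBUID_FILE SUBGID_FILE
# Copies SYSTEM_CONF (normally /etc/lxc/default.conf) to DEST, stripping any
# idmap or AppArmor lines it carries, then appends the user's own id mapping
# and the restrictive profile the maintainer in this thread calls the safe one.
make_user_default_conf() {
    src=$1; dest=$2; user=$3; subuid=$4; subgid=$5
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1
    # grep -v exits 1 when nothing survives the filter; an empty base is fine.
    grep -v -E '^lxc\.(idmap|apparmor\.profile)[[:space:]]*=' "$src" > "$dest" || true
    idmap_lines "$user" "$subuid" "$subgid" >> "$dest" || return 1
    echo 'lxc.apparmor.profile = lxc-container-default' >> "$dest"
}

# Typical call for the current user (not executed here):
#   make_user_default_conf /etc/lxc/default.conf "$HOME/.config/lxc/default.conf" \
#       "$(id -un)" /etc/subuid /etc/subgid
```

Because the mapping is looked up by the caller's name, the same script works for any user with a subordinate range, and a user without one gets an explicit error instead of a config that fails later at `lxc-start`.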