Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow LXD drivers to remap the image filesystem #3258

Open
dann1 opened this issue Apr 23, 2019 · 2 comments

Comments

@dann1
Copy link
Contributor

commented Apr 23, 2019

Description
Through the use of security.privileged LXD can start a container as privileged or unprivileged. When the key is set to true/false, on the next start action, the container will be started as privileged or unprivileged. On the next start action, if the value of security.privileged differs, at the time of starting, differs from the last value when the container started, the container rootfs will be remapped accordingly.

Currently, the LXD drivers do not perform that remmaping, due to the fact that the container is deleted during the OpenNebula shutdown action. This limits the support to deploying privileged and unprivileged containers to the conditions of the image rootfs. If the image has the set of ids belonging to the root user, like the KVM images and the images from the LXD marketplace, the VM created from that image will only work properly under LXD_SECURITY_PRIVILEGED = true. Then, in order to create an unprivileged container, the user would have to provide an image with the set of ids stated in the default lxd profile.

Use case

  • Deploy a privileged or unprivileged container regardless of the image id set.
  • More compatibility with KVM apps from the marketplace by avoiding stating LXD_SECURITY_PRIVILEGED = true

Additional Context
There is a tool called fuidshift that could help with this

Progress Status

  • Branch created
  • Code committed to development branch
  • Testing - QA
  • Documentation
  • Release notes - resolved issues, compatibility, known issues
  • Code committed to upstream release/hotfix branches
  • Documentation committed to upstream release/hotfix branches
@JPaulMora

This comment has been minimized.

Copy link

commented Jul 28, 2019

Hi, I too am interested in running/converting all my images to unprivileged. Could we move this up the priority list as a way to make ON safer by default?

@dann1

This comment has been minimized.

Copy link
Contributor Author

commented Jul 29, 2019

Could you add an emoji upvote for the description ? It helps us keep track on interest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.