Subject: Re: [alpine-user] liblxc segfaults when trying to start unprivileged container
From: Chloe Kudryavtsev
To: alpine-user@lists.alpinelinux.org
Date: Fri, 29 Mar 2019 13:21:21 -0400

On 3/29/2019 4:43 AM, paul gauret wrote:
> in my case doing everything with root.
>> Privileged containers work just fine.

We're missing kernel.unprivileged_userns_clone for whatever reason.
You have to enable that to run things as non-root (which I suspect you're trying to do).

Spun up a VM to test: unprivileged containers are just fine as root, but not as a user (in the latter case you get a segfault - likely because an unprivileged user is trying to userns clone without having the right to :) )

I suppose the question now becomes "why are we missing that option".

In the interim, feel free to have root-owned unprivileged containers (you can give root subuids just like everywhere else, and everything ends up running as UID 100000 or whatever you use).
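A pre-flight check for the two conditions this message describes (the kernel.unprivileged_userns_clone setting and a subuid/subgid range for the account starting the container), as an added example that is not part of the original post. The function names are hypothetical, and treating an absent sysctl file as "not restricted by this knob" is an assumption about kernels that do not carry the patch.

```shell
# Added example; function names are hypothetical. File paths are parameters
# so the logic can be exercised on constructed files as well as the real ones.

# userns_clone_state [FILE] -> prints enabled | disabled | absent
# Assumption: a kernel without this sysctl does not gate user namespaces
# through this knob, so "absent" is not treated as a blocker below.
userns_clone_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || { echo absent; return; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# subid_range USER FILE -> prints "START COUNT" of USER's first range,
# returns non-zero when USER has no usable entry in FILE.
subid_range() {
    awk -F: -v u="$1" '
        $1 == u && $3 > 0 { print $2, $3; found = 1; exit }
        END { exit !found }' "$2"
}

# can_start_unprivileged USER [SYSCTL_FILE] [SUBUID_FILE] [SUBGID_FILE]
# root holds CAP_SYS_ADMIN, so only non-root users depend on the sysctl;
# both need subordinate ID ranges for the container's UID/GID mapping.
can_start_unprivileged() {
    user=$1
    knob=${2:-/proc/sys/kernel/unprivileged_userns_clone}
    subuid=${3:-/etc/subuid}
    subgid=${4:-/etc/subgid}
    subid_range "$user" "$subuid" >/dev/null ||
        { echo "no subuid range for $user in $subuid"; return 1; }
    subid_range "$user" "$subgid" >/dev/null ||
        { echo "no subgid range for $user in $subgid"; return 1; }
    if [ "$user" != root ] && [ "$(userns_clone_state "$knob")" = disabled ]; then
        echo "kernel.unprivileged_userns_clone=0: $user cannot create a user namespace"
        return 1
    fi
    echo "ok: $user maps to host UID $(subid_range "$user" "$subuid" | cut -d' ' -f1)"
}
```

Source the file and run `can_start_unprivileged "$(id -un)"` to check the current account against the live system files.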