example, a process running as UID and GID 0 inside the container might
appear as UID and GID 100000 on the host. The implementation and working
details can be gathered from the corresponding user namespace man page.
- UID and GID mappings can be defined with the <option>lxc.id_map</option>
+ UID and GID mappings can be defined with the <option>lxc.idmap</option>
key.
-->
本質的には、ユーザ名前空間は与えられた UID、GID の組を隔離します。ユーザ名前空間は、ホスト上の UID、GID のある範囲を、それとは異なるコンテナ上の UID、GID の範囲へマッピングすることで実現します。カーネルは、ホスト上では実際には UID、GID は特権を持たないにも関わらず、コンテナ内ではすべての UID、GID が期待されるように見えるように変換を行います。
- 例えば、コンテナ内では UID、GID が 0 として実行中のプロセスは、ホスト上では UID、GID が 100000 として見えるでしょう。実装と動作の詳細は、ユーザ名前空間の man ページから得られます。UID と GID のマッピングは <option>lxc.id_map</option> を使って定義できます。
+ 例えば、コンテナ内では UID、GID が 0 として実行中のプロセスは、ホスト上では UID、GID が 100000 として見えるでしょう。実装と動作の詳細は、ユーザ名前空間の man ページから得られます。UID と GID のマッピングは <option>lxc.idmap</option> を使って定義できます。
</para>
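Review bot: the key rename is applied consistently to both the commented English source and the Japanese paragraph (`<option>lxc.idmap</option>` in both), so the two stay in step. One small documentation point in the unchanged context: "the corresponding user namespace man page" could name the page, user_namespaces(7), so readers know which one to open; if that wording is touched, apply the same to the Japanese sentence "ユーザ名前空間の man ページから得られます".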
<para>
<variablelist>
<varlistentry>
<term>
- <option>lxc.id_map</option>
+ <option>lxc.idmap</option>
</term>
<listitem>
<para>
この設定は、コンテナ内のユーザとグループ両方の id 0-9999 の範囲を、ホスト上の 100000-109999 へマッピングします。
</para>
<programlisting>
- lxc.id_map = u 0 100000 10000
- lxc.id_map = g 0 100000 10000
+ lxc.idmap = u 0 100000 10000
+ lxc.idmap = g 0 100000 10000
</programlisting>
</refsect2>
<variablelist>
<varlistentry>
<term>
- <option>lxc.id_map</option>
+ <option>lxc.idmap</option>
</term>
<listitem>
<para>
이 설정은 UID와 GID 둘다를 컨테이너의 0 ~ 9999를 호스트의 100000 ~ 109999로 매핑한다.
</para>
<programlisting>
- lxc.id_map = u 0 100000 10000
- lxc.id_map = g 0 100000 10000
+ lxc.idmap = u 0 100000 10000
+ lxc.idmap = g 0 100000 10000
</programlisting>
</refsect2>
example, a process running as UID and GID 0 inside the container might
appear as UID and GID 100000 on the host. The implementation and working
details can be gathered from the corresponding user namespace man page.
- UID and GID mappings can be defined with the <option>lxc.id_map</option>
+ UID and GID mappings can be defined with the <option>lxc.idmap</option>
key.
</para>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.dir</option>
+ </term>
+ <listitem>
+ <para>
+ specify a directory or path in which the container's cgroup will
+ be created. For example, setting
+ <option>lxc.cgroup.dir = my-cgroup/first</option> for a container
+ named "c1" will create the container's cgroup as a sub-cgroup of
+ "my-cgroup". For example, if the user's current cgroup "my-user"
+ is located in the root cgroup of the cpuset controllerin in a
+ cgroup v1 hierarchy this would create the cgroup
+ "/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the
+ container. Any missing cgroups will be created by LXC. This
+ presupposes that the user has write access to its current cgroup.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
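Review bot: this hunk adds documentation for an unrelated key (`lxc.cgroup.dir`) inside a commit whose subject is the `lxc.id_map` to `lxc.idmap` rename; it would be cleaner as its own commit. On the text itself: "specify a directory" at the start of the entry should be capitalised, "controllerin" should be "controller", and the two back-to-back sentences starting "For example" read awkwardly (the second could start "If, say, the user's current cgroup ..."). The closing caveat "This presupposes that the user has write access to its current cgroup" is the important security-relevant statement here and is worth keeping prominent: LXC will create any missing cgroups, so a user who cannot write to their own cgroup will get a failure, not a silent fallback.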
<variablelist>
<varlistentry>
<term>
- <option>lxc.id_map</option>
+ <option>lxc.idmap</option>
</term>
<listitem>
<para>
range 0-9999 in the container to the ids 100000-109999 on the host.
</para>
<programlisting>
- lxc.id_map = u 0 100000 10000
- lxc.id_map = g 0 100000 10000
+ lxc.idmap = u 0 100000 10000
+ lxc.idmap = g 0 100000 10000
</programlisting>
</refsect2>
}
/*
- * TODO: this should be re-written to use the get_config_item("lxc.id_map")
+ * TODO: this should be re-written to use the get_config_item("lxc.idmap")
* cmd api instead of getting the idmap from c->lxc_conf. The reason is
* that the id_maps may be different if the container was started with a
* -f or -s argument.
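Review bot: the TODO now says get_config_item("lxc.idmap") but the next line still talks about "the id_maps"; since this commit retires the old spelling, consider "the idmap entries may be different" (or name the field `c->lxc_conf` holds explicitly) so the comment does not keep the old key name alive. The rationale itself, that a container started with -f or -s can carry a different mapping than the on-disk config, still holds and is the reason the cmd API is the right source of truth here.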
ERROR("To pass uid mappings to lxc-create, you could create");
ERROR("~/.config/lxc/default.conf:");
ERROR("lxc.include = %s", LXC_DEFAULT_CONFIG);
- ERROR("lxc.id_map = u 0 %u %u", uid, urange);
- ERROR("lxc.id_map = g 0 %u %u", gid, grange);
+ ERROR("lxc.idmap = u 0 %u %u", uid, urange);
+ ERROR("lxc.idmap = g 0 %u %u", gid, grange);
free(gname);
free(uname);
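Review bot: the user-facing hint is updated to `lxc.idmap`, which is correct, but because this is a rename of a key users write into ~/.config/lxc/default.conf by hand, the review question is what happens to existing files that still say `lxc.id_map`: either the parser keeps accepting the old spelling (ideally with a deprecation warning) or it rejects it with an error that names the new key. Nothing in this hunk shows which; if the old key is now rejected, that should be stated in the commit message and release notes, since an unprivileged user whose mapping silently stops applying would fall back to a non-user-namespaced configuration or a failed start.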
/*
* id_map is an id map entry. Form in confile is:
- * lxc.id_map = u 0 9800 100
- * lxc.id_map = u 1000 9900 100
- * lxc.id_map = g 0 9800 100
- * lxc.id_map = g 1000 9900 100
+ * lxc.idmap = u 0 9800 100
+ * lxc.idmap = u 1000 9900 100
+ * lxc.idmap = g 0 9800 100
+ * lxc.idmap = g 1000 9900 100
* meaning the container can use uids and gids 0-99 and 1000-1099,
* with [ug]id 0 mapping to [ug]id 9800 on the host, and [ug]id 1000 to
* [ug]id 9900 on the host.
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
-lxc.id_map = u 0 910000 9999
-lxc.id_map = g 0 910000 9999
+lxc.idmap = u 0 910000 9999
+lxc.idmap = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR
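Review bot: the mapping written here uses a count of 9999 (`lxc.idmap = u 0 910000 9999`), so container ids 0-9998 are mapped and id 9999 is left unmapped, whereas the usernic test below uses 10000 for the same base. Harmless for the test as long as nothing in the container touches id 9999, but if the difference is not intentional, aligning both on 10000 avoids a confusing off-by-one when someone later debugs a "no such user" inside the test container. The same heredoc appears a second time below for another script; the observation applies to both. Also, `$HDIR` and `$TUSER` are unquoted in the `chown -R $TUSER: $HDIR` context line; quoting them is cheap insurance for paths with spaces.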
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
-lxc.id_map = u 0 910000 9999
-lxc.id_map = g 0 910000 9999
+lxc.idmap = u 0 910000 9999
+lxc.idmap = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR
mkdir -p /home/usernic-user/.config/lxc/
cat > /home/usernic-user/.config/lxc/default.conf << EOF
lxc.net.0.type = empty
-lxc.id_map = u 0 910000 10000
-lxc.id_map = g 0 910000 10000
+lxc.idmap = u 0 910000 10000
+lxc.idmap = g 0 910000 10000
EOF
if which cgm >/dev/null 2>&1; then
return -1;
}
+ /* lxc.idmap
+ * We can't really save the config here since save_config() wants to
+ * chown the container's directory but we haven't created an on-disk
+ * container. So let's test set-get-clear.
+ */
+ if (set_get_compare_clear_save_load(
+ c, "lxc.idmap", "u 0 100000 1000000000", NULL, false) < 0) {
+ lxc_error("%s\n", "lxc.idmap");
+ goto non_test_error;
+ }
+
+ if (!c->set_config_item(c, "lxc.idmap", "u 1 100000 10000000")) {
+ lxc_error("%s\n", "failed to set config item "
+ "\"lxc.idmap\" to \"u 1 100000 10000000\"");
+ return -1;
+ }
+
+ if (!c->set_config_item(c, "lxc.idmap", "g 1 100000 10000000")) {
+ lxc_error("%s\n", "failed to set config item "
+ "\"lxc.idmap\" to \"g 1 100000 10000000\"");
+ return -1;
+ }
+
+ if (!c->get_config_item(c, "lxc.idmap", retval, sizeof(retval))) {
+ lxc_error("%s\n", "failed to get config item \"lxc.cgroup\"");
+ return -1;
+ }
+
c->clear_config(c);
c->lxc_conf = NULL;
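Review bot: the error message in the final get_config_item branch names the wrong key (`"failed to get config item \"lxc.cgroup\""` while the call asks for "lxc.idmap"); fix the string so a failure is attributed to the right test. Two further points on the same hunk: after the two set_config_item calls for "u 1 100000 10000000" and "g 1 100000 10000000", the value read back into `retval` is never compared with the expected rendered mappings, so the test only proves that get succeeds, not that both entries were stored; and the first failure path logs just `lxc_error("%s\n", "lxc.idmap")`, which is less informative than the "failed to set config item ..." messages used right after it. The explanatory comment about not being able to save_config() without an on-disk container is useful and should stay.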
if [[ $unprivileged && $unprivileged == true ]] ; then
if [[ $flush_owner == true ]] ; then
unprivileged_options="
-lxc.id_map = u 0 ${mapped_uid} 65536
-lxc.id_map = g 0 ${mapped_gid} 65536
+lxc.idmap = u 0 ${mapped_uid} 65536
+lxc.idmap = g 0 ${mapped_gid} 65536
"
fi