[systemd-devel] systemd-nspawn create container under unprivileged user

[Lennart Poettering]

On Thu, 05.02.15 02:03, Vasiliy Tolstov (v.tolstov at selfip.ru) wrote:

> Hello!
> Does it possible to create container as regular user? Oh what capabilities
> i need to add to create container not using root?

Invoking containers without privileges is not supported by nspawn, and
this is unlikely to change, as I fail to see any strong usecase for
this... 

If somebody can englighten me about the usecase for allowing
containers to be run by unprivileged users, I'd be willing to change
my mind though...

Note that to my knowledge any support for unprivileged containers has
been disabled in the kernel on many distros though including Fedora's,
since it's basically one giant security hole.

Note that many of machinectl's commands involve polkit checks, which
means it's easy to open them up for unprivileged clients. However,
in that case the containers would be forked off and maintained
privileged, only the clients will be unprivileged...

LXC supports unprivileged containers though, this might be an option
for you.

Lennart

-- 
Lennart Poettering, Red Hat