[systemd-devel] systemd-nspawn create container under unprivileged user
Lennart Poettering
lennart at poettering.net
Tue Feb 10 03:52:34 PST 2015
On Thu, 05.02.15 02:03, Vasiliy Tolstov (v.tolstov at selfip.ru) wrote:
> Hello!
> Does it possible to create container as regular user? Oh what capabilities
> i need to add to create container not using root?
Invoking containers without privileges is not supported by nspawn, and
this is unlikely to change, as I fail to see any strong usecase for
this...
If somebody can englighten me about the usecase for allowing
containers to be run by unprivileged users, I'd be willing to change
my mind though...
Note that to my knowledge any support for unprivileged containers has
been disabled in the kernel on many distros though including Fedora's,
since it's basically one giant security hole.
Note that many of machinectl's commands involve polkit checks, which
means it's easy to open them up for unprivileged clients. However,
in that case the containers would be forked off and maintained
privileged, only the clients will be unprivileged...
LXC supports unprivileged containers though, this might be an option
for you.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list