Quoting Gleb Peregud (<email address hidden>):
> Oops, missed the point that lxc-setcap is not recommended. Thank you for
> the response!
>
> Is it possible to get it to work using some yet-unsupported version of
> the kernel? Can you point out some feature status document where I can
> read about what is missing?
The last time I set up containers working with user namespaces I
documented it at
http://s3hh.wordpress.com/2012/10/31/full-ubuntu-container-confined-in-a-user-namespace/
Most of the kernel patches in there were actually just accepted
into Linus' tree at the last (current?) window.
However, to get what you want, we need one more step of splitting
up the lxc tools a bit to support use by unprivileged users. (A
few things will still require privilege, like hooking the host
end of the container's network tunnel into the host bridge, and
setting up the uid mapping. Those will become usable by unprivileged
users once they've been authorized - for instance an admin with
privilege will authorize uid 1000 to map userids 100,000-199,999.)
The plan right now is to do that work during the next (13.10) cycle.
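
The authorization step described above (an admin allowing uid 1000 to map userids 100,000-199,999), sketched as an added example that is not part of the original message and is not lxc or kernel code: a check that a requested uid_map stays inside the delegated range. The DELEGATED table and all function names are hypothetical; the three-field uid_map line format is the kernel's.

```python
# Added example: constructed policy table, not lxc or kernel code.
# Hypothetical delegation: owner uid -> list of (first_host_uid, count).
DELEGATED = {1000: [(100000, 100000)]}  # uid 1000 may map 100,000-199,999

UID_MAX = 2**32 - 1  # uids are 32-bit; the all-ones value is the invalid uid

def parse_uid_map(text):
    """Parse uid_map lines: '<id-inside-ns> <id-on-host> <count>'."""
    extents = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("expected 3 fields: %r" % line)
        inside, host, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or host < 0:
            raise ValueError("non-positive count or negative id: %r" % line)
        if inside + count - 1 >= UID_MAX or host + count - 1 >= UID_MAX:
            raise ValueError("range leaves the 32-bit uid space: %r" % line)
        extents.append((inside, host, count))
    return extents

def overlaps(a_start, a_count, b_start, b_count):
    return a_start < b_start + b_count and b_start < a_start + a_count

def is_authorized(requester_uid, map_text, delegated=DELEGATED):
    """True only if every host range is the requester's own uid or lies
    entirely inside a range delegated to that requester."""
    try:
        extents = parse_uid_map(map_text)
    except ValueError:
        return False
    if not extents:
        return False
    for i, (inside, host, count) in enumerate(extents):
        own = host == requester_uid and count == 1
        granted = any(start <= host and host + count <= start + n
                      for start, n in delegated.get(requester_uid, []))
        if not (own or granted):
            return False
        # Reject extents that overlap each other on either side of the map.
        for o_inside, o_host, o_count in extents[:i]:
            if (overlaps(inside, count, o_inside, o_count)
                    or overlaps(host, count, o_host, o_count)):
                return False
    return True
```

The cases worth checking are the boundaries: a range that starts inside the grant but runs one uid past its end, and a request for host uid 0.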