fmt:/etc# ls -l *id
-rw-r--r-- 1 root root 18 Dec 30 06:06 subgid
-rw-r--r-- 1 root root 18 Dec 30 06:06 subuid
fmt:/etc# cat *id
root:100000:65536
root:100000:65536
fmt:/etc#
This allows root to create unprivileged LXC containers, but not anybody else.
subuid and subgid files need to have one entry per user, on non-overlapping ranges.
Once assigned, the range cannot change, otherwise the user's containers cannot start again.
I'd suggest deriving user ranges from their uids.
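One way to derive per-user ranges from uids with getent and awk, as an added example that is not the command posted in the thread. The function names, the base 165536 (chosen to start just past the root:100000:65536 entry shown above) and the uid window 1000 to 60000 are assumptions, and the passwd lines are constructed sample input.

```shell
#!/bin/sh
# Added example; constants and function names are assumptions, not from the thread.
SUBID_BASE=165536   # starts just past the existing root:100000:65536 entry
SUBID_COUNT=65536   # ids per user, same size as the root entry
UID_MIN=1000        # assumed first regular-user uid
UID_MAX=60000       # assumed last regular-user uid

# Constructed passwd-format sample; on a live host use `getent passwd` instead.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/ash
alice:x:1000:1000::/home/alice:/bin/ash
bob:x:1001:1001::/home/bob:/bin/ash
carol:x:1003:1003::/home/carol:/bin/ash
nobody:x:65534:65534:nobody:/:/sbin/nologin
EOF
}

# stdin: passwd lines. stdout: name:start:count for each regular user.
# A user's start depends only on their own uid, so creating or deleting
# other accounts never moves a range that is already assigned.
derive_subid_map() {
    awk -F: -v base="$SUBID_BASE" -v count="$SUBID_COUNT" \
        -v min="$UID_MIN" -v max="$UID_MAX" '
        $3 >= min && $3 <= max {
            printf "%s:%.0f:%d\n", $1, base + ($3 - min) * count, count
        }'
}

# stdin: subuid-format lines. Prints each range that starts before an
# earlier range has ended, and returns non-zero if any such range exists.
check_subid_overlap() {
    sort -t: -k2,2n | awk -F: '
        NR > 1 && $2 < prev_end {
            printf "overlap: %s and %s\n", prev_line, $0
            bad = 1
        }
        $2 + $3 > prev_end { prev_end = $2 + $3; prev_line = $0 }
        END { exit bad + 0 }'
}

# Print the proposed map only; nothing under /etc is modified.
sample_passwd | derive_subid_map
```

The same map is used for both subuid and subgid; run the overlap check on the merged file contents before writing either one.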
Access control for LXD is based on group membership.
The root user and all members of the lxd group can interact with the local daemon.
Anyone with access to the LXD socket can fully control LXD, which includes the ability to attach host devices and file systems.
In contrast, LXC doesn't have a local daemon.
Each user can launch their own unprivileged containers, without being able to access other users' containers.
Comments
Friendly greetings!
I hope everyone gets the servers they want!
I would like to have one thx
Hi @g121!
Best wishes for a Happy New Year!
Since you are new here at LES we can say that your being new helps us celebrate the new in the New Year.
Do you want to share a little about who and where you are and what you want to do on the server?
Thanks!
Tom
@yoursunny Thanks for yet another of your helpful and interesting comments!
Do you see any issue with allowing non-root users to create their own containers? I was thinking of trying to set up LXC so that the containers each had their own IPv4 and IPv6/64.
I haven't tried this yet, but it seems like a wonderful way to use getent and awk to derive user ranges! I would enjoy more context. For example, I took a quick look at the server's getent(1) man page. But that man page provided little historical context.
May I please ask where did you get this idea? Do you have a link to an LXC setup tutorial that discusses this method? I did a quick Google search and didn't find this idea for configuring user ranges.
Thanks again and a very happy new year!
A container created by a non-root user would not have more privileges than that user.
Address assignment is the next step: network bridge and lxc-usernet file.
You can safely run this command line to see its effect.
It only prints the subuid map, but does not modify any files.
These come from subuid manpage.
In my own server I only have one entry lxc:100000:65536 that allows a user named lxc to create containers.
Happy New Year
Happy New Year everyone! I hope you continue to enjoy our time on this server!
I especially thank those who have thanked me for and posted replies to my server setup reports. Some of these have drawn so few thanks and so few comments that I considered no longer posting setup updates and transcripts.
For example, here's a recent update that did not previously get posted:
Man pages update
I was wondering why I couldn't seem to see many man pages on the server. Looking around on Google, I found that, in Alpine, man pages frequently are an additional package with the name $package-doc. I found a neat trick at https://georgegarside.com/blog/technology/alpine-linux-install-all-man-pages/:
apk list -I | sed -rn '/-doc/! s/([a-z-]+[a-z]).*/\1/p' | xargs -tI§ apk add §-doc
This trick seemed to work to install a lot of the man pages which were not installed because I didn't add $package-doc to apk add $package.
I won't post the lengthy output of this command, but I have it if anybody wants to see it.
If you find a man page that still seems missing, please let me know, and I will try to add it. Thanks!
Are people interested in continuing setup update posts?
Thank you, I wish you a happy new year, I am a student from China, I already have two vps, but I haven't used alpine yet, so I want to try it, I will run a web service on it or telegram bot or something
Hi @g121!
Could you please post your ed25519 public key?
May I please ask whether you are a high school student or a university student? Are you studying or do you want to study computer engineering?
Best wishes!
Tom
Maybe I should at least look around a little. . . .
Anybody else want in on LXC? Thanks!
Noted. Thanks for your help!
Hmm, the subuid manpage doesn't seem to be installed on fmt. How did I miss it? What apk package has it?
Why not LXD? It's a lot more usable than plain LXC.
Why not LXC?
It's a lot more efficient than fancy LXD.
An important technical limitation of LXD is the lack of isolation between host machine users authorized to create containers.
From LXD installation:
In contrast, LXC doesn't have a local daemon.
Each user can launch their own unprivileged containers, without being able to access other users' containers.
Accepting submissions for IPv6 less than /64 Hall of Incompetence.
I'd love to Tinkle with lxc..
Hi @localhost!
You are in. But it's not quite ready yet. So please keep watching this thread, and maybe helping me out with the configuration.
May we please go easy on this kind of language here in this thread? Yes, I do appreciate the linguistic humor, maybe "tinker" vs "tinkle." But there are plenty enough other threads for humor. Thanks very much!
Hi! LXD probably is okay. Certainly I have nothing against LXD. I myself haven't got to LXD yet. As of course you know, LXD is built on top of LXC. I imagined it might be a good idea to learn a little about how the LXC foundation worked before moving on to LCD.
Thanks @yoursunny! I appreciate your mentioning efficiency and isolation.
Do we get a fancy LCD screen once we aced the LXC game?
The all seeing eye sees everything...
Redacted. Wrong thread clicked.
Stop the planet! I wish to get off!
I would like to try it.
Count me in. Thanks!
You are in!
I'm interested, can I use this for building APKs?
it will involve abuild and aports;
https://wiki.alpinelinux.org/wiki/Include:Abuild
https://wiki.alpinelinux.org/wiki/Aports_tree
Fuck this 24/7 internet spew of trivia and celebrity bullshit.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIATk14TvQ1rBHNPAIvStuSK6OsHQKn8gXxkYa890+4TP
I am a university student. In fact, I am not learning computer related, but I am very interested in the computer. We learned C. Now I want to learn Python during the holidays
Maybe. But also maybe you are posting in the way you described yourself on your LES profile?
Best wishes!
Hi @g121!
Hope you have fun learning Python! Hope your new account can help you learn!
You should be able to get in via IPv4 or IPv6 with your ssh key using something like:
ssh [email protected] -p 42365
Your account password is in a file in your home directory. Please change your password.
Please let us know if you can login okay!
I am looking forward to seeing your post here in this thread about fun stuff you accomplish on the server. Congrats in advance!
Best!
Tom
unfortunately, yes
May I jump in also @Not_Oles 😁
https://microlxc.net/
None of the subuid subgid settings are actually deployed
Yep! Welcome again, @Fritz!
Apologies @yoursunny! I am keeping the list locally. I haven't yet updated the subuid and subgid files on the server. I assumed I maybe could update the files on the server one time after the list seemed to be complete.
Due to your constant and careful study of everything in all six directions, you caught my laziness.
Guys, almost the last chance for this batch of LXC chicken. The next batch might be awhile. . . . Anybody else wanna jump on the LXC train?
Just got a copy of the bridge setup I have been using elsewhere. 🔜 I hope. Thank you!
Thanks Tom for letting me in. 😘