From 0cac513abee96000182a54b6cff86289053f9bf3 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 11 Jan 2019 06:53:02 +0100 Subject: Updating host-setup documentation for unpriviled containers. Signed-off-by: Daniel Baumann --- share/doc/HOST-SETUP.txt | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/share/doc/HOST-SETUP.txt b/share/doc/HOST-SETUP.txt index 74b7333..8c915ef 100644 --- a/share/doc/HOST-SETUP.txt +++ b/share/doc/HOST-SETUP.txt @@ -180,12 +180,32 @@ iface br100 inet static EOF -4. Enabling container-shell +4. Enabling user namespace for unprivileged containers +------------------------------------------------------ + +Linux supports unprivileged containers with the user namespace. +By default the user namespace is disabled on Debian systems (see #898446). +To enable user namespace, edit the following file for a permant change: + + /etc/sysctl.d/zz-container-tools.conf + sysctl -p + +or enable it manually with: + + echo 1 > /proc/sys/kernel/unprivileged_userns_clone + +Note that containers need to be started with the correct +configuration in /etc/container-tools/config to run unpriviled +(private-users option). + + +5. Enabling container-shell --------------------------- -Managing containers requires root privileges. In order to allow unprivileged -users to manage containers without granting them privileges or accounts, -the container-shell can be used together with sudo and a container user. +Managing privileged containers requires root privileges. In order to allow +unprivileged users to manage privileged containers without granting them +privileges or accounts, the container-shell can be used together with sudo +and a container user. sudo adduser --gecos "container-tools,,," \ --home /var/lib/machines/container-tools \ -- cgit v1.2.3