Is it possible to run unprivileged container without PAM or pam_cgfs.so?


(Jihyun Yoon) #1

I’ve thought that pam_cgfs.so is mandatory to run unprivileged container in order that non-root user could handle cgroup.

According to “https://blog.linuxplumbersconf.org/2016/ocw/system/presentations/3951/original/unprivlxc.pdf”,
PAM seems to be not as crucial.

Delegated cgroup
  pam - not as crucial
  echo "session optional pam_cgfs.so -c freezer,memory,name=systemd" >> /etc/pam.d/common-services

Is it possible to run unprivileged container without PAM or pam_cgfs.so ?

Thanks


(Stéphane Graber) #2

It is possible but you will need to do the cgroup setup that pam_cgfs would normally do by hand as root.

So making sure that whatever shell you run lxc-start as a user from is in a cgroup which is owned by that user.


(Jihyun Yoon) #3

Oh, I see.

You mean that I need to do the next things if I don’t use pam_cgfs.so

for example,

  • mkdir /sys/fs/cgroup/memory/user/USER NAME/0
  • add pid into /sys/fs/cgroup/memory/user/USER NAME/0/tasks

Am I right ?


(Stéphane Graber) #4

Right and also chown the directory and the entries in the directory, especially tasks so that the user itself will be able to add tasks to it.