Jeremy (Jihyun Yoon)
I thought that pam_cgfs.so was mandatory for running an unprivileged container, so that a non-root user could handle cgroups.
According to “https://blog.linuxplumbersconf.org/2016/ocw/system/presentations/3951/original/unprivlxc.pdf”,
PAM does not seem to be as crucial:
Delegated cgroup
pam - not as crucial
echo "session optional pam_cgfs.so -c freezer,memory,name=systemd" >> /etc/pam.d/common-services
Is it possible to run an unprivileged container without PAM or pam_cgfs.so?
Thanks
stgraber (Stéphane Graber)
It is possible, but you will need to do the cgroup setup that pam_cgfs would normally do by hand, as root.
So make sure that whatever shell you run lxc-start from as a user is in a cgroup which is owned by that user.
Jeremy (Jihyun Yoon)
Oh, I see.
You mean that I need to do the following if I don’t use pam_cgfs.so,
for example:
- mkdir /sys/fs/cgroup/memory/user/USER NAME/0
- add the pid to /sys/fs/cgroup/memory/user/USER NAME/0/tasks
- …
Am I right?
stgraber (Stéphane Graber)
Right, and also chown the directory and the entries in the directory, especially tasks,
so that the user itself will be able to add tasks to it.
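The manual procedure described in the replies above (root creates a per-user cgroup in each hierarchy and chowns the directory and its entries, especially tasks; the user then moves the shell that will run lxc-start into it), written out as an added example. This is not code from the thread, from LXC or from pam_cgfs. It assumes cgroup v1 hierarchies mounted under /sys/fs/cgroup (overridable via CGROUP_ROOT), the pam_cgfs-style layout <hierarchy>/user/<user>/0 that the question uses, and hierarchy names given as mount-point directory names (so the name=systemd hierarchy from the PAM line is "systemd"); the function names and the CGROUP_ROOT/HIERARCHIES variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, LXC or pam_cgfs): do by hand what
# pam_cgfs.so would do at login, for cgroup v1.
# Assumptions: hierarchies mounted as $CGROUP_ROOT/<hierarchy>/ and the
# pam_cgfs-style per-user path <hierarchy>/user/<user>/0.

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"
HIERARCHIES="${HIERARCHIES:-freezer memory systemd}"

# Path of the delegated cgroup for user $1 in hierarchy $2.
user_cgroup_path() {
    printf '%s/%s/user/%s/0\n' "$CGROUP_ROOT" "$2" "$1"
}

# Root side: create the cgroup for user $1 in hierarchy $2 and hand it over.
delegate_cgroup() {
    user="$1" hier="$2"
    dir=$(user_cgroup_path "$user" "$hier")
    mkdir -p "$dir" || return 1
    # The directory must belong to the user so that sub-cgroups can be
    # created under it, and every entry in it, above all "tasks", must be
    # owned by the user so that the user can add processes to the cgroup.
    chown "$user" "$dir" || return 1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        chown "$user" "$f" || return 1
    done
}

# Root side: delegate a cgroup for user $1 in every hierarchy listed.
setup_user_cgroups() {
    for h in $HIERARCHIES; do
        delegate_cgroup "$1" "$h" || return 1
    done
}

# User side: move pid $2 (default: the current shell) into the delegated
# cgroups of user $1. Run from the shell that will launch lxc-start; then
# "cat /proc/self/cgroup" should show user/<user>/0 in each hierarchy.
join_user_cgroups() {
    user="$1" pid="${2:-$$}"
    for h in $HIERARCHIES; do
        dir=$(user_cgroup_path "$user" "$h")
        echo "$pid" > "$dir/tasks" || return 1
    done
}

# Entry point: as root, "./delegate_cgroup.sh USERNAME" delegates the cgroups.
# With no argument the script only defines the functions (so it can be sourced
# by the user, who then runs "join_user_cgroups USERNAME" before lxc-start).
if [ -n "${1:-}" ]; then
    setup_user_cgroups "$1"
fi
```

The root step has to be repeated after every reboot (the cgroup filesystem is not persistent), which is exactly the part pam_cgfs automates at session open; the user step must run in the same shell, or a parent of it, that later executes lxc-start, because the container's cgroups are created beneath the cgroup that lxc-start itself is in.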