I would like to run unprivileged containers with nesting capabilities. By unprivileged, I mean not only that the root user of the container will not be the root user of the host system, but also that the user that will execute the lxc-unpriv-start command on the host system is an unprivileged user.
My understanding is that the config file of the containers should contain:
But then apparently only the root user of the host system can execute the lxc-unpriv-start command for such containers.
Is there a way to run unprivileged nested containers? I am not sure about the meaning of generated in the configuration above, but I am OK with generating an apparmor profile as root and then executing lxc-unpriv-start as an unprivileged user.
You may need to add your own policy to /etc/apparmor.d/lxc/.
Though note that most modern container managers will attempt to create and load apparmor policies of their own. The only way to really support that is by using apparmor namespacing which is what we do by default in Incus. But you need root privileges to create an apparmor namespace so you won’t be able to get that part working in your environment.
Now something you could do is just turn off apparmor with lxc.apparmor.profile=unconfined. Since the container is already unprivileged and spawned by an unprivileged user, that shouldn’t really be a problem and may make podman happy.
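An added example, not code from the thread or from the LXC/Incus projects: it writes two constructed container configs (one taking the "unconfined" route suggested above, one on the stock lxc-container-default-cgns profile) and then audits which containers request no AppArmor confinement at all, so the trade-off being discussed stays visible rather than buried in a config file. The idmap range, the directory layout under a temporary directory, and the Debian/Ubuntu include paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): constructed container configs plus a
# small audit of their lxc.apparmor.profile setting.
set -eu

WORK="${TMPDIR:-/tmp}/lxc-apparmor-demo"
mkdir -p "$WORK/nested" "$WORK/plain"

# Constructed config for the "unconfined" route: unprivileged (user namespace
# via lxc.idmap, assumed subuid/subgid range 100000-165535), nesting enabled,
# and AppArmor switched off for this container.
cat > "$WORK/nested/config" <<'EOF'
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.include = /usr/share/lxc/config/nesting.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 1
EOF

# Constructed config for a container that keeps the stock confined profile.
cat > "$WORK/plain/config" <<'EOF'
lxc.include = /usr/share/lxc/config/userns.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.apparmor.profile = lxc-container-default-cgns
EOF

# Print the lxc.apparmor.profile value of one config file; the last
# occurrence wins, and "(default)" is printed when the key is absent
# (LXC then applies its own default profile).
apparmor_profile() {
    # $1 = path to a container config
    v=$(sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf '(default)\n'
    fi
}

# List every container under a directory whose config asks for "unconfined",
# one name per line, so an admin can see which ones run with AppArmor off.
unconfined_containers() {
    # $1 = directory holding <name>/config entries
    for cfg in "$1"/*/config; do
        if [ "$(apparmor_profile "$cfg")" = "unconfined" ]; then
            basename "$(dirname "$cfg")"
        fi
    done
}

unconfined_containers "$WORK"
```

Point the audit function at the real unprivileged container directory (typically ~/.local/share/lxc) to get the same listing for actual containers; the sed pattern only reads the container's own config, so a profile pulled in through an lxc.include file is reported as "(default)".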
Thanks for your advice. I will try to write an ad-hoc apparmor policy and have a look at what Incus does in that respect (it makes me a bit nervous to let the containers apparmor-free).