path: root/community/lxcfs/README.alpine
author: Stuart Cardall <developer@it-offshore.co.uk> 2016-09-13 23:16:58 +0000
committer: Carlo Landmeter <clandmeter@gmail.com> 2016-09-15 20:55:44 +0200
commit: f78de62584abc5348ac3a31d84c4ad3adaf08004
tree: 748f297cde05541882e0a74d09e31ccdd8cf89f7 /community/lxcfs/README.alpine
parent: b078598f2b1a0b60825e4decc2310fec57d2bb16
testing/lxcfs: fix build & move to community
This enables unprivileged lxc containers on the vanilla kernel. Full instructions in README.alpine.
Diffstat (limited to 'community/lxcfs/README.alpine')
-rw-r--r-- community/lxcfs/README.alpine | 31
1 files changed, 31 insertions, 0 deletions
diff --git a/community/lxcfs/README.alpine b/community/lxcfs/README.alpine
new file mode 100644
index 0000000000..a358bab6e4
--- /dev/null
+++ b/community/lxcfs/README.alpine
@@ -0,0 +1,31 @@
+Alpine Linux unprivileged LXC containers
+========================================
+
+At the moment unprivileged containers are only working with linux-vanilla.
+
+They may work with grsecurity in the future with the following disabled:
+
+ echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
+ echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_pivot
+ echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
+
+see also: https://en.wikibooks.org/wiki/Grsecurity/Runtime_Configuration
+-------------------------------------------------------------------------------
+
+Instructions:
+-------------
+
+(a) add the name(s) of the containers to run unprivileged to /etc/conf.d/lxcfs
+(b) rc-service lxcfs setup => converts privileged => unprivileged containers
+ => creates /etc/subuid & /etc/subgid
+(c) rc-service lxcfs start
+(d) rc-update add lxcfs
+(e) rc-service lxcfs info => print & add config file settings to the containers
+
+-------------------------------------------------------------------------------
+
+Start the container & verify processes are running unprivileged:
+
+ps aux | grep 100000
+
+
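Review bot: the verification step at the end of the README, `ps aux | grep 100000`, is a weak check: it matches any line containing "100000" (the grep process itself, VSZ/RSS columns, PIDs), and it hard-codes the first mapped uid rather than the range actually written to /etc/subuid in step (b). Suggest anchoring on the user column and stating where the value comes from, e.g. `ps -eo user,pid,comm | grep '^100000'` with a sentence like "100000 is the start of the range created in /etc/subuid; adjust if yours differs". Two smaller points: the three grsecurity writes (chroot_deny_mount, chroot_deny_pivot, chroot_caps) relax chroot hardening for every process on the host, not just the containers, so the README should say so next to them rather than presenting them as a neutral prerequisite; and step (e) should mention that a container must be restarted after its config is changed for the printed settings to take effect.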