Diffstat (limited to 'community/lxcfs/README.alpine')
-rw-r--r-- | community/lxcfs/README.alpine | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/community/lxcfs/README.alpine b/community/lxcfs/README.alpine new file mode 100644 index 0000000000..a358bab6e4 --- /dev/null +++ b/community/lxcfs/README.alpine @@ -0,0 +1,31 @@ +Alpine Linux unprivileged LXC containers +======================================== + +At the moment unprivileged containers are only working with linux-vanilla. + +They may work with grsecurity in the future with the following disabled: + + echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount + echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_pivot + echo 0 > /proc/sys/kernel/grsecurity/chroot_caps + +see also: https://en.wikibooks.org/wiki/Grsecurity/Runtime_Configuration +------------------------------------------------------------------------------- + +Instructions: +------------- + +(a) add the name(s) of the containers to run unprivileged to /etc/conf.d/lxcfs +(b) rc-service lxcfs setup => converts privileged => unprivileged containers + => creates /etc/subuid & /etc/subgid +(c) rc-service lxcfs start +(d) rc-update add lxcfs +(e) rc-service lxcfs info => print & add config file settings to the containers + +------------------------------------------------------------------------------- + +Start the container & verify processes are running unprivileged: + +ps aux | grep 100000 + + |
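Review bot: The verification step at the end of the README, `ps aux | grep 100000`, is too loose to confirm anything. It matches the grep process itself and any line that happens to contain that digit string, and it assumes a subuid base of 100000 that the README never states. Suggest noting that step (b) writes the id range to /etc/subuid and /etc/subgid, and telling the reader to check that the container's processes are owned by the first id of that range (for example by filtering on the USER column and excluding the grep itself). Two documentation points in the same hunk: the three `echo 0 > /proc/sys/kernel/grsecurity/chroot_*` lines are host-wide sysctls, so the text should say they relax those chroot restrictions for every process on the host and not only for the containers, and since the README only says this "may work ... in the future" it should be marked clearly as not a supported configuration. Step (e) reads "print & add config file settings to the containers", which leaves open whether `rc-service lxcfs info` modifies container config files or only prints lines for the admin to add; please state which.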