Alpine Linux unprivileged LXC containers ======================================== At the moment unprivileged containers are only working with linux-vanilla. They may work with grsecurity in the future with the following disabled: echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_pivot echo 0 > /proc/sys/kernel/grsecurity/chroot_caps see also: https://en.wikibooks.org/wiki/Grsecurity/Runtime_Configuration ------------------------------------------------------------------------------- Instructions: ------------- (a) add the name(s) of the containers to run unprivileged to /etc/conf.d/lxcfs (b) rc-service lxcfs setup => converts privileged => unprivileged containers => creates /etc/subuid & /etc/subgid (c) rc-service lxcfs start (d) rc-update add lxcfs (e) rc-service lxcfs info => print & add config file settings to the containers ------------------------------------------------------------------------------- Start the container & verify processes are running unprivileged: ps aux | grep 100000