On 03/05/2016 11:30 AM, Bogdan wrote:
> Would someone be interested in creating such a backport?

Just for your information: lxc 1:1.1.5-1~bpo8+1 was accepted into jessie-backports today (thanks, backports ftp-masters!) and is already available on the amd64 architecture; the other architectures (such as i386) will need to wait a bit longer to appear (but will soon).

Take note of two things:

1. Creating a container as a normal user (which was your use case for requesting the backport, I believe) needs some manual intervention (also on Stretch, this is not specific to the backport):

   a. You need to explicitly tell the kernel to allow it (it's disabled by default), so set the following sysctl:

          kernel.unprivileged_userns_clone = 1

      (Make it permanent in /etc/sysctl.d.)

   b. You need to make sure that the process starting the LXC container is in a cgroup where the current user can create sub-cgroups for _every_ controller. In Ubuntu their systemd version carries a patch that session scopes have that property by default to support LXC, but that is not the case in Debian, which basically means this still needs to be done manually at the moment. Examples of how to do so can be found in the first response in this stackexchange thread: [1]

   If you follow that, you can in fact create unprivileged containers as a normal user, both on Stretch and also on Jessie with this backport.

2. As per backports policy, we will track the LXC package in Stretch with jessie-backports, and the plan for Stretch is to include LXC 2.0. So be aware that at some point in the future, once LXC 2.0 has been migrated to Stretch, we will also upload a backport of LXC 2.0 to jessie-backports and 1.1 will not be available anymore. Nobody in Debian has plans to support LXC 1.1 after that point. (On the other hand, LXC 2.0 is what's going to make the whole cgroup business much easier to use out of the box.)

Regards,
Christian

[1] http://unix.stackexchange.com/questions/170998/how-to-create-user-cgroups-with-systemd
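A pre-flight check for the two prerequisites named in the message (the sysctl in 1a and a writable cgroup for every controller in 1b), as an added example that is not part of the original mail or of the LXC package. The function names are hypothetical, and the script assumes the cgroup v1 layout with one directory per controller under /sys/fs/cgroup and `name=systemd` mounted as `systemd`.

```shell
#!/bin/sh
# Added example: checks the two prerequisites for unprivileged LXC containers.
# Assumption: cgroup v1, one directory per controller below /sys/fs/cgroup.

# Succeeds only if the sysctl file holds 1. Returns 1 when it holds another
# value and 2 when the knob is absent (kernel without the Debian patch).
userns_clone_enabled() {
    knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$knob" ] || return 2
    [ "$(cat "$knob")" = "1" ]
}

# Prints every controller whose cgroup directory for this process is missing
# or not writable by the current user, i.e. where no sub-cgroup can be made.
# $1: cgroup membership file, $2: cgroup mount root.
unwritable_controllers() {
    cgfile=${1:-/proc/self/cgroup}
    root=${2:-/sys/fs/cgroup}
    # Each line is hierarchy-id:controller-list:cgroup-path
    while IFS=: read -r _id ctrls path; do
        [ -n "$ctrls" ] || continue   # skip the unified (v2) "0::" entry
        first=${ctrls%%,*}            # co-mounted list: use the first name
        first=${first#name=}          # name=systemd -> systemd
        dir="$root/$first$path"
        if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
            echo "$ctrls"
        fi
    done < "$cgfile"
}

# Runs both checks against the live system; non-zero if either one fails.
lxc_unpriv_preflight() {
    rc=0
    userns_clone_enabled ||
        { echo "kernel.unprivileged_userns_clone is not set to 1"; rc=1; }
    bad=$(unwritable_controllers)
    [ -z "$bad" ] || { echo "no writable cgroup for:"; echo "$bad"; rc=1; }
    return $rc
}

# Run the live check only when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then lxc_unpriv_preflight; fi
```

Run it from the same session that will start the container, since the cgroup membership it inspects is that of the calling process.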