Hello Christian,

Appreciate your effort in backporting the new(er) LXC 1.1 to Jessie. Thank you!

Just yesterday I came across a show-stopper with a bugging 1.0.6 so I would have had to
a) Compile a newer LXC myself or
b) Move to Ubuntu

I'll test the backport today.

Thanks again.

On Tue, Mar 29, 2016 at 8:17 PM, Christian Seiler <christian@iwakd.de> wrote:
On 03/05/2016 11:30 AM, Bogdan wrote:
> Would someone be interested in creating such a backport?
Just for your information: lxc 1:1.1.5-1~bpo8+1 was accepted into
jessie-backports today (thanks, backports ftp-masters!) and is
already available on the amd64 architecture, the other architectures
(such as i386) will need to wait a bit longer to appear (but will
soon).
Take note of two things:

1. To create a container as a normal user (which was your use case for
   requesting the backport, I believe) needs some manual intervention
   (also on Stretch, this is not specific to the backport):

   a. You need to explicitly tell the kernel to allow it (it's
      disabled by default), so set the following sysctl:

          kernel.unprivileged_userns_clone = 1

      (Make it permanent in /etc/sysctl.d.)

   b. You need to make sure that the process starting the LXC
      container is in a cgroup where the current user can create
      sub-cgroups for _every_ controller. In Ubuntu their systemd
      version carries a patch that session scopes have that
      property by default to support LXC, but that is not the case
      in Debian, which basically means this still needs to be done
      manually at the moment. Examples of how to do so can be found
      in the first response in this stackexchange thread: [1]

   If you follow that, you can in fact create unprivileged containers
   as a normal user, both on Stretch and also on Jessie with this
   backport.

2. As per backports policy, we will track the LXC package in Stretch
   with jessie-backports, and the plan for Stretch is to include LXC
   2.0. So be aware that at some point in the future, once LXC 2.0 has
   been migrated to Stretch, we will also upload a backport of LXC 2.0
   to jessie-backports and 1.1 will not be available anymore. Nobody in
   Debian has plans to support LXC 1.1 after that point. (On the other
   hand, LXC 2.0 is what's going to make the whole cgroup business much
   easier to use out of the box.)

Regards,
Christian
[1] http://unix.stackexchange.com/questions/170998/how-to-create-user-cgroups-with-systemd
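
The two prerequisites from the message above (the sysctl and a user-writable cgroup in every controller), written as a pre-flight check. This is an added example, not part of the original e-mail or of the LXC packaging; the function names are hypothetical and it assumes the cgroup v1 layout mounted under /sys/fs/cgroup.

```shell
#!/bin/sh
# Added example: pre-flight check for unprivileged LXC on Debian (cgroup v1).
# File locations are parameters so the checks can be run against sample data.

# Return 0 if unprivileged user namespaces are allowed.
# Assumption: the knob is the Debian sysctl named in the message; a missing
# file is treated as "not enabled".
userns_enabled() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print every controller hierarchy in which the calling process's cgroup
# is missing or not writable by the current user (one per line).
# $1: cgroup membership file, lines of the form "id:controllers:path"
# $2: cgroup v1 mount root
blocked_controllers() {
    membership=${1:-/proc/self/cgroup}
    root=${2:-/sys/fs/cgroup}
    while IFS=: read -r _id ctrl path; do
        [ -n "$ctrl" ] || continue        # skip a cgroup v2 "0::/..." entry
        dir="$root/${ctrl#name=}$path"    # "name=systemd" is mounted as "systemd"
        if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
            echo "$ctrl"
        fi
    done < "$membership"
}

# Return 0 only when both conditions hold; otherwise say which one failed.
lxc_unpriv_ready() {
    userns_enabled "$1" || { echo "userns: disabled" >&2; return 1; }
    blocked=$(blocked_controllers "$2" "$3")
    [ -z "$blocked" ] || { echo "cgroup not delegated: $blocked" >&2; return 1; }
}
```

Calling `lxc_unpriv_ready` with no arguments checks the live system for the current user and shell session.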