Discussion: Best practice for unprivileged containers

morph027

First of all, thanks for this feature!

I'm now converting almost all of my containers into unprivileged ones. But as I'm doing some kind of Docker-like separation of code and data on almost all services using a lot of mountpoints, I just felt some need to discuss things ;)

Example:

I have some database containers, some webserver containers, ...

ZFS is providing the datasets for /var/lib/mysql and /var/www, which are then mount-pointed into the containers.

This way, the containers are (like in Docker) just instances of code running on persistent data.

I've tried an unprivileged container, set up the whole id mapping thing and things just worked.

Now the interesting question to me: How do I set up things globally on a machine and the cluster?

Creating mappings for each dataset?
Create just one generic id for all?

Editing /etc/subuid and /etc/subgid is no real challenge using Ansible, Salt, whatever.

Small annoying thing is that you sometimes need the uid/gid before installing things. For example, MariaDB needs the mysql user to have access to /var/lib/mysql. Therefore, I need to create the user in advance, get the uid/gid, set up the id mapping thing and then install MariaDB. Works, but is a bit fiddly.

Ideas and discussion welcome!
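The uid pinning described in the post (create the user first, read its uid/gid, then write the id mapping) as an added example, not code from this thread or from Proxmox: a small Python helper that emits the lxc.idmap lines for the container config plus the matching /etc/subuid and /etc/subgid entries. It assumes the Proxmox default range root:100000:65536 and the lxc.idmap key (older LXC 1.x/2.0 spells it lxc.id_map); the container uid 106 and host uid 1006 in the sample are constructed values.

```python
#!/usr/bin/env python3
"""Build id-map lines for an unprivileged container where a few container
ids (e.g. the mysql user owning a bind-mounted /var/lib/mysql) must map
onto chosen host ids, while every other id keeps the default offset.
Assumption: Proxmox default root:100000:65536 in /etc/subuid and /etc/subgid."""

DEFAULT_BASE = 100000   # host id that container id 0 maps to by default
DEFAULT_COUNT = 65536   # container ids 0..65535 are mapped


def idmap_lines(kind, pins, base=DEFAULT_BASE, count=DEFAULT_COUNT):
    """Config lines for one id type ('u' or 'g').

    pins: {container_id: host_id} that must map 1:1 onto a specific host id.
    The default range is split around each pin so that no host id is mapped
    twice; the lines together still cover all `count` container ids."""
    if kind not in ("u", "g"):
        raise ValueError("kind must be 'u' or 'g'")
    if len(set(pins.values())) != len(pins):
        raise ValueError("two container ids may not share one host id")
    lines, cursor = [], 0
    for cid in sorted(pins):
        hid = pins[cid]
        if not 0 <= cid < count:
            raise ValueError(f"container id {cid} outside 0..{count - 1}")
        if base <= hid < base + count and hid != base + cid:
            raise ValueError(f"host id {hid} collides with the default range")
        if cid > cursor:  # default-mapped block before this pin
            lines.append(f"lxc.idmap: {kind} {cursor} {base + cursor} {cid - cursor}")
        lines.append(f"lxc.idmap: {kind} {cid} {hid} 1")
        cursor = cid + 1
    if cursor < count:    # default-mapped block after the last pin
        lines.append(f"lxc.idmap: {kind} {cursor} {base + cursor} {count - cursor}")
    return lines


def subid_entries(pins, user="root"):
    """/etc/subuid or /etc/subgid lines letting `user` use the pinned host ids."""
    return [f"{user}:{hid}:1" for hid in sorted(set(pins.values()))]


if __name__ == "__main__":
    # Constructed sample: container uid/gid 106 (mysql) must own the host
    # ZFS dataset mounted at /var/lib/mysql, which is owned by host id 1006.
    pins = {106: 1006}
    for kind in ("u", "g"):
        print("\n".join(idmap_lines(kind, pins)))
    print("\n".join(subid_entries(pins)))
```

The printed lxc.idmap lines go into the container's config under /etc/pve/lxc and the root:1006:1 entry into both /etc/subuid and /etc/subgid on every cluster node that may run the container.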

I think for dynamically allocated user IDs you will need to do something like you described - but it should be easily automatable. For static / reserved UIDs (e.g. in Debian Stretch/Sid: http://sources.debian.net/src/base-passwd/3.5.42/README/) you could just set up the mapping statically as well, or am I misunderstanding something?
