Seeming misunderstanding about unprivileged containers

[assarbad]

Hi,

unprivileged containers may be started by root, so you can make full use of all abilities root has to manipulate the host system prior to a start; and best of all you can auto-start your containers.

Unprivileged in this context does not mean that it gets started by an unprivileged user. It may, of course. But that's just one use case here. Unprivileged means that the LXC guest makes use of userns. That is, the user on the host has been assigned a range of subordinate user (and group) IDs and assigns all or part of that range to the container. This then maps the start of said assigned range as UID 0 (inside) through whatever the range was. On the host you will see processes run inside the container with numeric user IDs that fall into that range. That's all there is about unprivileged containers.

And as you can imagine, the subordinate UIDs have no special privileges on the host and are therefore unprivileged.

You can find more information in this answer on unix.stackexchange.com.

Hope this helps.

Btw: do you accept pull requests?

[strycore]

Thanks for the clarification, I haven't used unprivileged containers for other purposes than testing and I haven't even touched this repository in a long long time :)

I should probably go back and update everything with LXD in mind (where unprivileged containers seem to be the norm).

Oh, btw, I'd love to have pull requests (and it would probably motivate me to continue writing this book)