Talk:LXC

Unprivileged containers section confusing
The section about unprivileged containers is confusing: the author creates an "lxc" user and adds subuids/subgids for that user, but in fact it seems he is creating/starting the container from a root prompt...

If there is no need to give a user permission to create/start containers, you don't need to create any lxc user in order to create/start an unprivileged container.

All you need to do is create subuids/subgids for the root user, add lxc.id_map parameters to the container's config and create/start the container as root.

Moreover, using subuids/subgids 100000-165536 didn't work on my hardened box, but 10000-65536 did. — The preceding unsigned comment was added by Skunk (talk • contribs) 22 February 2016‎


 * Answer - right. With the latest edit this issue is fixed. — The preceding unsigned comment was added by Feniksa (talk • contribs) September 12, 2016‎

Is "MAJOR temporary problems with LXC" section still needed?
From what I understand from the linked page, user namespaces are now fully implemented and unprivileged containers are now safe. Couldn't we replace this section with a short description of privileged and unprivileged containers?

Vdupras (talk) 15:27, 8 December 2017 (UTC)


 * Answer - I renamed it to something less scary and got rid of the obsolete links. Rage (talk) 01:20, 15 June 2018 (UTC)

cgmanager deprecated
The cgmanager has become deprecated (see https://github.com/lxc/cgmanager). It is also no longer working with current systemd builds: https://github.com/lxc/cgmanager/issues/32 https://github.com/lxc/lxc/issues/1554 As a workaround, the use of the pam module which ships with LXCFS is suggested, but it looks like this does not work with the current ebuilds of Gentoo.

Text is too long and should be splitted
The first statement is all that is necessary (I mean from the first paragraph). All other feature comparisons should be moved to the end of the article, as links to separate pages. The reader of this article wants to know what to merge, how to check the kernel readiness, and how to configure unprivileged containers. Even the distribution server is not important, because a Gentoo user will not trust third-party binaries (and its description can be moved to a separate page).

Einstok Fair (talk) 10:02, 1 June 2021 (UTC)

Several containers in parallel
If one wants several containers with different subranges, should she create several users (lxc1, lxc2 and so on)?

Einstok Fair (talk) 10:02, 1 June 2021 (UTC)

It is possible to create another container from same user (for example, lxc).

See the lxc-create and lxc-start -n container_name commands.
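The two threads above ("Unprivileged containers section confusing" and "Several containers in parallel") both come down to the same mechanics: an owner's allocation in /etc/subuid and /etc/subgid has to be turned into lxc.id_map lines in the container config, and if several containers are to use different subranges the one allocation can be sliced instead of creating extra users. The script below is an added example by the editor, not code from the wiki page or from the LXC project. It assumes the LXC 1.x/2.x key lxc.id_map (LXC 3.0 and later spell it lxc.idmap), and the subuid/subgid files it reads are constructed in a temporary directory so nothing on the host is touched:

```shell
#!/bin/sh
# Added example (editor's own, not from the wiki page or the LXC project).
# Turns a user's subuid/subgid allocation into lxc.id_map lines for an
# unprivileged container and carves one allocation into disjoint
# 65536-id slices so that several containers owned by the same user
# do not share host uids.
# Assumption: LXC 1.x/2.x config key lxc.id_map (LXC >= 3.0: lxc.idmap).
set -eu

# Constructed sample files in the /etc/subuid and /etc/subgid layout
# ("user:start:count"): root owns 131072 ids from 100000, lxc 65536 from 300000.
SUBUID_FILE=$(mktemp)
SUBGID_FILE=$(mktemp)
printf 'root:100000:131072\nlxc:300000:65536\n' > "$SUBUID_FILE"
printf 'root:100000:131072\nlxc:300000:65536\n' > "$SUBGID_FILE"

# subrange USER FILE -> prints "start count" for USER's first entry in FILE;
# returns 1 when USER has no allocation there.
subrange() {
    awk -F: -v u="$1" \
        '$1 == u { print $2, $3; found = 1; exit } END { exit !found }' "$2"
}

# slice_start START COUNT SLICE -> host id where 0-based slice SLICE begins.
# A container needs 65536 ids (uid 0..65535 inside it); refuse a slice that
# would run past the end of the allocation.
slice_start() {
    _start=$1; _count=$2; _slice=$3
    _need=$(( (_slice + 1) * 65536 ))
    if [ "$_need" -gt "$_count" ]; then
        echo "slice $_slice needs $_need ids but only $_count are allocated" >&2
        return 1
    fi
    echo $(( _start + _slice * 65536 ))
}

# idmap_lines USER [SLICE] -> the two lxc.id_map lines for container number
# SLICE (default 0) owned by USER. Container root (uid 0 inside) lands on an
# unprivileged host uid; distinct slices keep containers' uids disjoint.
idmap_lines() {
    _user=$1; _slice=${2:-0}
    _r=$(subrange "$_user" "$SUBUID_FILE") || return 1
    set -- $_r
    _ustart=$(slice_start "$1" "$2" "$_slice") || return 1
    _r=$(subrange "$_user" "$SUBGID_FILE") || return 1
    set -- $_r
    _gstart=$(slice_start "$1" "$2" "$_slice") || return 1
    printf 'lxc.id_map = u 0 %s 65536\nlxc.id_map = g 0 %s 65536\n' \
        "$_ustart" "$_gstart"
}

# Demo: config fragments for two containers owned by root. On a real host
# these lines go into each container's config (e.g. /var/lib/lxc/NAME/config)
# before lxc-create / lxc-start are run as the owning user.
for n in 0 1; do
    echo "# container $n"
    idmap_lines root "$n"
done
```

With the sample allocation, container 0 maps to 100000 and container 1 to 165536; asking for container 2 fails because root's 131072 ids only cover two slices, which is the check to run before handing a second container the same user's range. The mapping lines are the same whether the owner is root (as the first thread describes) or a dedicated lxc user: what matters is that the owner's /etc/subuid and /etc/subgid entries exist and that the range in the config stays inside them.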

Isolating desktop GUI applications
Is it possible to connect a container to the host's graphical server (xorg-server)? What should be done with the magic cookies?

Einstok Fair (talk)

How unprivileged containers should be started from systemd?
lxc@guestname.service can take guestname as the parameter, but where and how do you tell it that the container should be started as a specific user?

In other words, how do you configure systemd's lxc@guestname.service for an unprivileged container (to start as a specific user instead of root)?

Einstok Fair (talk) 04:20, 7 June 2021 (UTC)