Multiple virtual servers (LXC containers) possible?

For all of you who want to use unprivileged LXC containers (with TurrisOS or plain OpenWrt/LEDE), I got kind of a howto (not a beginner's guide, that one is located here), and I hope the devs will pick it up and integrate this into TurrisOS.

Basically it boils down to:

  1. apply this patch to the packages feed, select and install shadow-newgidmap and shadow-newuidmap

  2. add appropriate values to the /etc/subgid and /etc/subuid files

  3. applying this patch (quick and dirty, sry ;)) to an OpenWrt build root will enable you to build and install uidmapshift, a utility to shift the uid:gid of an existing container

  4. the last issue gave me a headache for some time, until I dug it up in the kernel sources: procd mounts proc and sys with the noatime flag (which is quite unusual, at least I never saw that on another distro), and if lxc mounts proc and sys into another namespace, noatime needs to be set there, too, at least if it's not mounted as root (which is the case for unprivileged containers, of course)
    long story short: starting an unprivileged container will fail on OpenWrt/LEDE, unless you add "noatime" to the proc+sys mount options in your container's config… or… imo the better way (because you can stick to default configs, like "proc:mixed" and such) -> use this patch to change procd's mount flags for proc+sys to "relatime", which actually works

That's it :slight_smile:

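The host-side parts of steps 2 and 4 above (subuid/subgid entries, the noatime check on the host's proc mount, and a container config that carries noatime through), as an added shell example that is not the poster's own scripts or patches; the linked patches, uidmapshift and the procd relatime change are not reproduced. It assumes LXC 2.1-style config keys (lxc.idmap, lxc.mount.entry, lxc.mount.auto) and a constructed subordinate range of 100000:65536 for root; file paths are parameters so it can be exercised against a scratch directory instead of the live /etc.

```shell
#!/bin/sh
# Added example, not the forum author's code. Prepares the host-side pieces for
# an unprivileged LXC container on OpenWrt/LEDE/TurrisOS.
# Assumptions: LXC >= 2.1 config keys; the range root:100000:65536 is constructed.
set -eu

# Append "user:start:count" to a subuid/subgid-style file ($1) unless that exact
# line is already present, so re-running the script never duplicates ranges.
add_subid_range() {
    file=$1; user=$2; start=$3; count=$4
    mkdir -p "$(dirname "$file")"
    touch "$file"
    grep -Fqx "$user:$start:$count" "$file" 2>/dev/null ||
        printf '%s:%s:%s\n' "$user" "$start" "$count" >> "$file"
}

# Return 0 if the setuid helpers from shadow-newuidmap / shadow-newgidmap are in
# directory $1 with the setuid bit; without it lxc-start cannot write the
# uid_map/gid_map of the new user namespace for an unprivileged container.
newidmap_helpers_ok() {
    [ -u "$1/newuidmap" ] && [ -u "$1/newgidmap" ]
}

# Return 0 if the /proc entry in a /proc/mounts-style file ($1) carries noatime,
# i.e. the host is in the procd situation described in the post (pass
# /proc/mounts on a live router).
proc_mounted_noatime() {
    awk '$2 == "/proc" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noatime") hit = 1 }
         END { if (hit) exit 0; exit 1 }' "$1"
}

# Write a minimal unprivileged container config ($1): id maps for uid and gid,
# explicit proc/sys mount entries (so proc:mixed / sys:mixed are left out of
# lxc.mount.auto, which would otherwise mount them without noatime), and the
# noatime option added only when the host's proc mount ($4) has it.
write_unpriv_config() {
    cfg=$1; start=$2; count=$3; mounts=$4
    extra=""
    if proc_mounted_noatime "$mounts"; then extra=",noatime"; fi
    mkdir -p "$(dirname "$cfg")"
    {
        printf 'lxc.idmap = u 0 %s %s\n' "$start" "$count"
        printf 'lxc.idmap = g 0 %s %s\n' "$start" "$count"
        printf 'lxc.mount.auto = cgroup:mixed\n'
        printf 'lxc.mount.entry = proc proc proc nodev,noexec,nosuid%s 0 0\n' "$extra"
        printf 'lxc.mount.entry = sysfs sys sysfs nodev,noexec,nosuid%s 0 0\n' "$extra"
    } > "$cfg"
}

# Stand-alone demo against a scratch directory (never the live /etc).
scratch=$(mktemp -d)
add_subid_range "$scratch/etc/subuid" root 100000 65536
add_subid_range "$scratch/etc/subgid" root 100000 65536
# Constructed /proc/mounts line reproducing procd's noatime mount of proc.
printf 'proc /proc proc rw,nosuid,nodev,noexec,noatime 0 0\n' > "$scratch/mounts"
write_unpriv_config "$scratch/lxc/demo/config" 100000 65536 "$scratch/mounts"
cat "$scratch/etc/subuid" "$scratch/lxc/demo/config"
```

On a router you would call add_subid_range with /etc/subuid and /etc/subgid, pass /proc/mounts to write_unpriv_config, and check newidmap_helpers_ok against the directory where opkg installed newuidmap and newgidmap. If procd has been patched to mount proc and sys with relatime, proc_mounted_noatime fails and the generated entries drop the noatime option again, so the same script works on both kinds of host.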