I am writing a binary that will run inside LXC containers. I control the source code of the binary but not the contents of the containers it will run in. In particular, I do not want to pollute the containers by writing my binary into them.

Is there any way I can run a binary stored on the host, but within the execution context (namespaces, chroot, dropped capabilities, etc.) of the container?


Solution

You can make your program setns(2) (into some, but not all, namespaces), chroot and then drop capabilities.

You can also attain something similar with dived (not actually chrooted, but having access to the container's chroot).

You can run a [statically linked] dived inside a container (with the appropriate options, for example, --client-chroot --root-to-current), listening on a UNIX socket on some part of the filesystem that is visible both in the container and on the host; and run dive to ask that dived to start your non-statically-linked program in the container's namespace. The root filesystem will stay the same as your host's (so your program can find libraries), and the container's root filesystem will be set as the current directory.
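Putting the accepted answer's three steps (setns, chroot, drop capabilities) together, here is an added example of a small helper that runs a host-side binary inside a running container's namespaces. It is not code from the answerer or from dived, and the helper names, the namespace list and the join order are this example's own choices. It assumes it is run as root on the host, given the PID of the container's init process as seen from the host (for example from lxc-info -p) and the path of the host binary to run, and that the helper itself is built statically (gcc -static) so it still works after the host's libraries disappear from view. It also shows two caveats the answer only hints at: the PID namespace is entered only by children created after setns, so the program forks, and after joining the mount namespace /proc and the host filesystem are gone, so every fd it needs (the ns files and the binary itself, later run with fexecve) is opened beforehand.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

extern char **environ;

/* Map a /proc/<pid>/ns/ entry name to the CLONE_* flag setns(2) checks it
 * against; -1 for names this example does not handle (user, cgroup, ...). */
int ns_flag(const char *name) {
    if (strcmp(name, "mnt") == 0) return CLONE_NEWNS;
    if (strcmp(name, "uts") == 0) return CLONE_NEWUTS;
    if (strcmp(name, "ipc") == 0) return CLONE_NEWIPC;
    if (strcmp(name, "net") == 0) return CLONE_NEWNET;
    if (strcmp(name, "pid") == 0) return CLONE_NEWPID;
    return -1;
}

/* Write "/proc/<pid>/ns/<name>" into buf; -1 on unknown name or truncation. */
int ns_path(pid_t pid, const char *name, char *buf, size_t len) {
    if (ns_flag(name) < 0) return -1;
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Join the named namespaces of `pid` in the given order. All ns files are
 * opened before the first setns(): once inside the target's mount namespace,
 * /proc (if mounted at all) is the container's and host PIDs do not resolve.
 * "pid" only takes effect for children, so the caller must fork afterwards.
 * Returns 0, or -1 with errno from the failing call. */
int join_namespaces(pid_t pid, const char *const *names, size_t count) {
    int fds[8], rc = -1, saved = EINVAL;
    size_t opened = 0;
    if (count > sizeof fds / sizeof fds[0]) { errno = E2BIG; return -1; }
    for (; opened < count; opened++) {
        char path[64];
        if (ns_path(pid, names[opened], path, sizeof path) < 0) goto out;
        fds[opened] = open(path, O_RDONLY | O_CLOEXEC);
        if (fds[opened] < 0) { saved = errno; goto out; }
    }
    for (size_t i = 0; i < count; i++)
        if (setns(fds[i], ns_flag(names[i])) < 0) { saved = errno; goto out; }
    rc = 0;
out:
    for (size_t i = 0; i < opened; i++) close(fds[i]);
    if (rc < 0) errno = saved;
    return rc;
}

/* Clear the bounding set and all three capability sets, then forbid regaining
 * privilege through setuid bits or file capabilities on the target binary. */
int drop_all_capabilities(void) {
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0 && errno != EINVAL)
            return -1;  /* EINVAL: headers know a cap the running kernel lacks */
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s <container-init-pid> <host-binary> [args...]\n", argv[0]);
        return 2;
    }
    pid_t target = (pid_t)strtol(argv[1], NULL, 10);
    /* Open the host binary while the host filesystem is still visible; the fd
     * survives the namespace switch and fexecve() runs it without copying it
     * into the container. A static binary avoids the container's loader. */
    int exe = open(argv[2], O_RDONLY | O_CLOEXEC);
    if (exe < 0) { perror(argv[2]); return 1; }
    static const char *const ns[] = { "uts", "ipc", "net", "pid", "mnt" };
    if (join_namespaces(target, ns, sizeof ns / sizeof ns[0]) < 0) { perror("setns"); return 1; }
    /* Joining the mount namespace re-rooted us at the container's rootfs (the
     * chroot step of the answer); chdir so the target gets a sane cwd too. */
    if (chdir("/") < 0) { perror("chdir"); return 1; }
    pid_t child = fork();  /* only this child is inside the container's pid ns */
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        if (drop_all_capabilities() < 0) { perror("capset"); _exit(1); }
        fexecve(exe, argv + 2, environ);
        perror("fexecve");
        _exit(127);
    }
    int status = 0;
    waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Build it with gcc -static -O2 -o nsrun nsrun.c and run it as root, e.g. nsrun "$(lxc-info -n mycontainer -p | awk '{print $2}')" /opt/tools/mybinary (container name and path are placeholders). The user namespace is deliberately not joined: for an unprivileged container you would open its /proc/<pid>/ns/user too and setns into it first, and the capability drop would then apply inside that user namespace. Dropping every capability is the strict reading of the answer; if the binary needs some, clear only the others in drop_all_capabilities.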

Other tips

I don't think this is possible. What you can do though is mount a shared folder between your container and your host (using bind mount). Then, you can launch the binary (which is now part of your container FS) using chroot, for example:

sudo chroot <container_rootfs> /bin/bash -c 'cd <your shared folder>; ./<your_binary>'

You can install and apply upgrades to your program on the host, then use an lxc container described in this answer

Costs next to nothing in performance or disk space

I think you can export a Samba share from the host to the container. You just put your stuff in the Samba share folder and do not pollute the container.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow