<p dir="ltr">> I have a user 'jenkins' in a host, which is able to create<br>
> and start this unprivileged container whose config is:<br>
><br>
> # Distribution configuration<br>
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf<br>
> lxc.include = /usr/share/lxc/config/ubuntu.userns.conf<br>
> lxc.arch = x86_64<br>
><br>
> lxc.mount.auto = cgroup<br>
> lxc.aa_profile = lxc-container-default-with-nesting<br>
><br>
> # Container specific configuration<br>
> lxc.id_map = u 0 100000 65536<br>
> lxc.id_map = u 100000 165536 65536<br>
> lxc.id_map = g 0 100000 65536<br>
> lxc.id_map = g 100000 165536 65536<br>
> lxc.rootfs = /home/jenkins/.local/share/lxc/jenkins/rootfs<br>
> lxc.utsname = jenkins<br>
><br>
> # Network configuration<br>
> lxc.network.type = veth<br>
> lxc.network.flags = up<br>
> lxc.network.link = lxcbr0<br>
> lxc.network.hwaddr = 00:16:3e:17:02:1a<br>
><br>
><br>
> The idea is to use the ids in the host 165536-231072 for an unprivileged<br>
> inside the unprivileged container above.<br>
><br>
> Another user (also called jenkins) in the container jenkins is able to create<br>
> unprivileged (nested) containers as expected, but is not able to start them.<br>
> The log says:<br>
><br>
> lxc-start 1457449899.746 INFO lxc_start_ui - lxc_start.c:main:264 - using rcfile /var/lib/jenkins/.local/share/lxc/test/config<br>
> lxc-start 1457449899.746 INFO lxc_confile - confile.c:config_idmap:1378 - read uid map: type u nsid 0 hostid 100000 range 65536<br>
> lxc-start 1457449899.746 INFO lxc_confile - confile.c:config_idmap:1378 - read uid map: type g nsid 0 hostid 100000 range 65536<br>
> lxc-start 1457449899.746 WARN lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized<br>
> lxc-start 1457449899.748 WARN lxc_cgmanager - cgmanager.c:cgm_get:985 - do_cgm_get exited with error<br>
> lxc-start 1457449899.748 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor<br>
> lxc-start 1457449899.748 INFO lxc_seccomp - seccomp.c:use_seccomp:531 - Already seccomp-confined, not loading new policy<br>
> lxc-start 1457449899.748 DEBUG lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/5' (5/6)<br>
> lxc-start 1457449899.748 DEBUG lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/6' (7/8)<br>
> lxc-start 1457449899.748 DEBUG lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/7' (9/10)<br>
> lxc-start 1457449899.748 DEBUG lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/8' (11/12)<br>
> lxc-start 1457449899.748 INFO lxc_conf - conf.c:lxc_create_tty:3802 - tty's configured<br>
> lxc-start 1457449899.748 DEBUG lxc_start - start.c:setup_signal_fd:263 - sigchild handler set<br>
> lxc-start 1457449899.748 DEBUG lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer<br>
> lxc-start 1457449899.748 DEBUG lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console<br>
> lxc-start 1457449899.748 DEBUG lxc_console - console.c:lxc_console_sigwinch_init:179 - 10902 got SIGWINCH fd 17<br>
> lxc-start 1457449899.748 DEBUG lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:14 cols:382 rows:92<br>
> lxc-start 1457449899.931 INFO lxc_start - start.c:lxc_init:463 - 'test' is initialized<br>
> lxc-start 1457449899.931 DEBUG lxc_start - start.c:__lxc_start:1099 - Not dropping cap_sys_boot or watching utmp<br>
> lxc-start 1457449899.931 INFO lxc_start - start.c:lxc_spawn:832 - Cloning a new user namespace<br>
> lxc-start 1457449899.931 INFO lxc_cgroup - cgroup.c:cgroup_init:62 - cgroup driver cgmanager initing for test<br>
> lxc-start 1457449899.932 ERROR lxc_cgmanager - cgmanager.c:lxc_cgmanager_create:301 - call to cgmanager_create_sync failed: invalid request<br>
> lxc-start 1457449899.932 ERROR lxc_cgmanager - cgmanager.c:lxc_cgmanager_create:303 - Failed to create hugetlb:lxc/test<br>
> lxc-start 1457449899.932 ERROR lxc_cgmanager - cgmanager.c:cgm_create:650 - Error creating cgroup hugetlb:lxc/test<br>
> lxc-start 1457449899.933 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: hugetlb:lxc/test did not exist<br>
> lxc-start 1457449899.933 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: net_prio:lxc/test did not exist<br>
> lxc-start 1457449899.933 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: perf_event:lxc/test did not exist<br>
> lxc-start 1457449899.934 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: net_cls:lxc/test did not exist<br>
> lxc-start 1457449899.934 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: freezer:lxc/test did not exist<br>
> lxc-start 1457449899.934 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: devices:lxc/test did not exist<br>
> lxc-start 1457449899.934 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: memory:lxc/test did not exist<br>
> lxc-start 1457449899.934 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: blkio:lxc/test did not exist<br>
> lxc-start 1457449899.934 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpuacct:lxc/test did not exist<br>
> lxc-start 1457449899.935 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpu:lxc/test did not exist<br>
> lxc-start 1457449899.935 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpuset:lxc/test did not exist<br>
> lxc-start 1457449899.935 INFO lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: name=systemd:lxc/test did not exist<br>
> lxc-start 1457449899.935 ERROR lxc_start - start.c:lxc_spawn:891 - failed creating cgroups<br>
> lxc-start 1457449899.935 ERROR lxc_start - start.c:__lxc_start:1121 - failed to spawn 'test'<br>
> lxc-start 1457449899.935 ERROR lxc_start_ui - lxc_start.c:main:341 - The container failed to start.<br>
> lxc-start 1457449899.935 ERROR lxc_start_ui - lxc_start.c:main:345 - Additional information can be obtained by setting the --logfile and --logpriority options.<br>
><br>
> In the container jenkins as user jenkins, cat /proc/self/cgroup returns:<br>
><br>
> 12:hugetlb:/user/1009.user/2.session/lxc/jenkins<br>
> 11:net_prio:/user/1009.user/2.session/lxc/jenkins<br>
> 10:perf_event:/user/1009.user/2.session/lxc/jenkins<br>
> 9:net_cls:/user/1009.user/2.session/lxc/jenkins<br>
> 8:freezer:/user/1009.user/2.session/lxc/jenkins<br>
> 7:devices:/user/1009.user/2.session/lxc/jenkins<br>
> 6:memory:/user/1009.user/2.session/lxc/jenkins<br>
> 5:blkio:/user/1009.user/2.session/lxc/jenkins<br>
> 4:cpuacct:/user/1009.user/2.session/lxc/jenkins<br>
> 3:cpu:/user/1009.user/2.session/lxc/jenkins<br>
> 2:cpuset:/user/1009.user/2.session/lxc/jenkins<br>
> 1:name=systemd:/user/1009.user/2.session/lxc/jenkins/user/1009.user/2.session/lxc/jenkins/user/106.user/c6.session<br>
><br>
> How can I fix it?<br>
</p>
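<p dir="ltr">The post above layers two id maps: the outer container maps its ids 0-65535 and 100000-165535 onto host ids 100000-165535 and 165536-231071, and the nested container (per its log, "type u nsid 0 hostid 100000 range 65536") maps its own 0-65535 onto the outer container's 100000-165535. Whether the nested root really lands in the intended host range, and whether every hostid range is one the host granted to the jenkins user in /etc/subuid, is easy to get wrong by hand. The following is an added example, not code from the post or from LXC: it parses lxc.id_map lines, composes the two maps, and reports ranges that are unmapped or outside the subordinate-id allocation. The two configs are taken from the post; the /etc/subuid line is constructed for illustration.</p>

```python
"""Compose nested LXC id maps and check them against /etc/subuid.

Added example, not from the original mailing-list post. The outer and
inner lxc.id_map entries are the ones quoted in the post; SUBUID_TEXT is
a constructed /etc/subuid line used only to show the check.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdMap:
    kind: str     # "u" for uids, "g" for gids
    nsid: int     # first id as seen inside the container
    hostid: int   # first id as seen one level up (host or outer container)
    count: int    # number of ids in the range

    @property
    def ns_end(self) -> int:    # exclusive upper bound inside the container
        return self.nsid + self.count

    @property
    def host_end(self) -> int:  # exclusive upper bound one level up
        return self.hostid + self.count


def parse_id_maps(config: str) -> List[IdMap]:
    """Extract lxc.id_map entries from LXC config text; comments are ignored."""
    maps = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("lxc.id_map"):
            continue
        kind, nsid, hostid, count = line.split("=", 1)[1].split()
        maps.append(IdMap(kind, int(nsid), int(hostid), int(count)))
    return maps


def translate(maps: List[IdMap], kind: str, nsid: int) -> Optional[int]:
    """Map a container-side id one level up; None means it is unmapped
    (the kernel then shows it as the overflow id, normally 65534/nobody)."""
    for m in maps:
        if m.kind == kind and m.nsid <= nsid < m.ns_end:
            return m.hostid + (nsid - m.nsid)
    return None


def compose(outer: List[IdMap], inner: List[IdMap], kind: str, nsid: int) -> Optional[int]:
    """Nested-container id -> outer-container id -> host id."""
    mid = translate(inner, kind, nsid)
    return None if mid is None else translate(outer, kind, mid)


def uncovered_inner_ranges(outer: List[IdMap], inner: List[IdMap], kind: str) -> List[Tuple[int, int]]:
    """Inner hostid ranges that no single outer map fully provides,
    as (start, end_exclusive) pairs in the outer container's id space."""
    bad = []
    for im in inner:
        if im.kind != kind:
            continue
        covered = any(om.kind == kind and om.nsid <= im.hostid and im.host_end <= om.ns_end
                      for om in outer)
        if not covered:
            bad.append((im.hostid, im.host_end))
    return bad


def parse_subids(text: str, user: str) -> List[Tuple[int, int]]:
    """Parse /etc/subuid or /etc/subgid ('user:start:count') for one user."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            start, count = int(parts[1]), int(parts[2])
            ranges.append((start, start + count))
    return ranges


def unauthorized_host_ranges(maps: List[IdMap], subids: List[Tuple[int, int]], kind: str) -> List[Tuple[int, int]]:
    """Host-side ranges of the outer map that the user's subordinate ids do not cover.
    Anything reported here would let container ids alias real host accounts."""
    bad = []
    for m in maps:
        if m.kind == kind:
            if not any(s <= m.hostid and m.host_end <= e for s, e in subids):
                bad.append((m.hostid, m.host_end))
    return bad


# Outer container config, as quoted in the post.
OUTER_CONFIG = """
lxc.id_map = u 0 100000 65536
lxc.id_map = u 100000 165536 65536
lxc.id_map = g 0 100000 65536
lxc.id_map = g 100000 165536 65536
"""
# Nested container map, as reported in the post's lxc-start log.
INNER_CONFIG = """
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""
# Constructed /etc/subuid line (not from the post): 131072 ids from 100000.
SUBUID_TEXT = "jenkins:100000:131072\n"

OUTER_MAPS = parse_id_maps(OUTER_CONFIG)
INNER_MAPS = parse_id_maps(INNER_CONFIG)

if __name__ == "__main__":
    for nsid in (0, 1000, 65535, 65536):
        print(f"nested uid {nsid:>6} -> host uid {compose(OUTER_MAPS, INNER_MAPS, 'u', nsid)}")
    print("inner ranges not covered by outer map:", uncovered_inner_ranges(OUTER_MAPS, INNER_MAPS, "u"))
    subids = parse_subids(SUBUID_TEXT, "jenkins")
    print("outer ranges outside jenkins' subuids:", unauthorized_host_ranges(OUTER_MAPS, subids, "u"))
```

<p dir="ltr">With the post's maps, nested uid 0 composes to host uid 165536 and nested uid 65535 to 231071, matching the 165536-231072 range the poster intended; nested uid 65536 is unmapped. Shrinking the constructed subuid allocation to 65536 ids makes the second outer range (165536-231071) show up as unauthorized, which is the case lxc-start would refuse at the host level.</p>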