[lxc-devel] Howto user namespaces?
richard -rw- weinberger
richard.weinberger at gmail.com
Tue Apr 9 11:33:33 UTC 2013
On Tue, Apr 9, 2013 at 9:58 AM, richard -rw- weinberger
<richard.weinberger at gmail.com> wrote:
> On Tue, Apr 9, 2013 at 5:28 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
>>> Am I missing something obvious?
>>
>> lxc-create does not yet convert the rootfs to the mapped uids, so you
>> need to do that manually using uidmapshift. Check the
>> container-userns-convert script at
>> https://code.launchpad.net/~serge-hallyn/+junk/nsexec or in the nsexec
>> package at ppa:serge-hallyn/userns-natty.
>
> Hmm, I've fixed the uids already by hand.
> Today I've created a new container and used container-userns-convert
> but with the same results.
>
> What I find very strange is that your script does:
> lxc.id_map = U ${uid} 0 $range
> lxc.id_map = G ${uid} 0 $range
> uid is 100000, range is 10000.
>
> But the lxc docs say:
> Four values must be provided. First a character, either
> 'u', or 'g', to specify whether user or group ids are
> being mapped. Next is the first userid as seen in the
> user namespace of the container. Next is the userid as
> seen on the host. Finally, a range indicating the number
> of consecutive ids to map.
>
> So, this would make more sense: lxc.id_map = u 0 100000 10000
>
> Anyways, mount of tmpfs fails with ENOPERM, is there any debugging
> mechanism to find out why it is failing?
> According to strace some bind mounts before the tmpfs work perfectly fine.
BTW: I found out that tmpfs is not supported within user namespaces...
Anyways, now lxc-start dies here:
lxc-start: Operation not permitted - failed to set mode '020644' to '/dev/pts/1'
which is:
chmod("/dev/pts/1", 020644) = -1 EPERM (Operation not permitted)
Shouldn't this be /usr/lib64/lxc/rootfs/dev/pts/1?!
--
Thanks,
//richard
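[Added example, not part of the thread or the lxc project: a small parser for lxc.id_map lines that resolves ids in the order the lxc docs give, "<u|g> <first id in container> <first id on host> <range>", so the two orderings discussed above can be compared side by side. The two config snippets are constructed from the lines quoted in the mail; folding the script's uppercase U/G to lowercase is an assumption of this example, not something the docs state. The same container_to_host lookup is what a rootfs conversion needs: a file owned by uid 33 in the image has to be chowned to whatever host id uid 33 maps to.]

```python
# Example code added to this archive page; not from lxc or the mail's author.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdMap:
    kind: str         # "u" or "g"
    ns_start: int     # first id as seen inside the container's user namespace
    host_start: int   # first id as seen on the host
    count: int        # number of consecutive ids mapped


def parse_id_map(lines: List[str]) -> List[IdMap]:
    """Parse 'lxc.id_map = u 0 100000 10000' style lines.

    Assumption (this example, not the docs): 'U'/'G' as written by the
    container-userns-convert script are accepted as 'u'/'g'.
    """
    maps = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0].lower() not in ("u", "g"):
            raise ValueError(f"malformed id_map line: {line!r}")
        ns_start, host_start, count = (int(f) for f in fields[1:])
        if count <= 0 or ns_start < 0 or host_start < 0:
            raise ValueError(f"invalid id range in: {line!r}")
        maps.append(IdMap(fields[0].lower(), ns_start, host_start, count))
    return maps


def container_to_host(maps: List[IdMap], kind: str, ns_id: int) -> Optional[int]:
    """Host id for an id seen inside the container; None if unmapped."""
    for m in maps:
        if m.kind == kind and m.ns_start <= ns_id < m.ns_start + m.count:
            return m.host_start + (ns_id - m.ns_start)
    return None


def host_to_container(maps: List[IdMap], kind: str, host_id: int) -> Optional[int]:
    """Container-side id for a host id; None if the host id is not mapped in."""
    for m in maps:
        if m.kind == kind and m.host_start <= host_id < m.host_start + m.count:
            return m.ns_start + (host_id - m.host_start)
    return None


def maps_host_root(maps: List[IdMap]) -> bool:
    """True if some container uid/gid resolves to host id 0 (count is > 0, so
    a range starting at host id 0 always includes it)."""
    return any(m.host_start == 0 for m in maps)


# Constructed from the two orderings quoted in the mail.
SCRIPT_CONFIG = [
    "lxc.id_map = U 100000 0 10000",
    "lxc.id_map = G 100000 0 10000",
]
DOCS_CONFIG = [
    "lxc.id_map = u 0 100000 10000",
    "lxc.id_map = g 0 100000 10000",
]

if __name__ == "__main__":
    for name, cfg in (("script order", SCRIPT_CONFIG), ("docs order", DOCS_CONFIG)):
        maps = parse_id_map(cfg)
        print(name,
              "container uid 0 ->", container_to_host(maps, "u", 0),
              "| container uid 100000 ->", container_to_host(maps, "u", 100000),
              "| maps host root:", maps_host_root(maps))
```

With the documented order, container uid 0 becomes host uid 100000 and container uid 10000 and above are unmapped. With the script's order, container uid 0 has no mapping at all, while container uid 100000 would correspond to host uid 0; that is the difference the mail points at, and the reason a rootfs converted with one ordering will not line up with a container started under the other.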