[lxc-devel] Howto user namespaces?

Serge Hallyn serge.hallyn at ubuntu.com
Tue Apr 9 13:19:31 UTC 2013


Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> On Tue, Apr 9, 2013 at 9:58 AM, richard -rw- weinberger
> <richard.weinberger at gmail.com> wrote:
> > On Tue, Apr 9, 2013 at 5:28 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> >>> Am I missing something obvious?
> >>
> >> lxc-create does not yet convert the rootfs to the mapped uids, so you
> >> need to do that manually using uidmapshift.  Check the
> >> container-userns-convert script at
> >> https://code.launchpad.net/~serge-hallyn/+junk/nsexec or in the nsexec
> >> package at ppa:serge-hallyn/userns-natty.
> >
> > Hmm, I've fixed the uids already by hand.
> > Today I've created a new container and used container-userns-convert
> > but with the same results.
> >
> > What I find very strange is that your script does:
> > lxc.id_map = U ${uid} 0 $range
> > lxc.id_map = G ${uid} 0 $range
> > uid is 100000, range is 10000.
> >
> > But the lxc docs say:
> >               Four values must be provided.  First a character, either
> >               'u', or 'g', to specify whether user or group ids are
> >               being mapped.  Next is the first userid as seen in the
> >               user namespace of the container.  Next is the userid as
> >               seen on the host.  Finally, a range indicating the number
> >               of consecutive ids to map.
> >
> > So, this would make more sense: lxc.id_map = u 0 100000 10000
> >
> > Anyways, mount of tmpfs fails with ENOPERM, is there any debugging
> > mechanism to find out why it is failing?
> > According to strace some bind mounts before the tmpfs work perfectly fine.
> 
> BTW: I found out that tmpfs is not supported within user namespaces...

It should be in 3.9:

    userns: Allow the userns root to mount tmpfs.

> Anyways, now lxc-start dies here:
> lxc-start: Operation not permitted - failed to set mode '020644' to '/dev/pts/1'
> which is:
> chmod("/dev/pts/1", 020644) = -1 EPERM (Operation not permitted)
> Shouldn't this be /usr/lib64/lxc/rootfs/dev/pts/1?!

Look at Eric's user namespaces kernel tree for patches which aren't in
your tree yet.  (I also have one, but right now it is out of date with
respect to some recent fixes Eric has sent upstream.)  Upstream is
almost 100% there, but an <eensie weensie> bit away.

-serge
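The lxc.id_map field order discussed above (container id first, then host id, then range) is easy to get backwards, and the swapped form maps a container id onto host uid 0. As an added example that is not part of this thread or of lxc/nsexec, here is a small Python checker that parses lxc.id_map lines, translates container ids to host ids the way a uidmapshift-style rootfs conversion would, and flags mappings that hand out host root or leave container root unmapped; the check names and the overlap rule are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class IdMap:
    kind: str        # 'u' (uids) or 'g' (gids)
    container: int   # first id as seen inside the container's user namespace
    host: int        # first id as seen on the host
    count: int       # number of consecutive ids mapped

# Accepts the upper-case U/G used by the script as well as the documented u/g.
_LINE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ugUG])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_map(line: str) -> IdMap:
    """Parse one 'lxc.id_map = <u|g> <container id> <host id> <range>' line."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an lxc.id_map line: {line!r}")
    kind, container, host, count = m.groups()
    if int(count) <= 0:
        raise ValueError("range must be a positive number of ids")
    return IdMap(kind.lower(), int(container), int(host), int(count))

def container_to_host(maps: Iterable[IdMap], kind: str, cid: int) -> Optional[int]:
    """Host id that a container id lands on (what a rootfs conversion writes).
    None means unmapped: such an id shows up as the overflow id (nobody) instead."""
    for m in maps:
        if m.kind == kind and m.container <= cid < m.container + m.count:
            return m.host + (cid - m.container)
    return None

def audit(maps: List[IdMap]) -> List[str]:
    """Flag mappings that defeat the isolation a user namespace is meant to give."""
    problems = []
    for m in maps:
        if m.host == 0:  # the swapped 'U 100000 0 10000' form ends up here
            problems.append(f"{m.kind}: container id {m.container} is mapped onto host id 0 (host root)")
    for kind in ("u", "g"):
        if any(x.kind == kind for x in maps) and container_to_host(maps, kind, 0) is None:
            problems.append(f"{kind}: container id 0 is unmapped, root inside the container is nobody on the host")
    for i, a in enumerate(maps):  # two entries of one kind must not share host ids
        for b in maps[i + 1:]:
            if a.kind == b.kind and a.host < b.host + b.count and b.host < a.host + a.count:
                problems.append(f"{a.kind}: host ranges {a.host}+{a.count} and {b.host}+{b.count} overlap")
    return problems
```

Running audit() over the two lines from the script versus the documented order shows the difference directly: the documented form maps container root to host uid 100000, the swapped form maps container uid 100000 to host root and leaves container root unmapped.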