[lxc-devel] Howto user namespaces?
richard -rw- weinberger
richard.weinberger at gmail.com
Tue Apr 9 19:59:03 UTC 2013
On Tue, Apr 9, 2013 at 3:19 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
>> On Tue, Apr 9, 2013 at 9:58 AM, richard -rw- weinberger
>> <richard.weinberger at gmail.com> wrote:
>> > On Tue, Apr 9, 2013 at 5:28 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> >> Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
>> >>> Am I missing something obvious?
>> >>
>> >> lxc-create does not yet convert the rootfs to the mapped uids, so you
>> >> need to do that manually using uidmapshift. Check the
>> >> container-userns-convert script at
>> >> https://code.launchpad.net/~serge-hallyn/+junk/nsexec or in the nsexec
>> >> package at ppa:serge-hallyn/userns-natty.
>> >
>> > Hmm, I've fixed the uids already by hand.
>> > Today I've created a new container and used container-userns-convert
>> > but with the same results.
>> >
>> > What I find very strange is that your script does:
>> > lxc.id_map = U ${uid} 0 $range
>> > lxc.id_map = G ${uid} 0 $range
>> > uid is 100000, range is 10000.
>> >
>> > But the lxc docs say:
>> > Four values must be provided. First a character, either
>> > 'u', or 'g', to specify whether user or group ids are
>> > being mapped. Next is the first userid as seen in the
>> > user namespace of the container. Next is the userid as
>> > seen on the host. Finally, a range indicating the number
>> > of consecutive ids to map.
>> >
>> > So, this would make more sense: lxc.id_map = u 0 100000 10000
>> >
>> > Anyways, mount of tmpfs fails with ENOPERM, is there any debugging
>> > mechanism to find out why it is failing?
>> > According to strace some bind mounts before the tmpfs work perfectly fine.
>>
>> BTW: I found out that tmpfs is not supported within user namespaces...
>
> It should be in 3.9:
>
> userns: Allow the userns root to mount tmpfs.
Okay. Mounting tmpfs works on 3.9 so far.
>> Anyways, now lxc-start dies here:
>> lxc-start: Operation not permitted - failed to set mode '020644' to '/dev/pts/1'
>> which is:
>> chmod("/dev/pts/1", 020644) = -1 EPERM (Operation not permitted)
>> Shouldn't this be /usr/lib64/lxc/rootfs/dev/pts/1?!
>
> Look at Eric's user namespaces kernel tree for patches which aren't in
> your tree yet. (I also have one, but right now it is out of date with
> respect to some recent fixes Eric has sent upstream.) Upstream is
> almost 100% there, but an <eensie weensie> bit away.
Which tree is that?
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git
for-linus (and for-next)
differ only by one commit:
proc: Restrict mounting the proc filesystem
And I still get the same error (chmod to /dev/pts/.. is failing)
Eric, can you help us solving this maze?
--
Thanks,
//richard
More information about the lxc-devel
mailing list