[lxc-devel] Howto user namespaces?

Serge Hallyn serge.hallyn at ubuntu.com
Thu Apr 11 17:21:26 UTC 2013


Quoting Eric W. Biederman (ebiederm at xmission.com):
> Serge Hallyn <serge.hallyn at ubuntu.com> writes:
> 
> > Quoting Eric W. Biederman (ebiederm at xmission.com):
> >> richard -rw- weinberger <richard.weinberger at gmail.com> writes:
> >> 
> >> > On Thu, Apr 11, 2013 at 7:03 AM, Eric W. Biederman
> >> > <ebiederm at xmission.com> wrote:
> >> >> richard -rw- weinberger <richard.weinberger at gmail.com> writes:
> >> >>> {st_mode=S_IFCHR|0644, st_rdev=makedev(5, 1), ...}) = 0
> >> >>> [pid  3100] chmod("/dev/pts/5", 020644) = -1 EPERM (Operation not permitted)
> >> >>
> >> >> I am puzzled why we don't see something to create /dev/pts/5 in this trace.
> >> >
> >> > I have also no idea.
> >> > Please see both attached strace logs (linux v3.9-rc6, lxc 0.9.0).
> >> > One with lxc.autodev = 0, the other with = 1.
> >> 
> >> I have read through and I can see why you are failing.
> >> With autodev you are failing with mknod /dev/null.
> >> Without autodev you are creating pts (I assume to represent /dev/ttyN)
> >> before creating the user namespace and then there is a permission
> >> problem with chmod.
> >
> > After creating the /dev/ttyN we chown them to the root uid inside the
> > container.  I've not had failures with this.
> 
> Yes that should work fine.
> 
> There aren't any chown calls in Richard's strace logs, why that is I
> don't know, but that seems to be the cause of his troubles.

Richard,

finally had some time to reproduce.  Here is what I did.  You can look
at deltas to figure out what is going wrong.

1. create an up-to-date new ubuntu raring vm (instance actually)
2. sudo add-apt-repository ppa:serge-hallyn/userns-natty
3. sudo add-apt-repository ppa:ubuntu-lxc/daily
4. wget https://launchpad.net/~ubuntu-lxc/+archive/kernel/+files/linux-image-3.8.0-12-generic_3.8.0-12.22%7Euserns1_amd64.deb
5. sudo apt-get update
6. sudo apt-get install lxc nsexec
7. sudo dpkg -i linux-image*.deb
8. reboot
9. sudo lxc-create -t ubuntu -n r1
10. sudo container-userns-convert r1 100000
11. sudo lxc-start -n r1  # note this console has issues, which may be
    # due to the same issue Dwight has.  You can log in, but sudo.
12. sudo lxc-console -n r1 # in another console

I can log in fine, terminals are correct etc.

Now, note - this is not what we consider the future of lxc in user
namespaces.  Rather, we expect unprivileged users to use their
own lxcpath and create and run containers entirely without privilege.
This still requires some more work.

-serge

(Note - I just pushed a fix for container-userns-convert to fix the
order of the lxc.xid_map lines in the container config)
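The thread turns on one detail: a /dev/ttyN or pts device created on the host before the user namespace exists is owned by host uid 0, which is not mapped into the container, so chmod from inside fails with EPERM; chowning it to the host uid that the container's root maps to (100000 in the recipe above) fixes that. The following is an added example, not code from this list or from lxc, that parses id-map lines in the `lxc.id_map = u 0 100000 65536` form (the key name is assumed from lxc 0.9 configs; the post itself writes lxc.xid_map), translates uids in both directions and applies the kernel's rule that a namespace's capabilities only reach inodes whose owner maps into that namespace. The sample config text is constructed for the example.

```python
"""Translate uids between host and container from lxc.id_map lines and
show why a device owned by an unmapped host uid cannot be chmod'ed from
inside the user namespace (added example, not lxc code)."""
from dataclasses import dataclass
from typing import List, Optional

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid for unmapped ids


@dataclass(frozen=True)
class IdMapEntry:
    kind: str        # 'u' for uids, 'g' for gids
    ns_start: int    # first id inside the container
    host_start: int  # first id on the host
    count: int       # number of consecutive ids mapped


def parse_id_map(config_text: str) -> List[IdMapEntry]:
    """Collect every 'lxc.id_map = <u|g> <ns_start> <host_start> <count>' line."""
    entries: List[IdMapEntry] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":          # assumed key name, see lead-in
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed lxc.id_map line: {raw!r}")
        kind, ns_start, host_start, count = fields[0], int(fields[1]), int(fields[2]), int(fields[3])
        if min(ns_start, host_start) < 0 or count <= 0:
            raise ValueError(f"invalid id range in line: {raw!r}")
        entries.append(IdMapEntry(kind, ns_start, host_start, count))
    return entries


def ns_to_host(entries: List[IdMapEntry], kind: str, ns_id: int) -> Optional[int]:
    """Host id backing a container id, or None if the container id is unmapped."""
    for e in entries:
        if e.kind == kind and e.ns_start <= ns_id < e.ns_start + e.count:
            return e.host_start + (ns_id - e.ns_start)
    return None


def host_to_ns(entries: List[IdMapEntry], kind: str, host_id: int) -> Optional[int]:
    """Container id for a host id, or None if the host id is not mapped in."""
    for e in entries:
        if e.kind == kind and e.host_start <= host_id < e.host_start + e.count:
            return e.ns_start + (host_id - e.host_start)
    return None


def owner_seen_in_container(entries: List[IdMapEntry], file_host_uid: int) -> int:
    """What `ls -l` inside the container reports as the owner of a file
    owned by file_host_uid on the host (unmapped owners show as 65534)."""
    mapped = host_to_ns(entries, "u", file_host_uid)
    return OVERFLOW_ID if mapped is None else mapped


def container_root_can_chmod(entries: List[IdMapEntry], file_host_uid: int) -> bool:
    """Root in the container holds CAP_FOWNER only over inodes whose owner
    maps into the namespace, so chmod on a file owned by an unmapped host
    uid (e.g. a pts created before the userns, owned by host uid 0) is EPERM."""
    return host_to_ns(entries, "u", file_host_uid) is not None


def chown_target_for_container_root(entries: List[IdMapEntry]) -> Optional[int]:
    """Host uid a pre-created device should be chowned to so that it belongs
    to root inside the container."""
    return ns_to_host(entries, "u", 0)


# Constructed sample, matching the 100000 base used by the recipe in the post.
SAMPLE_CONFIG = """
lxc.id_map = u 0 100000 65536   # container uid 0..65535 -> host 100000..165535
lxc.id_map = g 0 100000 65536
"""

if __name__ == "__main__":
    m = parse_id_map(SAMPLE_CONFIG)
    print("chown pre-created /dev/ttyN to host uid", chown_target_for_container_root(m))
    print("device owned by host uid 0 appears in container as", owner_seen_in_container(m, 0))
    print("container root may chmod it:", container_root_can_chmod(m, 0))
    print("after chown to 100000, may chmod it:", container_root_can_chmod(m, 100000))
```

Run against a real container config, the last two lines are the check to make: every device node the start-up path creates before entering the namespace must be owned by a host uid for which container_root_can_chmod returns True, otherwise the chmod in the strace above is exactly the failure you will see.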