[lxc-devel] Howto user namespaces?

Serge Hallyn serge.hallyn at ubuntu.com
Tue Jul 9 15:58:43 UTC 2013


Quoting Rui Xiang (rui.xiang at huawei.com):
> On 2013/7/5 19:48, Serge Hallyn wrote:
> > Quoting Rui Xiang (rui.xiang at huawei.com):
> >> The same issue troubles me. I try to start the container by these ways 
> >> in the mails, but get error results too.
> >>
> >> So I want to know about the plan to fix it. And any advice from you would be
> >> appreciated. :)
> > 
> > Hi,
> > 
> > could you please start from the top explaining how you installed lxc,
> > set up the container, started it, and what went wrong?
> > 
> Hi,
> 
> I got lxc sources from the repo git://github.com/lxc/lxc (lxc 0.9.0), 
> and installed it in redhat6. The kernel version is 3.10.0.
> 
> I've created an opensuse template and then added the lines to config :
>  lxc.tty = 4
>  lxc.pts = 1024
>  lxc.mount  = /home/container/lxc4test/fstab
> ...
>  lxc.id_map = u 0 10000 2000
>  lxc.id_map = g 0 10000 2000
> 
> lxc-start failed:
>   # lxc-start -n foo  -f config
>   lxc-start: Operation not permitted - failed to set mode '020644' to '/dev/pts/5'
>   lxc-start: failed to setup the console for 'foo'
>   lxc-start: failed to setup the container
>   lxc-start: invalid sequence number 1. expected 2
>   lxc-start: failed to spawn 'foo'
> 
> As discussed in previous mails, I added this to config: 
>   lxc.ttydir = lxc
> 
> but lxc-start still failed:
>   # lxc-start -n foo  -f config
>   lxc-start: Operation not permitted - failed to set mode '020644' to '/dev/pts/1'
>   lxc-start: failed to setup the console for 'foo'
>   lxc-start: failed to setup the container
>   lxc-start: invalid sequence number 1. expected 2
>   lxc-start: failed to spawn 'foo'
>  
> After setting lxc.tty = 0, the result was an error too:
>   lxc-start: Operation not permitted - failed to set mode '020644' to '/dev/pts/1'.
> 
> So ashamed that I have no better ways to solve it now. :(

Hi,

When you do

  lxc.id_map = u 0 10000 2000
  lxc.id_map = g 0 10000 2000

The container will run with uid 0 in the container being mapped to 10000
on the host.  What I don't see is where you have shifted the uids of the
container's files.

If you look at https://code.launchpad.net/~serge-hallyn/+junk/nsexec ,
there are two programs of interest.  uidmapshift.c will do the uid
shifting (so for instance root owned files in the container will become
owned by 10000).  The container-userns-convert script will use the
uidmapshift.c program as well as add the lxc.id_map files to the
container configuration.  I usually just do

	container-userns-convert containername 10000

So you'll definitely need to use the uidmapshift program to chown your
files, though to be honest your error sounds to me like a different
problem.  But just to be sure, please let me know what you see after
shifting the container uids.

Note, I will be getting back to my template for completely unprivileged
container creation this week - however it becomes pretty involved (to
allow an unprivileged user to chown files to his subuids) so at least at
first it is a customized template based on the lxc-ubuntu one.

-serge
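The uid shifting Serge describes, worked through as an added example (not his uidmapshift.c or the container-userns-convert script): parse the two lxc.id_map lines from the config above, map each container id to its host id, and lchown every entry of a rootfs tree accordingly. The rootfs path, the dry-run default and the ID_MAP_LINES list are assumptions made for this example.

```python
import os
import stat

# Constructed sample: the two lxc.id_map lines from the config in the mail.
ID_MAP_LINES = [
    "lxc.id_map = u 0 10000 2000",
    "lxc.id_map = g 0 10000 2000",
]

def parse_id_map(lines):
    """Turn lxc.id_map lines into {'u': [(cstart, hstart, count)], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in lines:
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":
            continue
        kind, cstart, hstart, count = value.split()
        maps[kind].append((int(cstart), int(hstart), int(count)))
    return maps

def map_id(ranges, cid):
    """Host id for a container id, or None when the id lies outside every range."""
    for cstart, hstart, count in ranges:
        if cstart <= cid < cstart + count:
            return hstart + (cid - cstart)
    return None

def shift_tree(root, maps, dry_run=True):
    """Walk root and lchown entries into the host range; symlinks are never followed.
    Returns (path, old_uid, old_gid, new_uid, new_gid) for every entry that changes.
    Ids already in the host range map to None and are left alone, so a rerun is a no-op."""
    changes = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)
        new_uid = map_id(maps["u"], st.st_uid)
        new_gid = map_id(maps["g"], st.st_gid)
        new_uid = st.st_uid if new_uid is None else new_uid
        new_gid = st.st_gid if new_gid is None else new_gid
        if (new_uid, new_gid) == (st.st_uid, st.st_gid):
            continue
        changes.append((path, st.st_uid, st.st_gid, new_uid, new_gid))
        if not dry_run:
            os.lchown(path, new_uid, new_gid)
            # chown clears setuid/setgid on regular files: restore the original mode
            if stat.S_ISREG(st.st_mode):
                os.chmod(path, stat.S_IMODE(st.st_mode))
    return changes
```

Run `shift_tree("/path/to/rootfs", parse_id_map(ID_MAP_LINES), dry_run=False)` as root once the dry-run list looks right; with dry_run=True it only reports what it would chown.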