[lxc-devel] problem with user namespace as root

Michael H. Warfield mhw at WittsEnd.com
Sat Feb 15 04:07:52 UTC 2014


On Fri, 2014-02-14 at 13:30 -0600, Serge Hallyn wrote:
> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > On Fri, 2014-02-14 at 13:52 -0500, Michael H. Warfield wrote:
> > > On Fri, 2014-02-14 at 09:55 -0600, Serge Hallyn wrote:
> > > > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > > > On Fri, 2014-02-14 at 11:49 +0100, Stephan Sachse wrote:
> > > > > > > You didn't say if you had applied my experimental patch or not.  I'm
> > > > > > > guessing not but I can't be sure.
> > > > > 
> > > > > > no, this was only the complete log of my "i lost my brain" mail.
> > > > > 
> > > > > K
> > > > > 
> > > > > > > 2) Find the lxc-devsetup script (in lxc/config/init/systemd/lxc-devsetup
> > > > > > > in the source tree) and run that as root to see if we have better luck
> > > > > > > under devtmpfs.
> > > > > 
> > > > > > output attached
> > > > > 
> > > > > Ok...
> > > > > 
> > > > > lxc-start 1392374433.579 DEBUG    lxc_conf - Bind
> > > > > mounting /dev/.lxc/user/fedora1.533098688727054a
> > > > > to /usr/lib64/lxc/rootfs/dev
> > > > > 
> > > > > That looks good...
> > > > > 
> > > > > lxc-start 1392374433.579 INFO     lxc_conf - Mounted /dev
> > > > > under /usr/lib64/lxc/rootfs
> > > > > lxc-start 1392374433.579 INFO     lxc_conf - Creating initial consoles
> > > > > under /usr/lib64/lxc/rootfs/dev
> > > > > lxc-start 1392374433.579 INFO     lxc_conf - Populating /dev
> > > > > under /usr/lib64/lxc/rootfs
> > > > > lxc-start 1392374433.579 ERROR    lxc_conf - Operation not permitted -
> > > > > Error creating null
> > > > > 
> > > > > That looks bad.  Rats.  That's not going to work for the reason I
> > > > > suspected to begin with.  We're back to square one and need to get the
> > > > > operations of mounting devpts on top of tmpfs working.
> > > > 
> > > > But it does work.
> > 
> > > I can't get it to work.  This is obviously part of my coming up to speed
> > > with user namespaces, I guess...
> > 
> > Crap.  Here's my problem:
> > 
> > lxc-checkconfig:
> > 
> > User namespace: missing
> > 
> > Damn...

> Probably best to grab a 3.13 kernel and set CONFIG_USER_NS=y.

I'm working from rpm's to save what little management sanity I have
left.  There may be a 3.13 rpm in rawhide I can snag.

Hmmm...  Which I just did.  Rawhide (F21) actually has a 3.14 kernel in
it while F20 updates testing has a 3.13 kernel.  I'm snagging them both
to see what they have in them and how they're configured.

At this point, I'm real close to the point where I have to drop into a
black hole for a couple of weeks.  Starting Sunday, I'm going to be
seriously out of pocket and this is probably larger than what I can get
set up between now and then.  I was hoping to play with different
parameters to that mount to figure out what's breaking in the tmpfs case
but that looks like it's going to be out of reach for the next 2-1/2
weeks.

I posted an alternate patch in this thread in another message.  If that
solves anything, please feel free to make any necessary modifications
and commit with my blessing.  I don't see where the patch does any harm
in the working case where we can execute the mknod and may help with
this case.  If so, go for it.

> Out of curiosity, where did you get your shadow package or your
> newuidmap program?

I didn't.  I rolled my own based on the sparse documentation I could
find (man page for lxc-usernsexec).  You got pointers to doco that could
help me get started?  Like I said, I'm just learning and getting up to
speed in this usernamespace gig.

> -serge

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
