[lxc-devel] Error "unshare: Operation not permitted" when trying to create user container

Stéphane Graber stgraber at ubuntu.com
Sun Feb 16 17:23:42 UTC 2014


On Sun, Feb 16, 2014 at 03:51:50AM -0500, Brian Campbell wrote:
> I'm running Debian Jessie (testing), and compiled lxc from a fresh git clone (7da8ab1: close inherited fds when we still have proc mounted). I would like to create a user container without using root privileges, so I set up UID mappings such that my user ID would map to root within the container. From what I can tell, this is all that should be necessary to get it to use user namespaces to operate unprivileged:
> 
> lambda at gherkin:lxc$ cat ~/.config/lxc/default.conf
> lxc.id_map = u 0 1000 9999
> lxc.id_map = g 0 1000 9999
> lambda at gherkin:lxc$ id
> uid=1000(lambda) gid=1000(lambda) groups=1000(lambda),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),104(scanner),109(bluetooth),112(netdev),125(vboxusers)

From the above, it seems like you didn't configure /etc/subuid and
/etc/subgid. Without those (and a version of the shadow package which
supports them), you won't be able to switch to those UID ranges.

> 
> However, when I try to create the container with lxc-create, I get an "unshare: Operation not permitted" error, and then a later error about trying to chown the directory to the container root. Any ideas? Did I do something wrong?
> 
> lambda at gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t download -- -d ubuntu -r precise -a amd64
> unshare: Operation not permitted
> read pipe: No such file or directory
> lxc-create: Error chowning /home/lambda/.local/share/lxc/precise-test/rootfs to container root
> lxc-create: Error creating backing store type (none) for precise-test
> lxc-create: Error creating container precise-test
> lambda at gherkin:lxc$ cat lxc.log
>      lxc-create 1392539899.116 WARN     lxc_log - lxc_log_init called with log already initialized
>      lxc-create 1392539899.116 INFO     lxc_confile - read uid map: type u nsid 0 hostid 1000 range 9999
>      lxc-create 1392539899.116 INFO     lxc_confile - read uid map: type g nsid 0 hostid 1000 range 9999
>      lxc-create 1392539899.118 ERROR    lxc_container - Error chowning /home/lambda/.local/share/lxc/precise-test/rootfs to container root
>      lxc-create 1392539899.118 ERROR    lxc_container - Error creating backing store type (none) for precise-test
>      lxc-create 1392539899.119 ERROR    lxc_create_ui - Error creating container precise-test
> lambda at gherkin:lxc$ lxc-checkconfig
> Kernel configuration not found at /proc/config.gz; searching...
> Kernel configuration found at /boot/config-3.12-1-amd64
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> User namespace: enabled
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
> 
> --- Control groups ---
> Cgroup: enabled
> Cgroup clone_children flag: enabled
> Cgroup device: enabled
> Cgroup sched: enabled
> Cgroup cpu account: enabled
> Cgroup memory controller: enabled
> Cgroup cpuset: enabled
> 
> --- Misc ---
> Veth pair device: enabled
> Macvlan: enabled
> Vlan: enabled
> File capabilities: enabled
> 
> Note : Before booting a new kernel, you can check its configuration
> usage : CONFIG=/path/to/config /usr/local/bin/lxc-checkconfig
> 
> -- Brian
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
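As an added illustration (not part of either mail), a small Python check that parses the `lxc.id_map` lines from a config and reports which host ID ranges are not delegated to the user in `/etc/subuid` and `/etc/subgid`. The file contents below are constructed samples; the check only tests delegation, which is one of the preconditions named in the reply.

```python
import re

# Constructed sample input: the id_map lines from the post plus a
# hypothetical subuid/subgid delegation (not the poster's real files).
DEFAULT_CONF = """\
lxc.id_map = u 0 1000 9999
lxc.id_map = g 0 1000 9999
"""
SUBUID = "lambda:100000:65536\n"
SUBGID = "lambda:100000:65536\n"


def parse_id_map(conf_text):
    """Return [(type, nsid, hostid, count)] for each lxc.id_map line."""
    maps = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)", line)
        if m:
            kind, nsid, hostid, count = m.groups()
            maps.append((kind, int(nsid), int(hostid), int(count)))
    return maps


def parse_subid(text, user):
    """Return [(start, count)] ranges delegated to `user` (user:start:count)."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges


def uncovered(maps, user, subuid_text, subgid_text):
    """List id_map entries whose host range is not fully inside a delegated range."""
    delegated = {"u": parse_subid(subuid_text, user),
                 "g": parse_subid(subgid_text, user)}
    problems = []
    for kind, nsid, hostid, count in maps:
        lo, hi = hostid, hostid + count - 1
        if not any(s <= lo and hi <= s + c - 1 for s, c in delegated[kind]):
            problems.append((kind, nsid, hostid, count))
    return problems


if __name__ == "__main__":
    for kind, nsid, hostid, count in uncovered(parse_id_map(DEFAULT_CONF),
                                                "lambda", SUBUID, SUBGID):
        print(f"not delegated: {kind} host {hostid}-{hostid + count - 1}")
```

With the sample data above, both mappings are reported because the delegated range (100000 upwards) does not cover host IDs 1000-10998.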