[lxc-devel] Error "unshare: Operation not permitted" when trying to create user container

Stéphane Graber stgraber at ubuntu.com
Sun Feb 16 17:53:16 UTC 2014


On Sun, Feb 16, 2014 at 12:49:44PM -0500, Brian Campbell wrote:
> On Feb 16, 2014, at 12:23 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> 
> > On Sun, Feb 16, 2014 at 03:51:50AM -0500, Brian Campbell wrote:
> >> I'm running Debian Jessie (testing), and compiled lxc from a fresh git clone (7da8ab1: close inherited fds when we still have proc mounted). I would like to create a user container without using root privileges, so I set up UID mappings such that my user ID would map to root within the container. From what I can tell, this is all that should be necessary to get it to use user namespaces to operate unprivileged:
> >> 
> >> lambda at gherkin:lxc$ cat ~/.config/lxc/default.conf
> >> lxc.id_map = u 0 1000 9999
> >> lxc.id_map = g 0 1000 9999
> >> lambda at gherkin:lxc$ id
> >> uid=1000(lambda) gid=1000(lambda) groups=1000(lambda),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),104(scanner),109(bluetooth),112(netdev),125(vboxusers)
> > 
> > From the above, it seems like you didn't configure /etc/subuid and
> > /etc/subgid. Without those (and a version of the shadow package which
> > supports them), you won't be able to switch to those UID ranges.
> 
> Nope, I haven't done anything with them, and it looks like Debian's passwd doesn't have subuid/subgid support. Taking a look at the Ubuntu changelog, it looks like they were added as a patch to the Ubuntu package in 1:4.1.5.1-1ubuntu5. Is there a Debian package already available for this, or should I try to extract the patches from the Ubuntu package and build my own?
> 
> Ah, looks like I should have read this: https://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/ before trying this; all I had seen was https://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg05859.html which didn't mention anything about /etc/subuid and /etc/subgid.

The shadow change was submitted to Debian at the same time we pushed it
to Ubuntu, but last I checked it was still in an unreleased git
branch...

For unprivileged containers with current kernel and LXC (and a distro
with the new shadow), there's also an article I wrote a little while
back at:
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
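Added example, not part of the thread and not LXC's or shadow's own code: a POSIX shell script that checks whether the host-side ranges named in a user's lxc.id_map lines are actually allocated to that user in /etc/subuid and /etc/subgid, which is the property the setuid helpers newuidmap and newgidmap enforce when LXC populates the user namespace. The user name lambda, the allocation 100000:65536, the second user alice and both config files are constructed for the demo; the real /etc/subuid and /etc/subgid are only consulted when SUBUID_FILE and SUBGID_FILE are left unset. With no subuid entry for lambda, the thread's "u 0 1000 9999" is rejected, as the reply above explains.

```shell
#!/bin/sh
# Added example (not code from the thread, LXC or shadow).
# Verifies that the host-side ranges in lxc.id_map lines are allocated to
# the user in /etc/subuid and /etc/subgid. newuidmap/newgidmap refuse ranges
# that are not, which leaves an unprivileged container unable to map ids.

# Real files by default; the demo below points these at constructed copies.
SUBUID_FILE="${SUBUID_FILE:-/etc/subuid}"
SUBGID_FILE="${SUBGID_FILE:-/etc/subgid}"

# range_allocated USER FILE START COUNT
# 0 if [START, START+COUNT) lies inside a single "USER:start:count" line of
# FILE, 1 otherwise (unreadable file, no entry, or only partial coverage).
range_allocated() {
    _user=$1 _file=$2 _start=$3 _count=$4
    case "$_start$_count" in *[!0-9]*|'') return 1 ;; esac
    [ -r "$_file" ] || return 1
    _end=$((_start + _count))
    while IFS=: read -r _u _s _c; do
        [ "$_u" = "$_user" ] || continue
        case "$_s$_c" in *[!0-9]*|'') continue ;; esac   # skip malformed lines
        if [ "$_start" -ge "$_s" ] && [ "$_end" -le $((_s + _c)) ]; then
            return 0
        fi
    done < "$_file"
    return 1
}

# check_idmap USER CONF
# Parses "lxc.id_map = <u|g> <container_start> <host_start> <count>" lines
# (spaces around '=' optional; the newer lxc.idmap spelling is accepted too)
# and checks each host range. Rejected lines go to stderr; returns 0 only if
# every range is allocated to USER.
check_idmap() {
    _user=$1 _conf=$2 _rc=0
    [ -r "$_conf" ] || { echo "cannot read $_conf" >&2; return 1; }
    while IFS= read -r _line; do
        case "$_line" in lxc.id_map*|lxc.idmap*) ;; *) continue ;; esac
        set -- $(printf '%s\n' "$_line" | tr '=' ' ')
        _kind=$2 _hstart=$4 _cnt=$5
        case "$_kind" in
            u) _f=$SUBUID_FILE ;;
            g) _f=$SUBGID_FILE ;;
            *) echo "bad id_map kind in: $_line" >&2; _rc=1; continue ;;
        esac
        if ! range_allocated "$_user" "$_f" "$_hstart" "$_cnt"; then
            echo "$_user owns no $_kind range $_hstart+$_cnt in $_f: $_line" >&2
            _rc=1
        fi
    done < "$_conf"
    return $_rc
}

# make_demo_dir: constructed sample data (assumption, not from the thread).
# lambda owns 65536 subordinate uids/gids from 100000; bad.conf is the
# thread's config (host ids from 1000, no matching entry); good.conf uses
# the allocated range. Prints the directory path.
make_demo_dir() {
    _d=$(mktemp -d)
    printf 'alice:200000:65536\nlambda:100000:65536\n' > "$_d/subuid"
    cp "$_d/subuid" "$_d/subgid"
    printf 'lxc.id_map = u 0 1000 9999\nlxc.id_map = g 0 1000 9999\n' > "$_d/bad.conf"
    printf 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' > "$_d/good.conf"
    printf '%s\n' "$_d"
}

# Stand-alone run: report both configs for lambda against the sample files.
demo() {
    _dir=$(make_demo_dir)
    SUBUID_FILE=$_dir/subuid SUBGID_FILE=$_dir/subgid
    for _c in bad.conf good.conf; do
        if check_idmap lambda "$_dir/$_c"; then
            echo "$_c: all id_map ranges allocated to lambda"
        else
            echo "$_c: rejected"
        fi
    done
    rm -rf "$_dir"
}

demo
```

To check a real setup, run `check_idmap "$(id -un)" ~/.config/lxc/default.conf` with SUBUID_FILE and SUBGID_FILE unset; a rejection for every line usually means the shadow package has no subordinate id support at all or the user simply has no entry yet, and usermod --add-subuids/--add-subgids (or a hand-edited /etc/subuid and /etc/subgid) is the fix on distributions whose shadow carries the patch.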