[lxc-devel] Error "unshare: Operation not permitted" when trying to create user container

Brian Campbell lambda at continuation.org
Mon Feb 17 17:50:37 UTC 2014


On Feb 17, 2014, at 11:11 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Brian Campbell (lambda at continuation.org):
>> I tried the demo_userns.c example code from this LWN article https://lwn.net/Articles/532593/ and got the same result:
>> 
>> lambda@gherkin:userns$ ./demo_userns
>> clone: Operation not permitted
>> 
>> So it looks like something is preventing me from calling clone(CLONE_NEWUSER) or unshare(CLONE_NEWUSER).
>> 
>> I can't find any documentation on CLONE_NEWUSER outside of that LWN article, and it indicates that as of 3.8, no privilege should be needed to call clone(CLONE_NEWUSER), so I'm somewhat puzzled as to why this is failing.
> 
> Without looking at the rest of this thread, it basically has to be
> either your kernel doesn't have CONFIG_USER_NS=y (which I wouldn't
> expect before a 3.13 or at least 3.12 kernel), or your distro kernel
> has a sysctl patch to turn off unprivileged CLONE_NEWUSER by default.
> You can find out whether it's the latter by just trying CLONE_NEWUSER
> as root.  If that works, then look under /proc/sys/kernel for something
> called *userns* or *unpriv* and set it to 1 :)

Ah, that's the ticket:

lambda@gherkin:~$ cat /proc/sys/kernel/unprivileged_userns_clone
0

Looks like this is a Debian specific patch, which is why looking at the upstream kernel source left me puzzled about why I'd be getting an EPERM.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712870

* namespaces: Enable USER_NS (Closes: #712870)
     - Restrict creation of user namespaces to root (CAP_SYS_ADMIN) by
       default (sysctl: kernel.unprivileged_userns_clone)

Works much better when I flip that to 1!

    lambda@gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t download -- -d ubuntu -r precise -a amd64
    Setting up the GPG keyring
    Downloading the image index
    Downloading the rootfs
    Downloading the metadata
    The image cache is now ready
    Unpacking the rootfs

    ---
    You just created an Ubuntu container (release=precise, arch=amd64).
    The default username/password is: ubuntu / ubuntu
    To gain root privileges, please use sudo.

Now I need to figure out what is required for the setup of cgroups, since now that's failing. It looks like it's trying to clear out the cgroup hierarchy to be able to set it up differently, but obviously doesn't have permissions to do so. I'm running systemd, which uses the cgroup hierarchy already. I've seen references to cgroup-lite, cgroup-bin, and cgroup-tools; do I need one of these packages to set up cgroups appropriately for unprivileged containers? Or is it possible to do natively with systemd?

lambda@gherkin:lxc$ lxc-start -n precise-test
lxc_container: Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cups.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/gdomap.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cups-browsed.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/netatalk.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/udisks2.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/colord.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/upower.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/winbind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/smbd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/console-kit-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/acpid.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/polkitd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/gdm3.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/getty@.service/getty@tty1.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/getty@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/accounts-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/network-manager.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/dbus.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/rsyslog.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-logind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ntp.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ssh.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cron.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/nmbd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/avahi-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/incron.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/atd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/minissdpd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/exim4.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/mdadm.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ifup@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/nfs-common.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/rpcbind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-fsck@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-udevd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-journald.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
lxc_container: failed creating cgroups
lxc_container: failed to spawn 'precise-test'

-- Brian
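The diagnosis Serge describes above (CONFIG_USER_NS missing versus a distro sysctl that disables unprivileged CLONE_NEWUSER) can be automated. The following C program is an added example and is not code from the thread, from LXC, or from the LWN article; it tries unshare(CLONE_NEWUSER) in a forked child so the calling process is left untouched, reads the Debian-specific /proc/sys/kernel/unprivileged_userns_clone knob mentioned in the thread, and maps the result to one of a few diagnosis tokens. The mapping of EINVAL to "kernel built without user namespace support" follows unshare(2); the short token strings and the ENOSYS convention for a child killed by a signal are this example's own choices.

```c
/* userns_probe.c: report why unshare(CLONE_NEWUSER) fails for the current
 * user. Added example; the diagnosis tokens are this program's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the compiler's feature macros hid the GNU declarations
 * (the value of CLONE_NEWUSER is the kernel's uapi constant). */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
extern int unshare(int flags);

/* Path of the Debian/Ubuntu sysctl named in the thread. */
#define USERNS_SYSCTL "/proc/sys/kernel/unprivileged_userns_clone"

/* Parse the text of a boolean sysctl file such as "0\n" or "1\n".
 * Returns 0 or 1, or -1 when the text is not a plain integer. */
int parse_sysctl_bool(const char *text)
{
    char *end;
    long v;
    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;                      /* tolerate trailing whitespace only */
    if (*end != '\0')
        return -1;
    return v != 0 ? 1 : 0;
}

/* Read the sysctl at `path`. Returns -1 when the file is absent (an upstream
 * kernel has no such knob) or unreadable, otherwise the parsed value. */
int read_sysctl_bool(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_sysctl_bool(buf);
}

/* Attempt unshare(CLONE_NEWUSER) in a child so this process keeps its own
 * namespace. Returns 0 on success, the child's errno on failure, or ENOSYS
 * (this example's convention) if the child died from a signal, e.g. a
 * seccomp filter that forbids the syscall. */
int probe_userns(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno & 0xff);        /* errno values fit in an exit status */
    }
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : ENOSYS;
}

/* Map a probe result, the sysctl state (-1 = knob absent) and the effective
 * uid to a diagnosis token following the reasoning in the thread. */
const char *diagnose(int err, int sysctl_value, uid_t euid)
{
    if (err == 0)
        return "ok";                /* unprivileged user namespaces work */
    if (err == EINVAL)
        return "no-config-user-ns"; /* kernel lacks CONFIG_USER_NS */
    if (err != EPERM)
        return "other";             /* ENOSPC, EUSERS, ENOSYS, ... */
    if (euid == 0)
        return "eperm-as-root";     /* not the sysctl: look for an LSM or policy */
    if (sysctl_value == 0)
        return "sysctl-disabled";   /* kernel.unprivileged_userns_clone=0 */
    return "eperm-other";           /* EPERM with no knob set to 0 */
}

int main(void)
{
    int err = probe_userns();
    int knob = read_sysctl_bool(USERNS_SYSCTL);
    printf("unshare(CLONE_NEWUSER): %s\n", err ? strerror(err) : "success");
    printf("%s: %s\n", USERNS_SYSCTL, knob < 0 ? "absent" : (knob ? "1" : "0"));
    printf("diagnosis: %s\n", diagnose(err, knob, geteuid()));
    return err ? 1 : 0;
}
```

Run it once as the unprivileged user and once as root: "sysctl-disabled" for the user together with "ok" for root is exactly the pattern Serge describes, while "no-config-user-ns" in both runs points at the kernel build rather than the distro patch.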

