[lxc-devel] Error "unshare: Operation not permitted" when trying to create user container

Serge Hallyn serge.hallyn at ubuntu.com
Tue Feb 18 15:25:26 UTC 2014


Quoting Brian Campbell (lambda at continuation.org):
> On Feb 18, 2014, at 12:16 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> >> Ah, that's the ticket:
> >> 
> >> lambda at gherkin:~$ cat /proc/sys/kernel/unprivileged_userns_clone
> >> 0
> >> 
> >> Looks like this is a Debian specific patch,
> > 
> > *cough* pls not to ask how i knew to query it kthx
> > 
> >> which is why looking at the upstream kernel source left me puzzled about why I'd be getting an EPERM.
> >> 
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712870
> >> 
> >> * namespaces: Enable USER_NS (Closes: #712870)
> >>     - Restrict creation of user namespaces to root (CAP_SYS_ADMIN) by
> >>       default (sysctl: kernel.unprivileged_userns_clone)
> >> 
> >> Works much better when I flip that to 1!
> >> 
> >>    lambda at gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t download -- -d ubuntu -r precise -a amd64
> >>    Setting up the GPG keyring
> >>    Downloading the image index
> >>    Downloading the rootfs
> >>    Downloading the metadata
> >>    The image cache is now ready
> >>    Unpacking the rootfs
> >> 
> >>    ---
> >>    You just created an Ubuntu container (release=precise, arch=amd64).
> >>    The default username/password is: ubuntu / ubuntu
> >>    To gain root privileges, please use sudo.
> >> 
> >> Now I need to figure out what is required for the setup of cgroups,
> >> since now that's failing. It looks like it's trying to clear out the
> >> cgroup hierarchy to be able to set it up differently, but obviously
> >> doesn't have permissions to do so. I'm running systemd, which uses the
> >> cgroup hierarchy already. I've seen references to cgroup-lite,
> >> cgroup-bin, and cgroup-tools; do I need one of these packages to
> >> set up cgroups appropriately for unprivileged containers? Or is it
> >> possible to do natively with systemd?
> >> 
> >> lambda at gherkin:lxc$ lxc-start -n precise-test
> >> lxc_container: Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
> > 
> > I thought we'd stopped doing that, but I guess not fully.
> > Could you try this patch?
> > 
> > Subject: [PATCH 1/1] continue if we cannot set cpuset.clonechildren
> > 
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> 
> It does get rid of that specific error, but still goes on to fail:
> 
> lambda at gherkin:lxc (master)$ lxc-start -n precise-test
> lxc_container: Permission denied - Could not create cgroup /precise-test
> lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/

It looks like you're in the root cgroup and starting as non-root.
Without being root you indeed do not have the rights to create new
cgroups there.  You'll need to either use lxc as root, or do something
like

# one sub-cgroup per controller, owned by the user, then move this shell into it
for d in /sys/fs/cgroup/*; do
	sudo mkdir "$d/lambda"
	sudo chown -R lambda: "$d/lambda"
	echo $$ > "$d/lambda/tasks"
done

-serge
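The two preconditions discussed in this thread (unprivileged user namespaces allowed by the Debian sysctl, and a writable per-controller cgroup for the user) can be checked and applied with a small helper. The following is an added example written for this page, not code from Serge or from lxc: the function names, the ROOT parameter (normally /sys/fs/cgroup) and the optional SUDO variable are assumptions introduced here so the same functions can be exercised against a scratch directory as well as a live hierarchy.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for the two things lxc-start
# needed in the discussion above: unprivileged user namespaces enabled, and a
# cgroup directory under every controller that the user can write to.

# check_userns_sysctl [FILE]
# Exit 0 when unprivileged user-namespace creation is allowed. FILE defaults
# to the Debian sysctl; it is absent on kernels without that patch, which
# means there is no restriction to report.
check_userns_sysctl() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -e "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# cgroups_delegated ROOT USER
# Exit 0 only if every controller under ROOT has a USER subdirectory that the
# calling process can write to. This is what lxc-start needs: it creates
# ROOT/<controller>/<container> beneath the cgroup it is started from, and
# "Permission denied - Could not create cgroup" is the symptom when it cannot.
cgroups_delegated() {
    root="$1"; user="$2"; ok=0
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        [ -w "$d/$user" ] || ok=1
    done
    return $ok
}

# delegate_cgroups ROOT USER
# For every controller mounted under ROOT, create ROOT/<controller>/USER,
# hand it to USER and move the calling shell (and so its children) into it.
# Set SUDO=sudo when running as the unprivileged user; the final write to
# "tasks" needs no privilege once the directory belongs to USER. On a real
# cgroup v1 mount "tasks" already exists; in a scratch directory the
# redirect simply creates it.
delegate_cgroups() {
    root="$1"; user="$2"; rc=0
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        if [ ! -d "$d/$user" ]; then
            ${SUDO:-} mkdir "$d/$user" || { rc=1; continue; }
        fi
        ${SUDO:-} chown -R "$user": "$d/$user" || { rc=1; continue; }
        echo "$$" > "$d/$user/tasks" || rc=1
    done
    return $rc
}
```

Typical use from the unprivileged account is `. ./cgroup-helpers.sh; check_userns_sysctl || echo "userns disabled"; SUDO=sudo delegate_cgroups /sys/fs/cgroup "$(id -un)"; cgroups_delegated /sys/fs/cgroup "$(id -un)" && lxc-start -n precise-test`. Running `cgroups_delegated` first is the quick way to tell whether a later lxc-start failure is the cgroup ownership problem from this thread rather than something in the container configuration.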
