[lxc-devel] Last minute template addition - universal image based template

S.Çağlar Onur caglar at 10ur.org
Wed Jan 15 02:12:31 UTC 2014 

Hey Stéphane,

On Tue, Jan 14, 2014 at 6:52 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> On Tue, Jan 14, 2014 at 06:38:43PM -0500, Dwight Engen wrote:
>> On Mon, 13 Jan 2014 20:56:23 -0500
>> Stéphane Graber <stgraber at ubuntu.com> wrote:
>>
>> [...]
>> >
>> > Yeah, I did a few last-minute changes.
>> >
>> > fstab is no longer required (only copied over if it's there).
>> >
>> > If the expiry file is messing, it's simply assumed that the container
>> > won't expire.
>>
>> Nice, that makes sense.
>>
>> [...]
>> > Now for Oracle, I guess it depends what's most useful for your users.
>> >
>> > Is there actually still a demand for 4.x? I thought at least RHEL 4.x
>> > went out of support last year.
>> >
>> > In any case, I suspect that starting with the latest of each supported
>> > release on i386 and amd64 is probably a good start.
>> > We can then expand that to include popular minor releases, possibly
>> > the last few 6.x?
>>
>> Yeah I think it makes sense to start with just x86_64 6.latest, and
>> we'll see how it goes from there.
>>
>> > > One question I have on this is that the rootfs (at least that the
>> > > Oracle template makes, not sure about others) isn't quite right
>> > > since the host name will have already been injected into config
>> > > files (for example /etc/hosts), but lxc-download wants to template
>> > > them itself. Should we add a switch to the distro template so it
>> > > knows when its being called to create a rootfs for lxc-download to
>> > > put LXC_NAME in there instead the --name it was passed?
>> >
>> > So currently my build script (Jenkins job) will call the template
>> > with:
>> >  - --rootfs=/build-lxc/container/LXC_NAME/rootfs
>> >  - --path=/build-lxc/container/LXC_NAME
>> >  - --name=LXC_NAME
>>
>> Oh yeah, doh! Clever, that should make it work fine.
>>
>> [...]
>> > > I have not tried from a normal user account yet. Is it basically
>> > > that you expect the template to be run by a normal user, but be
>> > > running in a userns? Can you describe how mapped_uid is supposed to
>> > > be set? Thanks!
>> > -d oracle -r 6.5 -a x86_64 --server phocis/lxc-images --no-validate
>> > Yeah, lxc-create basically does all the magic we need there.
>> > When run as a user, it'll run the template in a userns mapped with the
>> > container's range.
>> >
>> > $mapped_uid appears to be set to the uid in the userns which maps back
>> > to the user's own uid outside of it and makes it possible to chown
>> > files back to the actual user.
>>
>> So I had to dig into the source to see how I could get this to work,
>> and tried passing a line like:
>>
>> lxc-create -P /home/dengen/ct -f /home/dengen/ct/dengen_id_map.conf -n ol65 -t download -- -d oracle -r 6.5 -a x86_64 --server lxchttp/lxc-images --no-validate
>>
>> where /home/dengen/ct/dengen_id_map.conf just has:
>>  lxc.id_map = u 0 100000 10000
>>  lxc.id_map = g 0 100000 10000
>>
>> in order to get mapped_uid in lxc-create to kick in. Sadly this didn't
>> work because lxc.spec is still installing lxc-create (and a lot more)
>> setuid, so the geteuid() check in create_run_template() isn't firing.
>> So my question is: which lxc binaries are supposed to be installed
>> setuid these days? Is it just lxc-user-nic? Once I know, I can go ahead
>> and fixup lxc.spec. Thanks.
>
> Oh, wow, I didn't realize some distros were still installing anything
> setuid these days, especially after we drop lxc-setuid and lxc-setcap
> from the upstream tree.
>
> So anyway, nowadays, the recommendation is for only lxc-user-nic to be
> setuid, everything else should always run as the user. When run as root,
> you'll end up with system containers, when run as a user, you'll get an
> unprivileged container.

Should I expect [1] to work on saucy with trusty kernel? Here is what
I'm getting

[caglar at oOo:~] ./unprivileged.sh
Creating unpriv with dir
Using image from local cache
Unpacking the rootfs
chown: invalid user: ‘-f’

---
You just created an Ubuntu container (release=saucy, arch=amd64).
The default username/password is: ubuntu / ubuntu
To gain root privileges, please use sudo.
Starting/Attaching/Stopping to unpriv
lxc-start: command get_cgroup failed to receive response
lxc-attach: failed to get the init pid
unpriv is not running
Destroying unpriv

[caglar at oOo:~] grep ERROR unpriv.log
      lxc-start 1389751901.034 ERROR    lxc_cgroup - Permission denied
- Could not create cgroup /unpriv
      lxc-start 1389751901.034 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/hugetlb//lxc
      lxc-start 1389751901.035 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/hugetlb/
      lxc-start 1389751901.035 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event//lxc
      lxc-start 1389751901.035 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
      lxc-start 1389751901.035 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio//lxc
      lxc-start 1389751901.036 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
      lxc-start 1389751901.036 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer//lxc
      lxc-start 1389751901.036 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
      lxc-start 1389751901.036 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/devices//lxc
      lxc-start 1389751901.036 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
      lxc-start 1389751901.036 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/memory//lxc
      lxc-start 1389751901.037 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/
      lxc-start 1389751901.037 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuacct//lxc
      lxc-start 1389751901.037 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuacct/
      lxc-start 1389751901.037 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu//lxc
      lxc-start 1389751901.037 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu/
      lxc-start 1389751901.038 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset//lxc
      lxc-start 1389751901.038 ERROR    lxc_cgroup - Permission denied
- cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
      lxc-start 1389751901.038 ERROR    lxc_start - failed to create
cgroups for 'unpriv'
      lxc-start 1389751901.038 ERROR    lxc_start - failed to spawn 'unpriv'
      lxc-start 1389751901.039 ERROR    lxc_commands - command
get_cgroup failed to receive response

[1] https://gist.github.com/caglar10ur/8429502

> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
>



-- 
S.Çağlar Onur <caglar at 10ur.org>

More information about the lxc-devel mailing list