[lxc-devel] Unprivileged containers do not work on kernel 3.14.8, 3.15.1

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jun 19 21:16:51 UTC 2014


Quoting KATOH Yasufumi (karma at jazz.email.ne.jp):
> Hi,
> 
> I've used the 3.14.5 and 3.15.0 vanilla kernels (on plamolinux), and on
> that host I can use unprivileged containers.
> 
> But when I update the kernel to 3.14.8 and 3.15.1, unpriv containers
> don't work.
> 
>   $ lxc-start -n ct01 -l debug -o log
>   chown: changing ownership of '/dev/pts/1': Operation not permitted
>   lxc-start: Failed to chown /dev/pts/1
>   lxc-start: Failed to shift tty into container
>   lxc-start: failed to initialize the container
> 
> log is:
>   lxc-start 1403175346.553 INFO     lxc_start_ui - using rcfile /home/karma/.local/share/lxc/ct01/config
>   lxc-start 1403175346.592 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>   lxc-start 1403175346.734 INFO     lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65536
>   lxc-start 1403175346.734 INFO     lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65536
>   lxc-start 1403175346.734 WARN     lxc_log - lxc_log_init called with log already initialized
>   lxc-start 1403175346.734 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>   lxc-start 1403175346.773 DEBUG    lxc_conf - allocated pty '/dev/pts/1' (7/8)
>   lxc-start 1403175346.773 DEBUG    lxc_conf - allocated pty '/dev/pts/2' (9/10)
>   lxc-start 1403175346.773 DEBUG    lxc_conf - allocated pty '/dev/pts/3' (11/12)
>   lxc-start 1403175346.773 DEBUG    lxc_conf - allocated pty '/dev/pts/4' (13/14)
>   lxc-start 1403175346.773 INFO     lxc_conf - tty's configured
>   lxc-start 1403175346.773 DEBUG    lxc_start - sigchild handler set
>   lxc-start 1403175346.774 DEBUG    lxc_console - opening /dev/tty for console peer
>   lxc-start 1403175346.774 INFO     lxc_caps - Last supported cap was 34
>   lxc-start 1403175346.774 DEBUG    lxc_console - using '/dev/tty' as console
>   lxc-start 1403175346.774 DEBUG    lxc_console - 5324 got SIGWINCH fd 19
>   lxc-start 1403175346.774 DEBUG    lxc_console - set winsz dstfd:16 cols:80 rows:24
>   lxc-start 1403175346.882 ERROR    lxc_conf - Failed to chown /dev/pts/1
>   lxc-start 1403175346.882 ERROR    lxc_start - Failed to shift tty into container
>   lxc-start 1403175346.882 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>   lxc-start 1403175346.882 ERROR    lxc_start - failed to initialize the container
> 
> In those versions, the fix related to userns has been made.
>   https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=d3c8656bc29be81894dc78a300c37b84d281ec03
> So I tried to apply the reversed patch of the fix, and then unpriv
> containers work.
> 
> The above was just a quick report.
> Thanks.

oh - yeah, if you want to send a patch to fix this, what you'll need to do is
edit chown_mapped_root() to map in both the root uid and gid, not just the
uid.  Until this kernel patch we were able to be sloppy and only do the uid.
There may be other places where we have to make this change, especially
during container creation and perhaps templates.

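The rule behind the EPERM in the report, and the "map in both the root uid and gid" fix Serge describes, as an added Python model (my own illustration, not LXC or kernel code). The `u:nsid:hostid:range` entry syntax, the tty gid 5, and all function names are constructed assumptions; the 100000 host id is the one the uid map in the log shows.

```python
# Added example (author's own, not LXC or kernel code): a model of the user-namespace
# ownership check behind the EPERM above. Map entries are (nsid, hostid, range) triples,
# the same form lxc_confile logs; the "u:0:100000:1" entry syntax is constructed.
def parse_map(entries):
    """Turn 'u:0:100000:1' style entries into {'u': [...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for entry in entries:
        kind, nsid, hostid, count = entry.split(":")
        maps[kind].append((int(nsid), int(hostid), int(count)))
    return maps

def host_to_ns(host_id, idmap):
    """Translate a host id into the namespace; None if it is not mapped."""
    for nsid, hostid, count in idmap:
        if hostid <= host_id < hostid + count:
            return nsid + (host_id - hostid)
    return None

def capable_wrt_inode_uidgid(maps, inode_uid, inode_gid, strict=True):
    """Post-fix kernel rule (strict=True): namespace root holds a capability over
    an inode only if BOTH its uid and gid map into the namespace.  strict=False
    models the earlier behaviour, which consulted only the uid."""
    uid_ok = host_to_ns(inode_uid, maps["u"]) is not None
    gid_ok = host_to_ns(inode_gid, maps["g"]) is not None
    return uid_ok and (gid_ok or not strict)

def chown_as_mapped_root(maps, inode, new_uid, new_gid=None, strict=True):
    """chown(inode, new_uid, new_gid) from inside the namespace; new_gid=None
    leaves the group alone.  Returns (ok, reason)."""
    if not capable_wrt_inode_uidgid(maps, inode[0], inode[1], strict):
        return False, "EPERM: inode uid/gid not fully mapped into the namespace"
    targets = [(new_uid, "u")] + ([(new_gid, "g")] if new_gid is not None else [])
    if any(host_to_ns(tid, maps[kind]) is None for tid, kind in targets):
        return False, "EINVAL: target id not mapped into the namespace"
    return True, "ok"

# Constructed scenario: pty owned by the unprivileged user (uid 1000) and group
# tty (gid 5); container root is host id 100000, as in the uid map logged above.
PTY = (1000, 5)
SLOPPY = parse_map(["u:0:100000:1", "u:1000:1000:1"])      # uid only, as before
FIXED = parse_map(["u:0:100000:1", "g:0:100000:1",          # root uid AND gid ...
                   "u:1000:1000:1", "g:5:5:1"])             # ... plus the pty's owner/group

def demo():
    return {
        "sloppy_old_kernel": chown_as_mapped_root(SLOPPY, PTY, 100000, strict=False),
        "sloppy_new_kernel": chown_as_mapped_root(SLOPPY, PTY, 100000),
        "fixed_new_kernel": chown_as_mapped_root(FIXED, PTY, 100000, 100000),
    }
```

`sloppy_new_kernel` is the reported failure: the pty's gid is not in the namespace's gid map, so the chown is refused with EPERM even though its uid is mapped.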