[Lxc-users] User Namespace Support in LXC

Fajar A. Nugraha list at fajar.net
Wed Nov 13 22:05:48 UTC 2013 

On Wed, Nov 13, 2013 at 11:23 PM, Serge Hallyn <serge.hallyn at ubuntu.com>wrote:

> Quoting Fajar A. Nugraha (list at fajar.net):
> > On Wed, Nov 13, 2013 at 5:11 PM, Daniel P. Berrange <berrange at redhat.com
> >wrote:
> >
> > > For a start I think you should update to the curent Fedora 19
> > > kernels which are version 3.11.6. Then I'd suggest taking thue
> > > Fedora kernel src.rpm and just setting the CONFIG_USER_NS var
> > > in its config file, rather than trying navigate the menus.
> > >
> > > We're not supporting user namespaces in Fedora until at least
> > > Fedora 21, since we don't consider the implementation sufficiently
> > > mature / secure to enable it sooner.
> > >
> > >
> > Is there an example somewhere on how to enable user namespace in lxc,
> > preferably using manual steps? e.g. which lxc configuration directive
> > enables it?
>
> For non-libvirt lxc, I've shown a few times a more manual way to do it
> on s3hh.wordpress.com, however, the pieces are there now so that you
> should be able to just add
>
>         lxc.id_map = u 0 100000 9999
>         lxc.id_map = g 0 100000 9999
>
> to a copy of /etc/lxc/lxc.conf, then do
>
>         lxc-create -t ubuntu-cloud -n u1 -f /copy/of/lxc.conf
>
> I've been focusing on unprivileged creation, and don't think I've
> yet pushed the fixes needed for root to be able to do that.   (which
> is complicated by newuidmap not letting root use arbitrary subuids)
>
>

Hmmm ... I got this on my system:
as normal user:
$ lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
You lack access to /var/lib/lxc

... and after editing permission on /var/lib/lxc, I get this
$ lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
lxc_container: No such file or directory - Failed executing usernsexec
lxc_container: Error chowning /var/lib/lxc/u1/rootfs to container root

lxc_container: Error creating backing store type (none) for u1
lxc_container: Error creating container u1

a "strace -f" shows it's looking for "lxc-usernsexec", which is not
available. Which package has that?



when testing as root (which, if I read your post correctly, is not possible
yet):
# lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
ubuntu-cloudimg-query is /usr/bin/ubuntu-cloudimg-query
wget is /usr/bin/wget
--2013-11-14 04:34:08--
https://cloud-images.ubuntu.com/server/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz
Resolving cloud-images.ubuntu.com (cloud-images.ubuntu.com)... 91.189.88.141
Connecting to cloud-images.ubuntu.com
(cloud-images.ubuntu.com)|91.189.88.141|:443...
connected.
HTTP request sent, awaiting response... 302 Found
Location:
https://cloud-images.ubuntu.com/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz[following]
--2013-11-14 04:34:10--
https://cloud-images.ubuntu.com/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz
Reusing existing connection to cloud-images.ubuntu.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 213508744 (204M) [application/x-gzip]
Saving to: ‘ubuntu-13.04-server-cloudimg-amd64-root.tar.gz’

100%[============================================================================================================>]
213,508,744  503KB/s   in 9m 27s

2013-11-14 04:43:37 (368 KB/s) -
‘ubuntu-13.04-server-cloudimg-amd64-root.tar.gz’ saved [213508744/213508744]

Extracting container rootfs
Container u1 created.

# lxc-start -n u1
lxc-start: Operation not permitted - failed to mount 'proc' on
'/usr/lib/x86_64-linux-gnu/lxc/proc'
lxc-start: failed to setup the mounts for 'u1'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'u1'



This is my /etc/lxc/user.conf:
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up

lxc.id_map = u 0 100000 9999
lxc.id_map = g 0 100000 9999


test system is ubuntu raring,
lxc 1.0.0~alpha2+master~20131112-2220-0ubuntu1~ppa1~raring1 from daily
ppa, linux-image-3.12.0-2-generic from trusty.

-- 
Fajar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20131114/c60e89a9/attachment.html>

More information about the lxc-users mailing list