[Lxc-users] User Namespace Support in LXC

Serge Hallyn serge.hallyn at ubuntu.com
Wed Nov 13 22:31:33 UTC 2013


Quoting Fajar A. Nugraha (list at fajar.net):
> On Wed, Nov 13, 2013 at 11:23 PM, Serge Hallyn <serge.hallyn at ubuntu.com>wrote:
> 
> > Quoting Fajar A. Nugraha (list at fajar.net):
> > > On Wed, Nov 13, 2013 at 5:11 PM, Daniel P. Berrange <berrange at redhat.com
> > >wrote:
> > >
> > > > For a start I think you should update to the current Fedora 19
> > > > kernels which are version 3.11.6. Then I'd suggest taking the
> > > > Fedora kernel src.rpm and just setting the CONFIG_USER_NS var
> > > > in its config file, rather than trying to navigate the menus.
> > > >
> > > > We're not supporting user namespaces in Fedora until at least
> > > > Fedora 21, since we don't consider the implementation sufficiently
> > > > mature / secure to enable it sooner.
> > > >
> > > >
> > > Is there an example somewhere on how to enable user namespace in lxc,
> > > preferably using manual steps? e.g. which lxc configuration directive
> > > enables it?
> >
> > For non-libvirt lxc, I've shown a few times a more manual way to do it
> > on s3hh.wordpress.com, however, the pieces are there now so that you
> > should be able to just add
> >
> >         lxc.id_map = u 0 100000 9999
> >         lxc.id_map = g 0 100000 9999
> >
> > to a copy of /etc/lxc/lxc.conf, then do
> >
> >         lxc-create -t ubuntu-cloud -n u1 -f /copy/of/lxc.conf
> >
> > I've been focusing on unprivileged creation, and don't think I've
> > yet pushed the fixes needed for root to be able to do that (which
> > is complicated by newuidmap not letting root use arbitrary subuids).
> >
> >
> 
> Hmmm ... I got this on my system:
> as normal user:
> $ lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
> You lack access to /var/lib/lxc
> 
> ... and after editing permission on /var/lib/lxc, I get this

Don't do that, rather use -P to use an lxcpath that you own.

> $ lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
> lxc_container: No such file or directory - Failed executing usernsexec
> lxc_container: Error chowning /var/lib/lxc/u1/rootfs to container root
> 
> lxc_container: Error creating backing store type (none) for u1
> lxc_container: Error creating container u1
> 
> a "strace -f" shows it's looking for "lxc-usernsexec", which is not
> available. Which package has that?

It should ship with lxc.  If you've hand-built lxc, then you need
to have newuidmap (from the uidmap package which comes from the
shadow source package) to build it.

Like I say I'll blog some more after I hit my next milestone, and
this will all go into the server guide and manpages.

> when testing as root (which, if I read your post correctly, is not possible
> yet):
> # lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
> ubuntu-cloudimg-query is /usr/bin/ubuntu-cloudimg-query
> wget is /usr/bin/wget
> --2013-11-14 04:34:08--
> https://cloud-images.ubuntu.com/server/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz
> Resolving cloud-images.ubuntu.com (cloud-images.ubuntu.com)... 91.189.88.141
> Connecting to cloud-images.ubuntu.com
> (cloud-images.ubuntu.com)|91.189.88.141|:443...
> connected.
> HTTP request sent, awaiting response... 302 Found
> Location:
> https://cloud-images.ubuntu.com/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz[following]
> --2013-11-14 04:34:10--
> https://cloud-images.ubuntu.com/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz
> Reusing existing connection to cloud-images.ubuntu.com:443.
> HTTP request sent, awaiting response... 200 OK
> Length: 213508744 (204M) [application/x-gzip]
> Saving to: ‘ubuntu-13.04-server-cloudimg-amd64-root.tar.gz’
> 
> 100%[============================================================================================================>]
> 213,508,744  503KB/s   in 9m 27s
> 
> 2013-11-14 04:43:37 (368 KB/s) -
> ‘ubuntu-13.04-server-cloudimg-amd64-root.tar.gz’ saved [213508744/213508744]
> 
> Extracting container rootfs
> Container u1 created.
> 
> # lxc-start -n u1
> lxc-start: Operation not permitted - failed to mount 'proc' on
> '/usr/lib/x86_64-linux-gnu/lxc/proc'
> lxc-start: failed to setup the mounts for 'u1'
> lxc-start: failed to setup the container
> lxc-start: invalid sequence number 1. expected 2
> lxc-start: failed to spawn 'u1'
> 
> 
> 
> This is my /etc/lxc/user.conf:
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> lxc.network.flags = up
> 
> lxc.id_map = u 0 100000 9999
> lxc.id_map = g 0 100000 9999
> 
> 
> test system is ubuntu raring,
> lxc 1.0.0~alpha2+master~20131112-2220-0ubuntu1~ppa1~raring1 from daily
> ppa, linux-image-3.12.0-2-generic from trusty.
> 
> -- 
> Fajar




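As an added example (not from the thread, and not LXC's own code), here is a small POSIX shell script that does the check a practitioner would want before trying the lxc.id_map configuration Serge describes above: newuidmap and newgidmap only honour host ranges that /etc/subuid and /etc/subgid allocate to the calling user, so an id_map outside that allocation fails when lxc-usernsexec tries to set the mapping. The script verifies a requested range against the allocation, then writes the same kind of config Fajar posted (veth on lxcbr0 plus the two id_map lines). The subuid content, the user names and the helper function names are constructed for the example; the 65536-sized allocations are the usual useradd default, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the lxc-users thread or from LXC itself.
# Checks that an lxc.id_map range lies inside the caller's /etc/subuid
# or /etc/subgid allocation (newuidmap/newgidmap refuse anything else)
# and emits the matching lxc config snippet.

# Constructed sample of /etc/subuid (or /etc/subgid) content: name:base:len
SAMPLE_SUBID='root:100000:65536
fajar:165536:65536
alice:231072:65536'

# range_allowed USER HOSTSTART COUNT SUBID_CONTENT
# Returns 0 if [HOSTSTART, HOSTSTART+COUNT) sits entirely inside one of
# USER's allocations in SUBID_CONTENT, 1 otherwise.
range_allowed() {
    r_user=$1; r_start=$2; r_count=$3; r_content=$4
    r_end=$((r_start + r_count))
    # The brace group runs in the pipeline's subshell, so its exit status
    # is the pipeline's status and therefore the function's return value.
    printf '%s\n' "$r_content" | {
        while IFS=: read -r name base len; do
            [ "$name" = "$r_user" ] || continue
            if [ "$r_start" -ge "$base" ] && [ "$r_end" -le $((base + len)) ]; then
                exit 0
            fi
        done
        exit 1
    }
}

# idmap_config HOSTSTART COUNT
# Prints the two lxc.id_map lines: container uids and gids 0..COUNT-1 are
# mapped onto host ids HOSTSTART..HOSTSTART+COUNT-1.
idmap_config() {
    printf 'lxc.id_map = u 0 %s %s\n' "$1" "$2"
    printf 'lxc.id_map = g 0 %s %s\n' "$1" "$2"
}

# make_user_conf USER HOSTSTART COUNT OUTFILE SUBUID_CONTENT SUBGID_CONTENT
# Refuses to write a config whose mapping newuidmap/newgidmap would reject;
# otherwise writes a veth-on-lxcbr0 config plus the id maps to OUTFILE.
make_user_conf() {
    m_user=$1; m_start=$2; m_count=$3; m_out=$4; m_subuid=$5; m_subgid=$6
    if ! range_allowed "$m_user" "$m_start" "$m_count" "$m_subuid"; then
        echo "uid range $m_start+$m_count is not allocated to $m_user in subuid" >&2
        return 1
    fi
    if ! range_allowed "$m_user" "$m_start" "$m_count" "$m_subgid"; then
        echo "gid range $m_start+$m_count is not allocated to $m_user in subgid" >&2
        return 1
    fi
    {
        printf 'lxc.network.type = veth\n'
        printf 'lxc.network.link = lxcbr0\n'
        printf 'lxc.network.flags = up\n\n'
        idmap_config "$m_start" "$m_count"
    } > "$m_out"
}

# Stand-alone demo against the constructed sample (no lxc needed):
# fajar's allocation starts at 165536, so 100000 (the thread's value) is
# refused for him and a range inside his own allocation is accepted.
if range_allowed fajar 100000 9999 "$SAMPLE_SUBID"; then
    echo "unexpected: 100000 is root's range, not fajar's" >&2
fi
if range_allowed fajar 165536 10000 "$SAMPLE_SUBID"; then
    idmap_config 165536 10000
fi

# On a real host (not run here), generate the config from the live files and
# create the container under an lxcpath you own, as Serge suggests, instead
# of loosening permissions on /var/lib/lxc:
#   make_user_conf "$USER" 165536 10000 "$HOME/lxc-user.conf" \
#       "$(cat /etc/subuid)" "$(cat /etc/subgid)" &&
#   lxc-create -P "$HOME/.local/share/lxc" -t ubuntu-cloud -n u1 \
#       -f "$HOME/lxc-user.conf"
```

The check is deliberately strict about containment: a range that merely overlaps the allocation (for example one that starts inside it but runs past its end) is rejected, which matches what newuidmap does rather than what the kernel alone would accept.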