[lxc-users] Do nested containers require that unprivileged container creation be supported?
Michael H. Warfield
mhw at WittsEnd.com
Sat Apr 5 23:03:37 UTC 2014
On Sun, 2014-04-06 at 01:40 +0300, Rami Rosen wrote:
> Hi,
> First, thanks Michael, for drawing my attention to it. I knew that
> Fedora 21 is going to enable user namespaces.
> Still, I wanted to reiterate my point: with my Fedora 20, where I ran
> update a while ago, user namespaces were not available, according to
> lxc-checkconfig, and still nesting with a busybox container did work.
So lxc-checkconfig indicated that it was NOT available? That's weird.
Hydra (my server) was a Fedora 19 system until I recently did an upgrade
using the "yum update" method...
http://fedoraproject.org/wiki/Upgrading_Fedora_using_yum
It's now a Fedora 20 server and I have NOT installed a custom kernel on
it. So, I'm on a stock Fedora Project kernel on Fedora 20 and it is
enabled. I haven't tried any of the "nested containers" or a busybox
container, though.
Could you post the "uname -a" of your system in question?
> Btw, I heard that in the first release of RHEL 7, user namespaces will
> be enabled in kernel, for ABI compatibility, but using them will be
> disabled in userspace, because of security concerns. Only in later
> updates it will be enabled. I hope that this scheme is not used with
> Fedora 20.
>
> Regards,
> Rami Rosen
>
>
> On 5 Apr 2014 23:15, "Michael H. Warfield" <mhw at wittsend.com> wrote:
> On Sat, 2014-04-05 at 22:37 +0300, Rami Rosen wrote:
> > Hi, Nels,
> >
> > Regarding your question, as it appeared in the subject of your post:
> > "Do nested containers require that unprivileged container creation be
> > supported?"
>
> > Fedora 20 does not support user namespaces, as lxc-checkconfig shows;
> > so it does not support unprivileged containers. However, I had created
> > (with lxc-create) an LXC fedora container under Fedora 20. From within
> > that container I created a nested LXC busybox container, and I could
> > start that nested container successfully.
>
> Time out! Breaking news... Fedora 20 originally did not support user
> namespaces on initial install. Run yum update and reboot... Then...
>
> [root at hydra mhw]# cat /etc/redhat-release
> Fedora release 20 (Heisenbug)
> [root at hydra mhw]# uname -a
> Linux hydra.wittsend.com 3.13.7-200.fc20.x86_64 #1 SMP Mon Mar 24 22:01:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at hydra mhw]# lxc-checkconfig
> Kernel configuration not found at /proc/config.gz; searching...
> Kernel configuration found at /boot/config-3.13.7-200.fc20.x86_64
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> User namespace: enabled
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
>
> Looks to be enabled to me.
>
> > Best regards,
> > Rami Rosen
> > http://ramirose.wix.com/ramirosen
>
> Always check on the latest update. Things do change in the Fedora
> sphere.
>
> Regards,
> Mike
>
> > On Fri, Apr 4, 2014 at 8:02 PM, Nels Nelson <nels.n.nelson at gmail.com> wrote:
> > > Hi, I'm trying to create a container nested within another. I'm sure I'm
> > > probably going about it incorrectly. Here's what I have so far:
> > >
> > > https://gist.github.com/nelsnelson/9978457
> > >
> > > The error I encounter seems to be
> > >
> > > lxc-create: No such file or directory - failed to create container path
> > > for inner
> > > lxc-create: Error creating container inner
> > >
> > > Is this because the privileges in the outer container are not sufficient?
> > >
> > > Thanks,
> > > -Nels
>
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
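The thread turns on what lxc-checkconfig's "User namespace:" line is actually reporting, and on the gap between a kernel built with user namespaces and a distro that lets you use them. The script below is an added example, not code from the thread or from the LXC project; the function names and the constructed sample config files are my own. It reproduces the kernel-config lookup the way lxc-checkconfig does it and adds a runtime probe for the "enabled in the kernel, disabled in userspace" case the thread mentions for RHEL 7.

```shell
#!/bin/sh
# Added example (not from the thread): the "User namespace" decision of
# lxc-checkconfig redone as portable sh, usable against any kernel config file.

# kconfig_value FILE SYMBOL: print y, m, n (for "# SYMBOL is not set") or
# nothing when the symbol is absent. Gzipped configs are read with zcat.
kconfig_value() {
    case "$1" in *.gz) reader=zcat ;; *) reader=cat ;; esac
    "$reader" "$1" 2>/dev/null | awk -v s="$2" '
        index($0, s "=") == 1          { print substr($0, length(s) + 2); f = 1; exit }
        $0 == ("# " s " is not set")   { print "n"; f = 1; exit }
        END                            { if (!f) print "" }'
}

# userns_status FILE: print enabled / disabled / missing, mirroring the
# "User namespace:" line of lxc-checkconfig. Returns 0 only when enabled.
userns_status() {
    case "$(kconfig_value "$1" CONFIG_USER_NS)" in
        y) echo enabled;  return 0 ;;
        n) echo disabled; return 1 ;;
        *) echo missing;  return 1 ;;
    esac
}

# find_kernel_config: same search order as lxc-checkconfig.
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# userns_usable: CONFIG_USER_NS=y is necessary, not sufficient. A distro can
# still refuse user namespaces at runtime (the RHEL 7 scheme mentioned in the
# thread), so also try to create one as an unprivileged user.
userns_usable() {
    command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null
}

# make_sample_config PATH y|n: write a constructed, minimal kernel config.
make_sample_config() {
    { echo CONFIG_NAMESPACES=y; echo CONFIG_PID_NS=y
      if [ "$2" = y ]; then echo CONFIG_USER_NS=y
      else echo "# CONFIG_USER_NS is not set"; fi; } > "$1"
}

if cfg=$(find_kernel_config); then
    echo "$cfg: user namespace $(userns_status "$cfg")"
fi
```

Run `userns_usable && echo usable` after sourcing the script: a kernel whose config says enabled but whose `unshare -U` fails is exactly the situation where lxc-checkconfig looks fine and unprivileged nesting still does not work.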