[lxc-users] "No mapping for container root" error when non root creates a container (was: Re: Creating a container as non root)

Kevin Wilson wkevils at gmail.com
Sun Feb 2 12:24:42 UTC 2014


Hi,
May I ask: which Ubuntu are you using when you create and run ubuntu-cloud
images without being root?
I tried with the latest LXC git in Ubuntu 13.04.

I first ran: adduser test
and then
su test
and I ran:
lxc-create -t ubuntu-cloud -n myCloud

And I get:

lxc_container: No mapping for container root
lxc_container: Error chowning /home/test/.local/share/lxc/myCloud/rootfs to container root

lxc_container: Error creating backing store type (none) for myCloud
lxc_container: Error creating container myCloud

Should I install anything else?

Regards,
Kevin

On Thu, Jan 9, 2014 at 6:11 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Sounds good.  It might be worthwhile having a 'lxc-setup-images' command
> which requires root and builds the base images.  Then unprivileged users
> could untar/unsquash those images.
>
> To be clear, I absolutely *can* create and run ubuntu-cloud images
> without being root.
>
> -serge
>
> Quoting Cal Leeming [Simplicity Media Ltd] (cal.leeming at simplicitymedialtd.co.uk):
>> It's also worth mentioning that fakeroot/fakechroot have some nasty issues
>> with debootstrap;
>> https://bugs.launchpad.net/ubuntu/+source/fakechroot/+bug/1265857
>>
>> One theory I'm exploring is building "base images" on a machine that does
>> have root, by running debootstrap on every flavor/arch then using
>> mksquashfs to compress it down into an image. You could then use unsquashfs
>> to force whatever uid/gid you wanted, then fakechroot/fakeroot to make
>> whatever changes you need to the container before launching. The downside
>> is that there is no public mirror that offers this at the moment (other
>> than the latest 13.x ubuntu, which contains a filesystem.squashfs you can
>> extract, but it's 700mb). You could create your own set of base images,
>> then wrap scripts around them to create the templates, but this is
>> absolutely not going to work out of the box, there is a lot of tedious work
>> involved.
>>
>> I'm planning on doing a better write up about this (as it's something I'm
>> actively working on), will update this thread at a later date.
>>
>> Hope this helps a bit
>>
>> Cal
>>
>>
>>
>>
>> On Thu, Jan 9, 2014 at 3:39 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
>>
>> > On Thu, 2014-01-09 at 08:08 +0200, Kevin Wilson wrote:
>> > > Hello,
>> > > I believe that creating a container as non root user should be
>> > > straight-forward.
>> >
>> > Sigh...  I'm afraid not...
>> >
>> > Funny, Serge and I just had a couple of comments in exchange about this
>> > very thing with regards to templates.  He's been working on getting
>> > containers to run under unprivileged users and I know the Fedora and
>> > CentOS templates will not even run under a non-user (they check).  His
>> > remark was that most templates will not and can not, including the
>> > Ubuntu template.  Problem with the Ubuntu template (and, presumably the
>> > Debian template) is the use of debboot which, in turn, uses mknod to
>> > create devices for the container - and you're then toast.
>> >
>> > The problem there is that there are going to be privileged operations
>> > (chown, mknod, etc) that are simply going to require privileges in the
>> > host which are not available to the non-priv user.
>> >
>> > I'm not so sure about the busybox template but I wouldn't be optimistic.
>> > It does look like it checks to see if it's in a user namespace and uses
>> > mknod if not and does something else if it is.  So, it looks like it
>> > SHOULD work.  But you have to have user namespaces set up to work.
>> >
>> > Once a container is created, it should be possible to run it under a
>> > non-priv user if you have a recent enough kernel along with the latest
>> > lxc tools.  But it seems likely we could ever navigate the morass of
>> > creating a template using lxc-create as a non-priv user.
>> >
>> > > I added a user named "test" and I am trying to create a container (see
>> > > below the sequence). I am running latest lxc git
>> > > (built from source, as root)  on Fedora 20.
>> >
>> > > useradd test
>> > > su test
>> > >
>> > > lxc-create -t busybox -n busyboxTest
>> > > I get:
>> > >
>> > > You lack access to /home/test/.local/share/lxc/
>> > > I ran;
>> > > mkdir -p /home/test/.local/share/lxc/
>> > >
>> > > Then again:
>> > > lxc-create -t busybox -n busyboxTest
>> > > lxc-create: Permission denied - failed to create directory '/run/user/0/lock/'
>> > >
>> > > failed to create lock
>> > > System error loading container
>> > >
>> > > What should I do ?
>> > >
>> > > Regards,
>> > > Kevin
>> >
>> > Regards,
>> > Mike
>> > --
>> > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>> >    NIC whois: MHW9          | An optimist believes we live in the best of all
>> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>> >
>> >
>> > _______________________________________________
>> > lxc-users mailing list
>> > lxc-users at lists.linuxcontainers.org
>> > http://lists.linuxcontainers.org/listinfo/lxc-users
>> >
>
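
Added example, not part of the original thread: a shell check for the condition behind "No mapping for container root", on the assumption that the error means the configuration lxc-create loaded has no id map covering the container's uid 0. It assumes the `lxc.id_map = <u|g> <container-start> <host-start> <count>` syntax of LXC 1.x (spelled `lxc.idmap` in later releases) and the `name:start:count` format of /etc/subuid and /etc/subgid; the function names and sample files are constructed for illustration.

```shell
# Added example; function names and sample data are constructed.
# in_subid FILE USER HOSTSTART COUNT
# Succeeds if a "USER:start:count" line in FILE (subuid/subgid format)
# fully contains the host range [HOSTSTART, HOSTSTART+COUNT).
in_subid() {
    awk -F: -v u="$2" -v s="$3" -v c="$4" '
        $1 == u && s + 0 >= $2 + 0 && s + c <= $2 + $3 { ok = 1 }
        END { exit !ok }' "$1"
}

# root_map CONF TYPE
# Prints "hoststart count" of the id map of TYPE (u or g) whose
# container-side start is 0; fails if CONF has no such line.
root_map() {
    awk -v t="$2" '
        /^[ \t]*lxc\.id_?map[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            if (split($0, f, /[ \t]+/) >= 4 && f[1] == t && f[2] == "0") {
                print f[3], f[4]; ok = 1; exit
            }
        }
        END { exit !ok }' "$1"
}

# diagnose USER SUBUID SUBGID CONF
# Returns 0 only if container root is mapped for uids and gids and both
# maps lie inside the ranges delegated to USER.
diagnose() {
    rc=0
    for pair in "u:$2" "g:$3"; do
        t=${pair%%:*}; file=${pair#*:}
        if ! m=$(root_map "$4" "$t"); then
            echo "no '$t' map for container root in $4"; rc=1
        elif ! in_subid "$file" "$1" ${m% *} ${m#* }; then
            echo "'$t' map ($m) is outside $1's range in $file"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files: a delegated range for user "test", one config
# with id maps and one without.
demo=$(mktemp -d)
printf 'test:100000:65536\n' | tee "$demo/subuid" > "$demo/subgid"
printf 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n' > "$demo/mapped.conf"
printf '# no id map\n' > "$demo/unmapped.conf"
diagnose test "$demo/subuid" "$demo/subgid" "$demo/mapped.conf" && echo "mapped.conf: ok"
diagnose test "$demo/subuid" "$demo/subgid" "$demo/unmapped.conf" || echo "unmapped.conf: not usable"
```

On a real host the arguments would be /etc/subuid, /etc/subgid and the user's ~/.config/lxc/default.conf.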

