[lxc-users] Unprivileged containers do not auto-start

Robert Pendell shinji at elite-systems.org
Thu May 8 16:48:19 UTC 2014 

On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Robert Pendell (shinji at elite-systems.org):
>> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> > Quoting Robert Pendell (shinji at elite-systems.org):
>> >> OS: Ubuntu 14.04 LTS x86_64
>> >> Kernel: Host-Supplied 3.14.1
>> >> Provider: Linode
>> >> Host Virtualization: Xen Paravirtualized
>> >> LXC Version: 1.0.3-0ubuntu3
>> >>
>> >> On a fresh boot unprivileged containers are not starting automatically
>> >> even though they have lxc.start.auto enabled.  lxc-ls as the user
>> >> confirms autostart is enabled as well.
>> >>
>> >> Is this a bug or intended or am I just missing something really
>> >> obvious in my configuration?
>> >
>> > By default only containers in /var/lib/lxc are autostarted.  You
>> > could edit /etc/lxc/lxc.conf to change that.  If you're ok with
>> > them only starting on login you might also be able to use a user
>> > upstart session job, but I suspect tying the containers so closely
>> > to your login session won't be what you want.
>> >
>>
>> That would be an accurate assumption.  At this point if I need to I
>> can login and start the container manually.  I checked lxc.conf and
>> I'm not sure how to set it up the way you suggest.  This system may
>> end up being home to multiple containers that are mixed between
>> locations.
>>
>> P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
>
> It doesn't list containers under your home dir.  However if you create
> a root-owned  unprivileged root-owned container, lxc-autostart will list
> it:
>
> cat > lxc.conf << EOF
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> lxc.id_map = u 0 100000 100000
> lxc.id_map = g 0 100000 100000
> lxc.aa_profile = lxc-container-default-with-nesting
> lxc.start.auto = 1
> lxc.mount.auto = cgroup
> EOF
> sudo lxc-create -t download -n listme1 -f lxc.conf
>
> After this,
>         sudo lxc-autostart -L
> should show
>         listme1 0
>


Ok.  So I got a chance to give this a shot but unfortunately I'm being
denied the ability to actually change uid.  Should I need to add root
to /etc/subuid and /etc/subgid in order to accomplish this?  I left
the AA profile define out because it won't apply in my case since
apparmor is disabled at kernel level.

Error:
newuidmap: uid range [0-65536) -> [100000-165536) not allowed
error mapping child
setgid: Invalid argument
lxc_container: container creation template for gateone failed
lxc_container: Error creating container gateone

I tried to add it manually after the fact and it refuses to boot
giving the same error as what I got before.  Finally I went back and
add root to subuid and subgid and it seemed to work fine at that point
however it still won't start.  Here is the result of an info check.
Just so you know I gave root 65536 ids starting at 800000 for the
unprivileged containers.  For some reason though it fails at a
permission denied error for /var/lib/lxc.  It is obviously just a
permission error but I don't know if it would be safe to add x for
others.

root at icarus:/root# cat info.log
      lxc-start 1399566440.761 INFO     lxc_start_ui - using rcfile
/var/lib/lxc/test/config
      lxc-start 1399566440.761 INFO     lxc_confile - read uid map:
type u nsid 0 hostid 800000 range 65536
      lxc-start 1399566440.761 INFO     lxc_confile - read uid map:
type g nsid 0 hostid 800000 range 65536
      lxc-start 1399566440.761 WARN     lxc_log - lxc_log_init called
with log already initialized
      lxc-start 1399566440.772 INFO     lxc_lsm - LSM security driver nop
      lxc-start 1399566440.774 INFO     lxc_conf - tty's configured
      lxc-start 1399566440.774 INFO     lxc_start - 'test' is initialized
      lxc-start 1399566440.780 INFO     lxc_monitor - using monitor
sock name lxc/ad055575fe28ddd5//var/lib/lxc
      lxc-start 1399566440.792 INFO     lxc_start - Cloning a new user namespace
      lxc-start 1399566440.798 INFO     lxc_cgroup - cgroup driver
cgmanager initing for test
      lxc-start 1399566440.994 NOTICE   lxc_start - switching to
gid/uid 0 in new user namespace
      lxc-start 1399566440.994 ERROR    lxc_start - Permission denied
- could not access /var/lib/lxc.  Please grant it 'x' access, or add
an ACL for the container root.
      lxc-start 1399566440.995 ERROR    lxc_sync - invalid sequence
number 1. expected 2
      lxc-start 1399566440.995 WARN     lxc_conf - failed to remove
interface '(null)'
      lxc-start 1399566441.039 ERROR    lxc_start - failed to spawn 'test'
      lxc-start 1399566441.039 ERROR    lxc_commands - command
get_cgroup failed to receive response

root at icarus:~# ls -ld /var/lib/lxc
drwx------ 4 root root 4096 May  8 16:24 /var/lib/lxc

Config:
# Distribution configuration
lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/centos.userns.conf
lxc.arch = x86

# Container specific configuration
lxc.mount.auto = cgroup:mixed
lxc.id_map = u 0 800000 65536
lxc.id_map = g 0 800000 65536
lxc.rootfs = /var/lib/lxc/test/rootfs
lxc.utsname = test

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0

More information about the lxc-users mailing list