[lxc-users] Unprivileged containers do not auto-start

Robert Pendell shinji at elite-systems.org
Thu May 8 17:27:45 UTC 2014


On Thu, May 8, 2014 at 12:48 PM, Robert Pendell
<shinji at elite-systems.org> wrote:
> On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> Quoting Robert Pendell (shinji at elite-systems.org):
>>> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>>> > Quoting Robert Pendell (shinji at elite-systems.org):
>>> >> OS: Ubuntu 14.04 LTS x86_64
>>> >> Kernel: Host-Supplied 3.14.1
>>> >> Provider: Linode
>>> >> Host Virtualization: Xen Paravirtualized
>>> >> LXC Version: 1.0.3-0ubuntu3
>>> >>
>>> >> On a fresh boot unprivileged containers are not starting automatically
>>> >> even though they have lxc.start.auto enabled.  lxc-ls as the user
>>> >> confirms autostart is enabled as well.
>>> >>
>>> >> Is this a bug or intended or am I just missing something really
>>> >> obvious in my configuration?
>>> >
>>> > By default only containers in /var/lib/lxc are autostarted.  You
>>> > could edit /etc/lxc/lxc.conf to change that.  If you're ok with
>>> > them only starting on login you might also be able to use a user
>>> > upstart session job, but I suspect tying the containers so closely
>>> > to your login session won't be what you want.
>>> >
>>>
>>> That would be an accurate assumption.  At this point if I need to I
>>> can login and start the container manually.  I checked lxc.conf and
>>> I'm not sure how to set it up the way you suggest.  This system may
>>> end up being home to multiple containers that are mixed between
>>> locations.
>>>
>>> P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
>>
>> It doesn't list containers under your home dir.  However if you create
>> a root-owned unprivileged container, lxc-autostart will list it:
>>
>> cat > lxc.conf << EOF
>> lxc.network.type = veth
>> lxc.network.link = lxcbr0
>> lxc.id_map = u 0 100000 100000
>> lxc.id_map = g 0 100000 100000
>> lxc.aa_profile = lxc-container-default-with-nesting
>> lxc.start.auto = 1
>> lxc.mount.auto = cgroup
>> EOF
>> sudo lxc-create -t download -n listme1 -f lxc.conf
>>
>> After this,
>>         sudo lxc-autostart -L
>> should show
>>         listme1 0
>>
>
>
> Ok.  So I got a chance to give this a shot but unfortunately I'm being
> denied the ability to actually change uid.  Should I need to add root
> to /etc/subuid and /etc/subgid in order to accomplish this?  I left
> the AA profile definition out because it won't apply in my case since
> apparmor is disabled at kernel level.
>
> Error:
> newuidmap: uid range [0-65536) -> [100000-165536) not allowed
> error mapping child
> setgid: Invalid argument
> lxc_container: container creation template for gateone failed
> lxc_container: Error creating container gateone
>
> I tried to add it manually after the fact and it refuses to boot,
> giving the same error as what I got before.  Finally I went back and
> added root to subuid and subgid and it seemed to work fine at that
> point; however, it still won't start.  Here is the result of an info
> check.  Just so you know, I gave root 65536 ids starting at 800000 for
> the unprivileged containers.  For some reason though it fails at a
> permission denied error for /var/lib/lxc.  It is obviously just a
> permission error but I don't know if it would be safe to add x for
> others.
>

Right after posting I thought I'd give it a shot, so I added 'x' for
others so that it shows as rwx for root and just x for others, and that
worked beautifully, allowing the containers to boot.  Checking with ps
axfO euser on the host confirms that processes within the container
are running "unprivileged".

However, if there are any concerns that I should be aware of then
please tell me so that I might be able to try to address them in the
future.  I have my own devils to contend with since I lack apparmor
support, but I think it should be safe "enough" for my purposes if I
keep public services running in unprivileged containers.
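The newuidmap error quoted earlier in the thread is the kernel-side delegation check failing: the host range named in lxc.id_map must lie entirely inside a range that /etc/subuid and /etc/subgid delegate to the user running the container. The script below is an added example (not code from the thread or from LXC) that performs that containment check against a container config before lxc-start does; the subuid/subgid contents and the two configs are constructed here, using the 800000/65536 range the poster gave root.

```sh
# Constructed stand-ins for /etc/subuid and /etc/subgid (assumed, not the
# poster's real files): root was delegated 65536 ids from 800000 as in the thread.
SUBUID=$(mktemp); SUBGID=$(mktemp)
printf 'root:800000:65536\nshinji:100000:65536\n' > "$SUBUID"
printf 'root:800000:65536\nshinji:100000:65536\n' > "$SUBGID"

# range_allowed FILE USER START COUNT
# Succeeds only if [START, START+COUNT) lies inside one of USER's entries in
# FILE, the same containment rule newuidmap/newgidmap apply before mapping.
range_allowed() {
    awk -F: -v user="$2" -v start="$3" -v count="$4" '
        $1 == user && start >= $2 && start + count <= $2 + $3 { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# check_idmaps CONF USER
# Checks every lxc.id_map line of CONF against the ranges delegated to USER,
# prints a verdict per mapping and returns 1 if any mapping would be rejected.
check_idmaps() {
    conf=$1; user=$2; rc=0
    while read -r kind cid hid cnt; do
        [ -n "$kind" ] || continue
        case $kind in
            u) file=$SUBUID ;;
            g) file=$SUBGID ;;
            *) echo "FAIL unknown id_map type '$kind'"; rc=1; continue ;;
        esac
        if range_allowed "$file" "$user" "$hid" "$cnt"; then
            echo "ok   $kind: container $cid -> host [$hid-$((hid + cnt))) delegated to $user"
        else
            echo "FAIL $kind: host range [$hid-$((hid + cnt))) not delegated to $user"
            rc=1
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*lxc\.id_map[[:space:]]*=[[:space:]]*//p' "$conf")
EOF
    return $rc
}

# Demo: the mapping from the example lxc.conf versus the range root actually owns.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
printf 'lxc.id_map = u 0 100000 100000\nlxc.id_map = g 0 100000 100000\n' > "$BAD_CONF"
printf 'lxc.id_map = u 0 800000 65536\nlxc.id_map = g 0 800000 65536\n' > "$GOOD_CONF"
check_idmaps "$BAD_CONF" root || echo "-> rejected, matching the newuidmap error above"
check_idmaps "$GOOD_CONF" root && echo "-> accepted"
```

Run it as the user whose containers you are checking, pointing SUBUID/SUBGID at the real /etc/subuid and /etc/subgid; a FAIL line means lxc-start would die with the same "uid range ... not allowed" message before any container process runs.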

