[lxc-users] Unprivileged containers do not auto-start

Serge Hallyn serge.hallyn at ubuntu.com
Fri May 9 03:31:31 UTC 2014 

Quoting Robert Pendell (shinji at elite-systems.org):
> On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting Robert Pendell (shinji at elite-systems.org):
> >> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> > Quoting Robert Pendell (shinji at elite-systems.org):
> >> >> OS: Ubuntu 14.04 LTS x86_64
> >> >> Kernel: Host-Supplied 3.14.1
> >> >> Provider: Linode
> >> >> Host Virtualization: Xen Paravirtualized
> >> >> LXC Version: 1.0.3-0ubuntu3
> >> >>
> >> >> On a fresh boot unprivileged containers are not starting automatically
> >> >> even though they have lxc.start.auto enabled.  lxc-ls as the user
> >> >> confirms autostart is enabled as well.
> >> >>
> >> >> Is this a bug or intended or am I just missing something really
> >> >> obvious in my configuration?
> >> >
> >> > By default only containers in /var/lib/lxc are autostarted.  You
> >> > could edit /etc/lxc/lxc.conf to change that.  If you're ok with
> >> > them only starting on login you might also be able to use a user
> >> > upstart session job, but I suspect tying the containers so closely
> >> > to your login session won't be what you want.
> >> >
> >>
> >> That would be an accurate assumption.  At this point if I need to I
> >> can login and start the container manually.  I checked lxc.conf and
> >> I'm not sure how to set it up the way you suggest.  This system may
> >> end up being home to multiple containers that are mixed between
> >> locations.
> >>
> >> P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
> >
> > It doesn't list containers under your home dir.  However if you create
> > a root-owned  unprivileged root-owned container, lxc-autostart will list
> > it:
> >
> > cat > lxc.conf << EOF
> > lxc.network.type = veth
> > lxc.network.link = lxcbr0
> > lxc.id_map = u 0 100000 100000
> > lxc.id_map = g 0 100000 100000
> > lxc.aa_profile = lxc-container-default-with-nesting
> > lxc.start.auto = 1
> > lxc.mount.auto = cgroup
> > EOF
> > sudo lxc-create -t download -n listme1 -f lxc.conf
> >
> > After this,
> >         sudo lxc-autostart -L
> > should show
> >         listme1 0
> >
> 
> 
> Ok.  So I got a chance to give this a shot but unfortunately I'm being
> denied the ability to actually change uid.  Should I need to add root
> to /etc/subuid and /etc/subgid in order to accomplish this?  I left

Yup, unfortuntaly you do.  I've previously proposed a patch to shadow
to not require that, but that turned out to be controlversial.

> the AA profile define out because it won't apply in my case since
> apparmor is disabled at kernel level.
> 
> Error:
> newuidmap: uid range [0-65536) -> [100000-165536) not allowed
> error mapping child
> setgid: Invalid argument
> lxc_container: container creation template for gateone failed
> lxc_container: Error creating container gateone
> 
> I tried to add it manually after the fact and it refuses to boot
> giving the same error as what I got before.  Finally I went back and
> add root to subuid and subgid and it seemed to work fine at that point
> however it still won't start.  Here is the result of an info check.
> Just so you know I gave root 65536 ids starting at 800000 for the
> unprivileged containers.  For some reason though it fails at a
> permission denied error for /var/lib/lxc.  It is obviously just a
> permission error but I don't know if it would be safe to add x for
> others.
> 
> root at icarus:/root# cat info.log
>       lxc-start 1399566440.761 INFO     lxc_start_ui - using rcfile
> /var/lib/lxc/test/config
>       lxc-start 1399566440.761 INFO     lxc_confile - read uid map:
> type u nsid 0 hostid 800000 range 65536
>       lxc-start 1399566440.761 INFO     lxc_confile - read uid map:
> type g nsid 0 hostid 800000 range 65536
>       lxc-start 1399566440.761 WARN     lxc_log - lxc_log_init called
> with log already initialized
>       lxc-start 1399566440.772 INFO     lxc_lsm - LSM security driver nop
>       lxc-start 1399566440.774 INFO     lxc_conf - tty's configured
>       lxc-start 1399566440.774 INFO     lxc_start - 'test' is initialized
>       lxc-start 1399566440.780 INFO     lxc_monitor - using monitor
> sock name lxc/ad055575fe28ddd5//var/lib/lxc
>       lxc-start 1399566440.792 INFO     lxc_start - Cloning a new user namespace
>       lxc-start 1399566440.798 INFO     lxc_cgroup - cgroup driver
> cgmanager initing for test
>       lxc-start 1399566440.994 NOTICE   lxc_start - switching to
> gid/uid 0 in new user namespace
>       lxc-start 1399566440.994 ERROR    lxc_start - Permission denied
> - could not access /var/lib/lxc.  Please grant it 'x' access, or add
> an ACL for the container root.

Hm.  This is unfortunate, but please go ahead and
	sudo chmod o+x /var/lib/lxc

>       lxc-start 1399566440.995 ERROR    lxc_sync - invalid sequence
> number 1. expected 2
>       lxc-start 1399566440.995 WARN     lxc_conf - failed to remove
> interface '(null)'
>       lxc-start 1399566441.039 ERROR    lxc_start - failed to spawn 'test'
>       lxc-start 1399566441.039 ERROR    lxc_commands - command
> get_cgroup failed to receive response
> 
> root at icarus:~# ls -ld /var/lib/lxc
> drwx------ 4 root root 4096 May  8 16:24 /var/lib/lxc
> 
> Config:
> # Distribution configuration
> lxc.include = /usr/share/lxc/config/centos.common.conf
> lxc.include = /usr/share/lxc/config/centos.userns.conf
> lxc.arch = x86
> 
> # Container specific configuration
> lxc.mount.auto = cgroup:mixed
> lxc.id_map = u 0 800000 65536
> lxc.id_map = g 0 800000 65536
> lxc.rootfs = /var/lib/lxc/test/rootfs
> lxc.utsname = test
> 
> # Network configuration
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

More information about the lxc-users mailing list