[lxc-users] Unprivileged containers do not auto-start
Serge Hallyn
serge.hallyn at ubuntu.com
Fri May 9 03:31:31 UTC 2014
Quoting Robert Pendell (shinji at elite-systems.org):
> On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting Robert Pendell (shinji at elite-systems.org):
> >> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> > Quoting Robert Pendell (shinji at elite-systems.org):
> >> >> OS: Ubuntu 14.04 LTS x86_64
> >> >> Kernel: Host-Supplied 3.14.1
> >> >> Provider: Linode
> >> >> Host Virtualization: Xen Paravirtualized
> >> >> LXC Version: 1.0.3-0ubuntu3
> >> >>
> >> >> On a fresh boot unprivileged containers are not starting automatically
> >> >> even though they have lxc.start.auto enabled. lxc-ls as the user
> >> >> confirms autostart is enabled as well.
> >> >>
> >> >> Is this a bug or intended or am I just missing something really
> >> >> obvious in my configuration?
> >> >
> >> > By default only containers in /var/lib/lxc are autostarted. You
> >> > could edit /etc/lxc/lxc.conf to change that. If you're ok with
> >> > them only starting on login you might also be able to use a user
> >> > upstart session job, but I suspect tying the containers so closely
> >> > to your login session won't be what you want.
> >> >
> >>
> >> That would be an accurate assumption. At this point if I need to I
> >> can login and start the container manually. I checked lxc.conf and
> >> I'm not sure how to set it up the way you suggest. This system may
> >> end up being home to multiple containers that are mixed between
> >> locations.
> >>
> >> P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
> >
> > It doesn't list containers under your home dir. However if you create
> > a root-owned unprivileged container, lxc-autostart will list it:
> >
> > cat > lxc.conf << EOF
> > lxc.network.type = veth
> > lxc.network.link = lxcbr0
> > lxc.id_map = u 0 100000 100000
> > lxc.id_map = g 0 100000 100000
> > lxc.aa_profile = lxc-container-default-with-nesting
> > lxc.start.auto = 1
> > lxc.mount.auto = cgroup
> > EOF
> > sudo lxc-create -t download -n listme1 -f lxc.conf
> >
> > After this,
> > sudo lxc-autostart -L
> > should show
> > listme1 0
> >
>
>
> Ok. So I got a chance to give this a shot but unfortunately I'm being
> denied the ability to actually change uid. Should I need to add root
> to /etc/subuid and /etc/subgid in order to accomplish this? I left
Yup, unfortunately you do. I've previously proposed a patch to shadow
to not require that, but that turned out to be controversial.
> the AA profile define out because it won't apply in my case since
> apparmor is disabled at kernel level.
>
> Error:
> newuidmap: uid range [0-65536) -> [100000-165536) not allowed
> error mapping child
> setgid: Invalid argument
> lxc_container: container creation template for gateone failed
> lxc_container: Error creating container gateone
>
> I tried to add it manually after the fact and it refuses to boot
> giving the same error as what I got before. Finally I went back and
> add root to subuid and subgid and it seemed to work fine at that point
> however it still won't start. Here is the result of an info check.
> Just so you know I gave root 65536 ids starting at 800000 for the
> unprivileged containers. For some reason though it fails at a
> permission denied error for /var/lib/lxc. It is obviously just a
> permission error but I don't know if it would be safe to add x for
> others.
>
> root at icarus:/root# cat info.log
> lxc-start 1399566440.761 INFO lxc_start_ui - using rcfile
> /var/lib/lxc/test/config
> lxc-start 1399566440.761 INFO lxc_confile - read uid map:
> type u nsid 0 hostid 800000 range 65536
> lxc-start 1399566440.761 INFO lxc_confile - read uid map:
> type g nsid 0 hostid 800000 range 65536
> lxc-start 1399566440.761 WARN lxc_log - lxc_log_init called
> with log already initialized
> lxc-start 1399566440.772 INFO lxc_lsm - LSM security driver nop
> lxc-start 1399566440.774 INFO lxc_conf - tty's configured
> lxc-start 1399566440.774 INFO lxc_start - 'test' is initialized
> lxc-start 1399566440.780 INFO lxc_monitor - using monitor
> sock name lxc/ad055575fe28ddd5//var/lib/lxc
> lxc-start 1399566440.792 INFO lxc_start - Cloning a new user namespace
> lxc-start 1399566440.798 INFO lxc_cgroup - cgroup driver
> cgmanager initing for test
> lxc-start 1399566440.994 NOTICE lxc_start - switching to
> gid/uid 0 in new user namespace
> lxc-start 1399566440.994 ERROR lxc_start - Permission denied
> - could not access /var/lib/lxc. Please grant it 'x' access, or add
> an ACL for the container root.
Hm. This is unfortunate, but please go ahead and
sudo chmod o+x /var/lib/lxc
> lxc-start 1399566440.995 ERROR lxc_sync - invalid sequence
> number 1. expected 2
> lxc-start 1399566440.995 WARN lxc_conf - failed to remove
> interface '(null)'
> lxc-start 1399566441.039 ERROR lxc_start - failed to spawn 'test'
> lxc-start 1399566441.039 ERROR lxc_commands - command
> get_cgroup failed to receive response
>
> root at icarus:~# ls -ld /var/lib/lxc
> drwx------ 4 root root 4096 May 8 16:24 /var/lib/lxc
>
> Config:
> # Distribution configuration
> lxc.include = /usr/share/lxc/config/centos.common.conf
> lxc.include = /usr/share/lxc/config/centos.userns.conf
> lxc.arch = x86
>
> # Container specific configuration
> lxc.mount.auto = cgroup:mixed
> lxc.id_map = u 0 800000 65536
> lxc.id_map = g 0 800000 65536
> lxc.rootfs = /var/lib/lxc/test/rootfs
> lxc.utsname = test
>
> # Network configuration
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
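The two failures in this thread (newuidmap refusing the range because root has no entry in /etc/subuid and /etc/subgid, and lxc-start being unable to search /var/lib/lxc once it has switched to the container's uid) can both be caught before running lxc-start. The following script is an added example, not code from the thread or from the LXC project. It takes the file paths, the container name "test" and the host uid 800000 from the messages above; the function names, the optional STOP directory and the local paths used in place of /etc/subuid and /etc/subgid are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or LXC): pre-flight checks for a
# root-owned unprivileged LXC container before "lxc-start -n test".

# idmap_covered OWNER TYPE CONFIG SUBID_FILE
# Verify that every "lxc.id_map = TYPE nsid hostid range" line in CONFIG
# lies inside one of OWNER's "OWNER:start:count" allotments in SUBID_FILE
# (/etc/subuid for u, /etc/subgid for g). This is the rule newuidmap and
# newgidmap enforce; when it fails they report, as in the thread,
#   newuidmap: uid range [0-65536) -> [100000-165536) not allowed
idmap_covered() {
    owner=$1 type=$2 conf=$3 subid=$4
    ranges=$(sed -n -E "s/^[[:space:]]*lxc\.id_map[[:space:]]*=[[:space:]]*$type[[:space:]]+//p" "$conf")
    while read -r nsid hostid range; do
        [ -n "$nsid" ] || continue          # no id_map of this type: nothing to check
        ok=0
        while IFS=: read -r name start count; do
            [ "$name" = "$owner" ] || continue
            case $start$count in *[!0-9]*|'') continue ;; esac   # skip malformed lines
            if [ "$hostid" -ge "$start" ] && [ $((hostid + range)) -le $((start + count)) ]; then
                ok=1
            fi
        done < "$subid"
        if [ "$ok" -eq 0 ]; then
            echo "id_map $type $nsid $hostid $range is not inside $owner's entries in $subid"
            return 1
        fi
    done <<EOF
$ranges
EOF
    return 0
}

# others_can_traverse PATH [STOP]
# lxc-start's "could not access /var/lib/lxc. Please grant it 'x' access"
# means the container's root (host uid 800000 in the thread) cannot search
# a directory on the way to lxc.rootfs. Walk from PATH up to, but not
# including, STOP (default "/") and report every component whose "other"
# execute bit is clear. Column 10 of "ls -ld" is that bit; a user-specific
# ACL is not visible there, so an ACL-granted directory is still reported
# (the error text offers an ACL as the alternative to chmod o+x).
others_can_traverse() {
    dir=$1 stop=${2:-/} rc=0
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        case $(ls -ld "$dir" | cut -c10) in
            x|t) ;;                           # others may search (t = sticky + x)
            *) echo "missing o+x: $dir  (chmod o+x '$dir' or setfacl -m u:800000:x '$dir')"
               rc=1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_container CONFIG [SUBUID] [SUBGID] [STOP]
# Run both checks for root against a container config. SUBUID/SUBGID
# default to the real files; STOP exists so the traversal check can be
# confined to a test tree. Non-zero status means lxc-start would fail.
check_container() {
    cc_conf=$1 cc_subuid=${2:-/etc/subuid} cc_subgid=${3:-/etc/subgid} cc_stop=${4:-/}
    cc_rootfs=$(sed -n -E 's/^[[:space:]]*lxc\.rootfs[[:space:]]*=[[:space:]]*//p' "$cc_conf")
    cc_status=0
    idmap_covered root u "$cc_conf" "$cc_subuid" || cc_status=1
    idmap_covered root g "$cc_conf" "$cc_subgid" || cc_status=1
    others_can_traverse "$cc_rootfs" "$cc_stop" || cc_status=1
    return $cc_status
}
```

On the host in the thread this would be run as root as `check_container /var/lib/lxc/test/config`; with the directory still at `drwx------` it reports `/var/lib/lxc` and exits non-zero, and it passes after `chmod o+x /var/lib/lxc` (or after an ACL is added, in which case the traversal warning can be ignored for that directory). The subuid check only covers the ranges the config declares, so a config without any lxc.id_map lines passes that check trivially.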