[lxc-users] Unprivileged containers do not auto-start

Serge Hallyn serge.hallyn at ubuntu.com
Fri May 9 03:35:04 UTC 2014


Quoting Robert Pendell (shinji at elite-systems.org):
> On Thu, May 8, 2014 at 12:48 PM, Robert Pendell
> <shinji at elite-systems.org> wrote:
> > On Tue, May 6, 2014 at 6:16 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> Quoting Robert Pendell (shinji at elite-systems.org):
> >>> On Tue, May 6, 2014 at 5:01 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >>> > Quoting Robert Pendell (shinji at elite-systems.org):
> >>> >> OS: Ubuntu 14.04 LTS x86_64
> >>> >> Kernel: Host-Supplied 3.14.1
> >>> >> Provider: Linode
> >>> >> Host Virtualization: Xen Paravirtualized
> >>> >> LXC Version: 1.0.3-0ubuntu3
> >>> >>
> >>> >> On a fresh boot unprivileged containers are not starting automatically
> >>> >> even though they have lxc.start.auto enabled.  lxc-ls as the user
> >>> >> confirms autostart is enabled as well.
> >>> >>
> >>> >> Is this a bug or intended or am I just missing something really
> >>> >> obvious in my configuration?
> >>> >
> >>> > By default only containers in /var/lib/lxc are autostarted.  You
> >>> > could edit /etc/lxc/lxc.conf to change that.  If you're ok with
> >>> > them only starting on login you might also be able to use a user
> >>> > upstart session job, but I suspect tying the containers so closely
> >>> > to your login session won't be what you want.
> >>> >
> >>>
> >>> That would be an accurate assumption.  At this point if I need to I
> >>> can login and start the container manually.  I checked lxc.conf and
> >>> I'm not sure how to set it up the way you suggest.  This system may
> >>> end up being home to multiple containers that are mixed between
> >>> locations.
> >>>
> >>> P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
> >>
> >> It doesn't list containers under your home dir.  However if you create
> >> a root-owned unprivileged container, lxc-autostart will list
> >> it:
> >>
> >> cat > lxc.conf << EOF
> >> lxc.network.type = veth
> >> lxc.network.link = lxcbr0
> >> lxc.id_map = u 0 100000 100000
> >> lxc.id_map = g 0 100000 100000
> >> lxc.aa_profile = lxc-container-default-with-nesting
> >> lxc.start.auto = 1
> >> lxc.mount.auto = cgroup
> >> EOF
> >> sudo lxc-create -t download -n listme1 -f lxc.conf
> >>
> >> After this,
> >>         sudo lxc-autostart -L
> >> should show
> >>         listme1 0
> >>
> >
> >
> > Ok.  So I got a chance to give this a shot but unfortunately I'm being
> > denied the ability to actually change uid.  Should I need to add root
> > to /etc/subuid and /etc/subgid in order to accomplish this?  I left
> > the AA profile define out because it won't apply in my case since
> > apparmor is disabled at kernel level.
> >
> > Error:
> > newuidmap: uid range [0-65536) -> [100000-165536) not allowed
> > error mapping child
> > setgid: Invalid argument
> > lxc_container: container creation template for gateone failed
> > lxc_container: Error creating container gateone
> >
> > I tried to add it manually after the fact and it refuses to boot
> > giving the same error as what I got before.  Finally I went back and
> > added root to subuid and subgid and it seemed to work fine at that point
> > however it still won't start.  Here is the result of an info check.
> > Just so you know I gave root 65536 ids starting at 800000 for the
> > unprivileged containers.  For some reason though it fails at a
> > permission denied error for /var/lib/lxc.  It is obviously just a
> > permission error but I don't know if it would be safe to add x for
> > others.
> >
> 
> Right after posting I thought I'd give it a shot so I added 'x' to the
> others so that it shows as rwx for root and just x for others and that

fwiw the reason you had to do that is that /var/lib/lxc could have
vulnerable setuid-root binaries from a non-updated container, so
/var/lib/lxc is now not accessible by default by non-root users.  It
may be worth adding an lxc group and making /var/lib/lxc g+w.  Then the
upstart jobs could run as user jdoe and group lxc and still access
the container rootfs as they should.

> worked beautifully allowing the containers to boot.  Checking with ps
> axfO euser on the host confirms that processes within the container
> are running "unprivileged".
> 
> However if there are any concerns that I should be aware of then
> please tell me so that I might be able to try to address them in the
> future.  I have my own devils to contend with being I lack apparmor
> support but I think it should be safe "enough" for my purposes if I
> keep public services running in unprivileged containers.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
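The "newuidmap: uid range [0-65536) -> [100000-165536) not allowed" error quoted above comes from newuidmap/newgidmap refusing a mapping that the container owner has not been granted in /etc/subuid and /etc/subgid. The script below is an added example (not code from the thread or from the LXC project) that reproduces that check offline: it parses the lxc.id_map lines of a container config and tests each host-side range against the owner's subuid/subgid allotments. The file names, the temporary directory and the sample contents are constructed here for illustration; against a real system you would point it at the container's config and at /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: verify that every
# lxc.id_map host range in a container config lies inside a range granted
# to the owner in a subuid/subgid-style file (format: owner:start:count).

# range_allowed OWNER START COUNT SUBFILE
# Succeeds if [START, START+COUNT) fits inside one OWNER line of SUBFILE.
range_allowed() {
    owner=$1; start=$2; count=$3; subfile=$4
    end=$((start + count))
    while IFS=: read -r who sstart scount; do
        [ "$who" = "$owner" ] || continue
        send=$((sstart + scount))
        if [ "$start" -ge "$sstart" ] && [ "$end" -le "$send" ]; then
            return 0
        fi
    done < "$subfile"
    return 1
}

# check_idmap OWNER CONFIG SUBUID SUBGID
# Reports each lxc.id_map line; succeeds only if all ranges are granted.
check_idmap() {
    owner=$1; config=$2; subuid=$3; subgid=$4
    bad=0
    while read -r key eq type nsid hostid range; do
        [ "$key" = "lxc.id_map" ] || continue
        case $type in
            u) subfile=$subuid ;;
            g) subfile=$subgid ;;
            *) echo "unknown id_map type: $type"; bad=$((bad + 1)); continue ;;
        esac
        if range_allowed "$owner" "$hostid" "$range" "$subfile"; then
            echo "ok:       $type $nsid -> [$hostid-$((hostid + range))) granted to $owner"
        else
            echo "REJECTED: $type $nsid -> [$hostid-$((hostid + range))) not granted to $owner in $subfile"
            bad=$((bad + 1))
        fi
    done < "$config"
    [ "$bad" -eq 0 ]
}

# make_samples: constructed sample files in a temp dir (prints the dir).
# The subuid/subgid lines mirror the thread: root granted 65536 ids at 800000.
make_samples() {
    d=$(mktemp -d)
    printf 'root:800000:65536\n' > "$d/subuid"
    printf 'root:800000:65536\n' > "$d/subgid"
    # id_map lines as in the thread's lxc.conf (maps onto 100000+, not granted)
    cat > "$d/thread.conf" <<EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 100000 100000
lxc.id_map = g 0 100000 100000
lxc.start.auto = 1
EOF
    # the same mapping rewritten onto the range root actually owns
    cat > "$d/fixed.conf" <<EOF
lxc.id_map = u 0 800000 65536
lxc.id_map = g 0 800000 65536
EOF
    echo "$d"
}

dir=$(make_samples)
check_idmap root "$dir/thread.conf" "$dir/subuid" "$dir/subgid" \
    || echo "thread.conf: newuidmap/newgidmap would reject this mapping"
check_idmap root "$dir/fixed.conf" "$dir/subuid" "$dir/subgid" \
    && echo "fixed.conf: mapping is consistent with subuid/subgid"
```

Run it as any user; it only reads the sample files it creates. The first config fails exactly as in the thread, because the 100000-165536 range was never delegated to root, while the second passes once the map uses the 800000-based range that /etc/subuid grants.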
