[lxc-users] Cannot Start Unprivileged Wheezy Container on Jessie
Chris
berzerkatives at gmail.com
Wed Nov 5 13:41:37 UTC 2014
Hi,
A while ago I submitted an issue that I was having with a Debian/Jessie
unprivileged container. Unfortunately I never got that running, but it
was suggested that I might try to run a Debian/Wheezy container instead
(to avoid potential systemd issues). I've finally had a chance to do
this, and was wondering if anyone could help me, as it's also having
problems starting up.
Here's a transcript of all that I've done; sorry if I've left anything
useful out. Both the container and the user it is running as are named
'argon'.
Any help would be much appreciated, thanks.
# apt-get install systemd-service uidmap libcap-dev
: In /etc/rc.local
: echo -n 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
: echo -n 1 > /proc/sys/kernel/unprivileged_userns_clone
# adduser argon
# echo "argon veth lxcbr0 1000" >> /etc/lxc/lxc-usernet
$ cat /etc/subuid
$ /usr/sbin/debootstrap --make-tarball=/home/argon/tarball.tar wheezy /home/argon/root
# /usr/sbin/debootstrap --variant=minbase --unpack-tarball=/home/argon/tarball.tar wheezy /home/argon/root
# ./shift_chid.py /home/argon/root 558752
$ mkdir -p ~/.config/lxc ~/.local/share/lxc/argon
# cp -a ~argon/root ~argon/.local/share/lxc/argon/rootfs
$ echo "lxc.network.type = veth
lxc.network.veth.pair = argon
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:5f:bf:e4
lxc.id_map = u 0 558752 65536
lxc.id_map = g 0 558752 65536
lxc.utsname = argon
lxc.rootfs = /home/argon/.local/share/lxc/argon/rootfs
lxc.arch = x86_64
lxc.console = /home/argon/.console
lxc.tty = 1
lxc.pts = 1024
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = sys_admin
lxc.cap.drop = sys_module
## Devices
# Allow all devices
#lxc.cgroup.devices.allow = a
# Deny all devices
lxc.cgroup.devices.deny = a
# Allow to mknod all devices (but not using them)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
# /dev/fuse
lxc.cgroup.devices.allow = c 10:229 rwm
# /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
# /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
# /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
## Limits
#lxc.cgroup.cpu.shares = 1024
#lxc.cgroup.cpuset.cpus = 0
#lxc.cgroup.memory.limit_in_bytes = 256M
#lxc.cgroup.memory.memsw.limit_in_bytes = 1G
## Filesystem
lxc.mount.entry = proc /home/argon/.local/share/lxc/argon/rootfs/proc proc nodev,noexec,nosuid 0 0
#lxc.mount.entry = devpts /home/argon/.local/share/lxc/argon/rootfs/dev/pts devpts defaults 0 0
lxc.mount.entry = sysfs /home/argon/.local/share/lxc/argon/rootfs/sys sysfs defaults,ro 0 0" \
> .local/share/lxc/argon/config
$ lxc-unpriv-prep # this executes without issue
$ >/tmp/snoop; lxc-start -n argon -l trace -o /tmp/snoop
$ cat /tmp/snoop
lxc-start 1415194155.813 INFO lxc_start_ui - using rcfile /home/argon/.local/share/lxc/argon/config
lxc-start 1415194155.813 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1415194155.815 INFO lxc_confile - read uid map: type u nsid 0 hostid 558752 range 65536
lxc-start 1415194155.815 INFO lxc_confile - read uid map: type g nsid 0 hostid 558752 range 65536
lxc-start 1415194155.815 WARN lxc_log - lxc_log_init called with log already initialized
lxc-start 1415194155.815 INFO lxc_lsm - LSM security driver nop
lxc-start 1415194155.815 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1415194155.817 DEBUG lxc_conf - allocated pty '/dev/pts/2' (5/6)
lxc-start 1415194155.817 INFO lxc_conf - tty's configured
lxc-start 1415194155.817 DEBUG lxc_start - sigchild handler set
lxc-start 1415194155.817 DEBUG lxc_console - opening /home/argon/.console for console peer
lxc-start 1415194155.817 DEBUG lxc_console - using '/home/argon/.console' as console
lxc-start 1415194155.817 DEBUG lxc_console - no console peer
lxc-start 1415194156.092 INFO lxc_start - 'argon' is initialized
lxc-start 1415194156.123 DEBUG lxc_start - Not dropping cap_sys_boot or watching utmp
lxc-start 1415194156.123 INFO lxc_start - Cloning a new user namespace
lxc-start 1415194156.123 INFO lxc_cgroup - cgroup driver cgroupfs initing for argon
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.deny' set to 'a'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c *:* m'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'b *:* m'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 5:1 rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 10:229 rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 1:3 rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 5:2 rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 136:* rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 1:8 rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 254:0 rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 5:0 rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 1:9 rwm'
lxc-start 1415194156.127 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 1:5 rwm'
lxc-start 1415194156.127 INFO lxc_cgfs - cgroup has been setup
lxc-start 1415194156.192 NOTICE lxc_start - switching to gid/uid 0 in new user namespace
lxc-start 1415194156.195 DEBUG lxc_conf - mounted '/home/argon/.local/share/lxc/argon/rootfs' on '/usr/lib/x86_64-linux-gnu/lxc/rootfs'
lxc-start 1415194156.195 INFO lxc_conf - 'argon' hostname has been setup
lxc-start 1415194156.196 DEBUG lxc_conf - mac address '00:16:3e:5f:bf:e4' on 'eth0' has been setup
lxc-start 1415194156.196 DEBUG lxc_conf - 'eth0' has been setup
lxc-start 1415194156.197 INFO lxc_conf - network has been setup
lxc-start 1415194156.197 DEBUG lxc_conf - Set exec command to /sbin/init
lxc-start 1415194156.197 INFO lxc_conf - Autodev not required.
lxc-start 1415194156.197 DEBUG lxc_conf - mounted 'proc' on '/usr/lib/x86_64-linux-gnu/lxc/rootfs//proc', type 'proc'
lxc-start 1415194156.197 DEBUG lxc_conf - mounted 'sysfs' on '/usr/lib/x86_64-linux-gnu/lxc/rootfs//sys', type 'sysfs'
lxc-start 1415194156.197 INFO lxc_conf - mount points have been setup
lxc-start 1415194156.197 INFO lxc_conf - console has been setup
lxc-start 1415194156.197 INFO lxc_conf - 1 tty(s) has been setup
lxc-start 1415194156.198 INFO lxc_conf - I am 1, /proc/self points to '1'
lxc-start 1415194156.198 DEBUG lxc_conf - created '/usr/lib/x86_64-linux-gnu/lxc/rootfs/lxc_putold' directory
lxc-start 1415194156.198 DEBUG lxc_conf - mountpoint for old rootfs is '/usr/lib/x86_64-linux-gnu/lxc/rootfs/lxc_putold'
lxc-start 1415194156.198 DEBUG lxc_conf - pivot_root syscall to '/usr/lib/x86_64-linux-gnu/lxc/rootfs' successful
lxc-start 1415194156.207 INFO lxc_conf - lazy unmount of '/lxc_putold'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/dev'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/dev/pts'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/dev/shm'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/dev/mqueue'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/dev/hugepages'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/run'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/run/lock'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/run/user'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/run/rpc_pipefs'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/sys'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/sys/kernel/security'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup'
lxc-start 1415194156.207 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup/systemd'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup/cpuset'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup/cpu,cpuacct'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup/devices'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup/freezer'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup/net_cls'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup/blkio'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/cgroup/perf_event'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/fs/pstore'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/sys/kernel/debug'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/proc'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/proc/sys/fs/binfmt_misc'
lxc-start 1415194156.208 WARN lxc_conf - failed to unmount '/lxc_putold/boot'
lxc-start 1415194156.208 INFO lxc_conf - created new pts instance
lxc-start 1415194156.208 INFO lxc_conf - set personality to '0x0'
lxc-start 1415194156.208 NOTICE lxc_conf - 'argon' is setup.
lxc-start 1415194156.208 ERROR lxc_cgfs - Error setting devices.deny to a for argon
lxc-start 1415194156.209 ERROR lxc_start - failed to setup the devices cgroup for 'argon'
lxc-start 1415194156.209 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1415194156.331 ERROR lxc_start - failed to spawn 'argon'
lxc-start 1415194156.331 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1415194156.331 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1415194156.333 ERROR lxc_start_ui - The container failed to start.
lxc-start 1415194156.333 ERROR lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.
$ cat `which lxc-unpriv-prep`
#!/bin/bash --
for d in /sys/fs/cgroup/*; do
f=$(basename $d)
echo "looking at $f"
if [ "$f" = "cpuset" ]; then
echo 1 | sudo tee -a $d/cgroup.clone_children;
elif [ "$f" = "memory" ]; then
echo 1 | sudo tee -a $d/memory.use_hierarchy;
fi
sudo mkdir -p $d/$USER
sudo chown -R $USER $d/$USER
echo $PPID > $d/$USER/tasks
done
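A consistency check for the setup described in this post, added here as an example and not part of the original message or of LXC: it parses the lxc.id_map lines of the config above and verifies that each range lies inside the user's /etc/subuid and /etc/subgid allocations (the `cat /etc/subuid` step above printed nothing), and it lists the lxc.cgroup.* keys, because the trace shows the second write of devices.deny, made after switching into the new user namespace, as the step that fails. The subuid/subgid entries below are constructed assumptions, not values from the post.

```python
import re

# Constructed sample input: the poster's lxc.id_map and cgroup lines plus an
# assumed /etc/subuid and /etc/subgid entry (the post shows no such entry).
CONFIG = """lxc.id_map = u 0 558752 65536
lxc.id_map = g 0 558752 65536
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
"""
SUBUID = "argon:558752:65536\n"
SUBGID = "argon:558752:65536\n"
IDMAP_RE = re.compile(r"\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)")
CGROUP_RE = re.compile(r"\s*(lxc\.cgroup\.[\w.]+)\s*=")

def parse_idmaps(config):
    """(type, nsid, hostid, count) for each lxc.id_map line in the config."""
    return [(m[1], int(m[2]), int(m[3]), int(m[4]))
            for m in map(IDMAP_RE.match, config.splitlines()) if m]

def parse_subid(text, user):
    """(start, count) allocations for `user` from subuid/subgid-format text."""
    allocs = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            allocs.append((int(parts[1]), int(parts[2])))
    return allocs

def covered(hostid, count, allocs):
    """True if the host range [hostid, hostid+count) fits in one allocation."""
    return any(s <= hostid and hostid + count <= s + n for s, n in allocs)

def cgroup_keys(config):
    """lxc.cgroup.* keys that lxc-start writes on the container's behalf."""
    return [m[1] for m in map(CGROUP_RE.match, config.splitlines()) if m]

def check(config, subuid, subgid, user):
    """Return a list of problems; an empty list means the id maps are consistent."""
    problems = []
    maps = parse_idmaps(config)
    if not maps:
        problems.append("no lxc.id_map lines found")
    for typ, nsid, hostid, count in maps:
        allocs = parse_subid(subuid if typ == "u" else subgid, user)
        if not covered(hostid, count, allocs):
            problems.append(f"{typ} map {nsid}->{hostid}+{count} not within "
                            f"{user}'s sub{typ}id allocation")
    return problems

if __name__ == "__main__":
    print(check(CONFIG, SUBUID, SUBGID, "argon") or "id maps OK")
    print("cgroup keys lxc-start must be able to write:", cgroup_keys(CONFIG))
```

On a real host, feed it the contents of the container's config, /etc/subuid and /etc/subgid in place of the constructed strings.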