[lxc-users] Cannot Start Unprivileged Wheezy Container on Jessie

Serge Hallyn serge.hallyn at ubuntu.com
Thu Nov 20 22:38:47 UTC 2014


Quoting Chris (berzerkatives at gmail.com):
> Hi,
> 
> A while ago I submitted an issue that I was having with a
> Debian/Jessie unprivileged container, unfortunately I never got that
> running, but it was suggested that I might try to run a
> Debian/Wheezy container instead (to avoid potential SystemD issues).
> I've finally had a chance to do this, and was wondering if anyone
> could help me as it's also having problems starting up.
> 
> Here's a transcript of all that I've done, sorry if I've left
> anything useful out. Both the container, and the user it is running
> as are named 'argon'.
> 
> Any help would be much appreciated, thanks.
> 
> # apt-get install systemd-service uidmap libcap-dev
> : In /etc/rc.local
> : echo -n 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
> : echo -n 1 > /proc/sys/kernel/unprivileged_userns_clone
> # adduser argon
> # echo "argon veth lxcbr0 1000" >> /etc/lxc/lxc-usernet
> $ cat /etc/subuid
> $ /usr/sbin/debootstrap --make-tarball=/home/argon/tarball.tar
> wheezy /home/argon/root
> # /usr/sbin/debootstrap --variant=minbase
> --unpack-tarball=/home/argon/tarball.tar wheezy /home/argon/root
> # ./shift_chid.py /home/argon/root 558752
> $ mkdir -p ~/.config/lxc ~/.local/share/lxc/argon
> # cp -a ~argon/root ~argon/.local/share/lxc/argon/rootfs
> $ echo "lxc.network.type = veth
> lxc.network.veth.pair = argon
> lxc.network.flags = up
> lxc.network.link = lxcbr0
> lxc.network.hwaddr = 00:16:3e:5f:bf:e4
> lxc.id_map = u 0 558752 65536
> lxc.id_map = g 0 558752 65536
> 
> lxc.utsname                             = argon
> lxc.rootfs                              =
> /home/argon/.local/share/lxc/argon/rootfs
> lxc.arch                                = x86_64
> lxc.console                             = /home/argon/.console
> lxc.tty                                 = 1
> lxc.pts                                 = 1024
> 
> lxc.cap.drop                            = mac_admin
> lxc.cap.drop                            = mac_override
> lxc.cap.drop                            = sys_admin
> lxc.cap.drop                            = sys_module
> ## Devices
> # Allow all devices
> #lxc.cgroup.devices.allow               = a
> # Deny all devices
> lxc.cgroup.devices.deny                 = a
> # Allow to mknod all devices (but not using them)
> lxc.cgroup.devices.allow                = c *:* m
> lxc.cgroup.devices.allow                = b *:* m
> 
> # /dev/console
> lxc.cgroup.devices.allow                = c 5:1 rwm
> # /dev/fuse
> lxc.cgroup.devices.allow                = c 10:229 rwm
> # /dev/null
> lxc.cgroup.devices.allow                = c 1:3 rwm
> # /dev/ptmx
> lxc.cgroup.devices.allow                = c 5:2 rwm
> # /dev/pts/*
> lxc.cgroup.devices.allow                = c 136:* rwm
> # /dev/random
> lxc.cgroup.devices.allow                = c 1:8 rwm
> # /dev/rtc
> lxc.cgroup.devices.allow                = c 254:0 rwm
> # /dev/tty
> lxc.cgroup.devices.allow                = c 5:0 rwm
> # /dev/urandom
> lxc.cgroup.devices.allow                = c 1:9 rwm
> # /dev/zero
> lxc.cgroup.devices.allow                = c 1:5 rwm
> 
> ## Limits
> #lxc.cgroup.cpu.shares                  = 1024
> #lxc.cgroup.cpuset.cpus                 = 0
> #lxc.cgroup.memory.limit_in_bytes       = 256M
> #lxc.cgroup.memory.memsw.limit_in_bytes = 1G
> 
> ## Filesystem
> lxc.mount.entry                         = proc
> /home/argon/.local/share/lxc/argon/rootfs/proc proc
> nodev,noexec,nosuid 0 0
> #lxc.mount.entry                = devpts
> /home/argon/.local/share/lxc/argon/rootfs/dev/pts devpts defaults 0
> 0
> lxc.mount.entry                         = sysfs
> /home/argon/.local/share/lxc/argon/rootfs/sys sysfs defaults,ro 0 0"
> \
> > .local/share/lxc/argon/config
> 
> $ lxc-unpriv-prep # this executes without issue
> $ >/tmp/snoop; lxc-start -n argon -l trace -o /tmp/snoop
> $ cat /tmp/snoop
>       lxc-start 1415194155.813 INFO     lxc_start_ui - using rcfile
> /home/argon/.local/share/lxc/argon/config
>       lxc-start 1415194155.813 INFO     lxc_utils - XDG_RUNTIME_DIR
> isn't set in the environment.
>       lxc-start 1415194155.815 INFO     lxc_confile - read uid map:
> type u nsid 0 hostid 558752 range 65536
>       lxc-start 1415194155.815 INFO     lxc_confile - read uid map:
> type g nsid 0 hostid 558752 range 65536
>       lxc-start 1415194155.815 WARN     lxc_log - lxc_log_init
> called with log already initialized
>       lxc-start 1415194155.815 INFO     lxc_lsm - LSM security driver nop
>       lxc-start 1415194155.815 INFO     lxc_utils - XDG_RUNTIME_DIR
> isn't set in the environment.
>       lxc-start 1415194155.817 DEBUG    lxc_conf - allocated pty
> '/dev/pts/2' (5/6)
>       lxc-start 1415194155.817 INFO     lxc_conf - tty's configured
>       lxc-start 1415194155.817 DEBUG    lxc_start - sigchild handler set
>       lxc-start 1415194155.817 DEBUG    lxc_console - opening
> /home/argon/.console for console peer
>       lxc-start 1415194155.817 DEBUG    lxc_console - using
> '/home/argon/.console' as console
>       lxc-start 1415194155.817 DEBUG    lxc_console - no console peer
>       lxc-start 1415194156.092 INFO     lxc_start - 'argon' is initialized
>       lxc-start 1415194156.123 DEBUG    lxc_start - Not dropping
> cap_sys_boot or watching utmp
>       lxc-start 1415194156.123 INFO     lxc_start - Cloning a new
> user namespace
>       lxc-start 1415194156.123 INFO     lxc_cgroup - cgroup driver
> cgroupfs initing for argon
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.deny' set to 'a'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c *:* m'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'b *:* m'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 5:1 rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 10:229 rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 1:3 rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 5:2 rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 136:* rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 1:8 rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 254:0 rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 5:0 rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 1:9 rwm'
>       lxc-start 1415194156.127 DEBUG    lxc_cgfs - cgroup
> 'devices.allow' set to 'c 1:5 rwm'
>       lxc-start 1415194156.127 INFO     lxc_cgfs - cgroup has been setup
>       lxc-start 1415194156.192 NOTICE   lxc_start - switching to
> gid/uid 0 in new user namespace
>       lxc-start 1415194156.195 DEBUG    lxc_conf - mounted
> '/home/argon/.local/share/lxc/argon/rootfs' on
> '/usr/lib/x86_64-linux-gnu/lxc/rootfs'
>       lxc-start 1415194156.195 INFO     lxc_conf - 'argon' hostname
> has been setup
>       lxc-start 1415194156.196 DEBUG    lxc_conf - mac address
> '00:16:3e:5f:bf:e4' on 'eth0' has been setup
>       lxc-start 1415194156.196 DEBUG    lxc_conf - 'eth0' has been setup
>       lxc-start 1415194156.197 INFO     lxc_conf - network has been setup
>       lxc-start 1415194156.197 DEBUG    lxc_conf - Set exec command
> to /sbin/init
>       lxc-start 1415194156.197 INFO     lxc_conf - Autodev not required.
>       lxc-start 1415194156.197 DEBUG    lxc_conf - mounted 'proc' on
> '/usr/lib/x86_64-linux-gnu/lxc/rootfs//proc', type 'proc'
>       lxc-start 1415194156.197 DEBUG    lxc_conf - mounted 'sysfs'
> on '/usr/lib/x86_64-linux-gnu/lxc/rootfs//sys', type 'sysfs'
>       lxc-start 1415194156.197 INFO     lxc_conf - mount points have
> been setup
>       lxc-start 1415194156.197 INFO     lxc_conf - console has been setup
>       lxc-start 1415194156.197 INFO     lxc_conf - 1 tty(s) has been setup
>       lxc-start 1415194156.198 INFO     lxc_conf - I am 1,
> /proc/self points to '1'
>       lxc-start 1415194156.198 DEBUG    lxc_conf - created
> '/usr/lib/x86_64-linux-gnu/lxc/rootfs/lxc_putold' directory
>       lxc-start 1415194156.198 DEBUG    lxc_conf - mountpoint for
> old rootfs is '/usr/lib/x86_64-linux-gnu/lxc/rootfs/lxc_putold'
>       lxc-start 1415194156.198 DEBUG    lxc_conf - pivot_root
> syscall to '/usr/lib/x86_64-linux-gnu/lxc/rootfs' successful
>       lxc-start 1415194156.207 INFO     lxc_conf - lazy unmount of
> '/lxc_putold'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/dev'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/dev/pts'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/dev/shm'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/dev/mqueue'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/dev/hugepages'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/run'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/run/lock'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/run/user'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/run/rpc_pipefs'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/kernel/security'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup'
>       lxc-start 1415194156.207 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup/systemd'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup/cpuset'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup/cpu,cpuacct'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup/devices'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup/freezer'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup/net_cls'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup/blkio'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/cgroup/perf_event'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/fs/pstore'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/sys/kernel/debug'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/proc'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/proc/sys/fs/binfmt_misc'
>       lxc-start 1415194156.208 WARN     lxc_conf - failed to unmount
> '/lxc_putold/boot'
>       lxc-start 1415194156.208 INFO     lxc_conf - created new pts instance
>       lxc-start 1415194156.208 INFO     lxc_conf - set personality to '0x0'
>       lxc-start 1415194156.208 NOTICE   lxc_conf - 'argon' is setup.
>       lxc-start 1415194156.208 ERROR    lxc_cgfs - Error setting
> devices.deny to a for argon
>       lxc-start 1415194156.209 ERROR    lxc_start - failed to setup
> the devices cgroup for 'argon'

An unprivileged user cannot write to the devices cgroup, which is what the
"Error setting devices.deny to a" line above is reporting.  (A patch to
allow that in the kernel was rejected.)  So you can either start using
cgmanager, or just remove all the devices.* entries from your
configuration.

>       lxc-start 1415194156.209 INFO     lxc_utils - XDG_RUNTIME_DIR
> isn't set in the environment.
>       lxc-start 1415194156.331 ERROR    lxc_start - failed to spawn 'argon'
>       lxc-start 1415194156.331 INFO     lxc_utils - XDG_RUNTIME_DIR
> isn't set in the environment.
>       lxc-start 1415194156.331 INFO     lxc_utils - XDG_RUNTIME_DIR
> isn't set in the environment.
>       lxc-start 1415194156.333 ERROR    lxc_start_ui - The container
> failed to start.
>       lxc-start 1415194156.333 ERROR    lxc_start_ui - Additional
> information can be obtained by setting the --logfile and
> --log-priority options.
> $ cat `which lxc-unpriv-prep`
> #!/bin/bash --
> 
> for d in /sys/fs/cgroup/*; do
>         f=$(basename $d)
>         echo "looking at $f"
>         if [ "$f" = "cpuset" ]; then
>                 echo 1 | sudo tee -a $d/cgroup.clone_children;
>         elif [ "$f" = "memory" ]; then
>                 echo 1 | sudo tee -a $d/memory.use_hierarchy;
>         fi
>         sudo mkdir -p $d/$USER
>         sudo chown -R $USER $d/$USER
>         echo $PPID > $d/$USER/tasks
> done
> 

