[lxc-users] Unable to Start Unprivileged Containers on Debian / Jessie

Michael H. Warfield mhw at WittsEnd.com
Tue Sep 30 15:47:45 UTC 2014

On Tue, 2014-09-30 at 15:46 +0100, Chris wrote:
> On 29/09/14 21:46, Serge Hallyn wrote:
> > Hm, sorry, not looking deeper right now, but :
> >
> >>        lxc-start 1411807327.953 ERROR    lxc_conf - Permission denied - WARNING: Failed to create symlink '/home/osmium/.local/share/lxc/osmium/rootfs.dev'->'/dev/.lxc/user/osmium.3c68b3f0c5eeec7d'
> > Something will need to set that up.  I can't recall offhand
> > what is supposed to do that.  Michael (cc:d), is that done
> > through the init script?
> >
> > -serge
> >
> >
> That might make sense, as I created this container through 
> debootstrapping the filesystem into 
> /home/osmium/.local/share/lxc/osmium/rootfs and then chown/grping all 
> the files to the appropriate users in this user's subuid/gid range... 
> pasted below in case anyone finds it useful. Please let me know if there 
> are further steps required to make this template/container valid.

You created this with debootstrap?  So it's an Ubuntu or Debian
container?  Why not use the appropriate lxc-create template?  They do a
lot of things that you are unlikely to have done.  Since you're creating
a container for an unprivileged user, you should probably have used the
download template, as the live templates are generally for privileged
users only. 

That error is generated out of the code, which I authored, that sets up
the autodev device areas and mounts that systemd mandates (but can still
be used by anyone).  But, if this is Debian or Ubuntu, what version did
you attempt to install?  Unless you're loading a test version, you
shouldn't be getting systemd as your default init system manager (yet).
If you have not explicitly set lxc.autodev = 1 in the config file and
lxc-start does not detect systemd as the init system, you should not
have ventured into that code at all.  I'm really baffled how you got in
a situation where you used debootstrap and yet the code is running into
the systemd autodev logic, something I would not have expected for
Ubuntu or Debian just yet (and I don't think those templates are
prepared to set up just yet).

Next question...  How did you create your configuration file?  That
error message is telling me that either you had lxc.autodev == 1 in the
configuration file OR you're running systemd as your init system
manager.  Neither of those should be a particular problem (well, systemd
might if you haven't properly configured certain aspects of the unit
files are startup - but you aren't getting that far) but it's just not
clear how you got where you got doing what you did.

What are the permissions on /home/osmium/.local/share/lxc/osmium ?  For
some reason, lxc-start does not have permission to create a symlink in
that directory (or maybe does not have rx read/search permission to all
of its parent directories in the path).  That's a short-cut link back to
the hash indexed dev directory under /dev/.lxc/user (for unpriv users)
for the container /dev.  Creating that symlink depends only on the
permissions in the path to the directory and the directory itself.


> Incidentally, I just fixed the "invalid mount point" warnings, they were 
> just the LXC mount paths not being complete.

> $ cat shift_chid.py
> #!/usr/bin/env python
> import sys
> import os
> path = sys.argv[1]
> offset = int(sys.argv[2])
> def logic(path, offset):
>      stat = os.lstat(path)
>      o_u = stat.st_uid
>      o_g = stat.st_gid
>      n_u = o_u + offset
>      n_g = o_g + offset
>      return(path, o_u, o_g, n_u, n_g)
> def report(path, offset):
>      print("Path: %s. Current UID/GID: %s/%s. Proposed UID/GID: %s/%s." 
> % logic(path, offset))
> def chid(path, offset):
>      p, _, _, u, g = logic(path, offset)
>      os.lchown(path, u, g)
> def verbose(path, offset):
>      report(path, offset)
>      chid(path, offset)
>      report(path, offset)
> for cur, dirs, files in os.walk(path):
>      files.append("")
>      for x in files:
>          try:
>              verbose(os.path.join(cur, x), offset)
>          except Exception as E:
>              sys.stderr.write("Error reported: %s" % E)

Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 465 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140930/0afa93e2/attachment.sig>

More information about the lxc-users mailing list