[lxc-users] "working" unprivileged centos 7 container under ubuntu

Fajar A. Nugraha list at fajar.net
Mon Aug 10 10:13:30 UTC 2015


As a follow-up to
https://lists.linuxcontainers.org/pipermail/lxc-users/2015-March/008658.html
, I've tested a similar setup but with systemd-224. My build is
available at https://goo.gl/XpKFxS

Tested and works:
- container start & stop
- lxc-console
- lxc-attach
- login via ssh

What DOESN'T work:
- systemd-journald. This means (among other things) you won't have any
additional output from "systemctl status"

Improvement from before: no more crash on unprivileged container poweroff

Host:
- ubuntu vivid with wily's 4.1.0-3-generic kernel (I didn't test
vivid's kernel, but should work as well)
- lxc 1.1.2-0ubuntu5~ubuntu15 and lxcfs
0.9-0ubuntu1~ubuntu15.04.1~ppa1 from ppa:ubuntu-lxc/lxc-stable

Container:
- unprivileged centos 7 container, with custom systemd and related packages

Howto:
Note that lines starting with "$" are executed as a normal user on the
host, while lines starting with "[root at c7-test" are executed inside the
container.

(1) As a normal, non-root user, set up an unprivileged container (see
https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv for
prerequisites, including making sure you have subuid/subgid assigned,
editing /etc/lxc/lxc-usernet, and editing ~/.config/lxc/default.conf).
I name the container "c7-test".

$ id -u
1000

$ lxc-create -n c7-test -t download -- -d centos -r 7 -a amd64


(2) Edit its config

$ vi ~/.local/share/lxc/c7-test/config

Replace

lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/centos.userns.conf

... with

lxc.include = /usr/share/lxc/config/fedora.common.conf
lxc.include = /usr/share/lxc/config/fedora.userns.conf


(3) Install "tar" in the container. We need this to transfer files to
the container without having to worry about permissions.

3.a) start the container directly using bash as init (do NOT use the
normal container startup method at this point, as the CentOS-bundled
systemd doesn't work)

$ lxc-execute -n c7-test -- bash --login


3.b) start networking on the container. You should already have dhcp
working if you use the default bridge (lxcbr0). Verify you get a
working address (it should be printed since you use "-v")

[root at c7-test /]# dhclient -v eth0


3.c) install tar

[root at c7-test /]# yum -y install tar


4) set container root password

[root at c7-test /]# passwd


5) In another terminal window, download the RPMs from the two
directories inside "RPMS-install" and put them in a directory on the host
(I put them in the "RPMS" directory)

6) Copy the RPMS directory to the container (I copy it to "/" inside
the container)

$ tar cf - RPMS | lxc-attach -n c7-test -- bash -c "cd / && tar xvf -"


7) Back to the first terminal (the container), install the RPMS with
yum (so that all dependencies from centos repo will be automatically
installed as well)

[root at c7-test /]# yum -y install /RPMS/*.rpm


8) Disable systemd-journald service, and enable poweroff from the host

[root at c7-test /]# ln -s /dev/null /etc/systemd/system/systemd-journald.service

[root at c7-test /]# ln -s /usr/lib/systemd/system/poweroff.target
/etc/systemd/system/sigpwr.target


9) Kill dhclient, and then exit

[root at c7-test /]# pkill dhclient

[root at c7-test /]# exit


10) Start the container in the foreground so you can see its boot process.
Note that you will see "FAILED" lines; just ignore them.

$ lxc-start -F -n c7-test
systemd 224 running in system mode. (+PAM +AUDIT +SELINUX +IMA
-APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL
+XZ -LZ4 +SECCOMP -BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!
...
systemd-journald-audit.socket: Socket service systemd-journald.service
not loaded, refusing.
[FAILED] Failed to listen on Journal Audit Socket.
...
Failed to reset devices.list on
/user.slice/user-1000.slice/session-c2.scope/lxc/c7-test/system.slice/systemd-update-utmp-runlevel.service:
Permission denied
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Reached target Network is Online.
Startup finished in 5.296s.

CentOS Linux 7 (Core)
Kernel 4.1.0-3-generic on an x86_64

c7-test login:


11) Login as root with password set on step (4)

12) Install ssh server

[root at c7-test ~]# yum -y install openssh-server


13) Start the ssh server. You will see lots of "Failed" lines; just ignore
them. Also note the container's IP address.

[root at c7-test ~]# systemctl status sshd

[root at c7-test ~]# systemctl start sshd

[root at c7-test ~]# systemctl status sshd

[root at c7-test ~]# ip ad li eth0


14) From the host, ssh to the container, do some tests, then logout

15) Back to the container terminal window, power it down

[root at c7-test ~]# poweroff
[  OK  ] Stopped Session c1 of user root.
         Stopping User Manager for UID 0...
...
[  OK  ] Reached target Shutdown.
dev-null.mount: Mount process exited, code=exited status=32
Failed to reset devices.list on
/user.slice/user-1000.slice/session-c2.scope/lxc/c7-test/system.slice/systemd-poweroff.service:
Permission denied
sys-devices-virtual-net.mount: Mount process exited, code=exited status=32
sys-devices-virtual-net.mount: Unit entered failed state.
Shutting down.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
Powering off.


16) After you verify that everything is working, you can now
start/stop the container again in the background

$ lxc-start -n c7-test

$ lxc-ls -f --running
NAME     STATE    IPV4             IPV6  GROUPS  AUTOSTART
----------------------------------------------------------
c7-test  RUNNING  A.B.C.D          -     -       NO

$ lxc-stop -n c7-test
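As an added example (not from the original post), here is a small shell script that checks the step (1) prerequisites against the files the Ubuntu guide names (subuid/subgid, lxc-usernet, default.conf id_map) and performs the step (2) include swap. The function names, the argument-passed file paths and the 65536-id range size are my assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: checks for the step (1)
# prerequisites (subuid/subgid, lxc-usernet, default.conf id_map) and
# the step (2) include swap. File paths are arguments so the functions
# can be run against copies; the 65536-id range size is an assumption
# (the Ubuntu default, and what a full distro rootfs needs).

# subid_range FILE USER: print "start count" for USER's first big enough
# range in an /etc/subuid or /etc/subgid style file (user:start:count).
subid_range() {
    awk -F: -v u="$2" '$1 == u && $3 + 0 >= 65536 && !found {
                            print $2, $3; found = 1 }
                        END { exit !found }' "$1"
}

# usernet_quota FILE USER BRIDGE: veth devices USER may attach to BRIDGE
# according to an /etc/lxc/lxc-usernet line ("user veth lxcbr0 10").
usernet_quota() {
    awk -v u="$2" -v b="$3" '$1 == u && $2 == "veth" && $3 == b {
                                  print $4; found = 1 }
                              END { exit !found }' "$1"
}

# idmap_ok CONF START COUNT: does ~/.config/lxc/default.conf map uid 0
# and gid 0 of the container onto exactly the subordinate range START/COUNT?
idmap_ok() {
    grep -qE "^lxc\.id_map *= *u 0 $2 $3\$" "$1" &&
    grep -qE "^lxc\.id_map *= *g 0 $2 $3\$" "$1"
}

# use_fedora_includes CONFIG: step (2), swap the centos includes in the
# container config for the fedora ones (portable in-place edit).
use_fedora_includes() {
    sed -e 's#lxc/config/centos\.common\.conf#lxc/config/fedora.common.conf#' \
        -e 's#lxc/config/centos\.userns\.conf#lxc/config/fedora.userns.conf#' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_host [USER]: run the prerequisite checks against the real files.
check_host() {
    user=${1:-$(id -un)}
    range=$(subid_range /etc/subuid "$user") || { echo "no subuid range for $user" >&2; return 1; }
    subid_range /etc/subgid "$user" >/dev/null || { echo "no subgid range for $user" >&2; return 1; }
    usernet_quota /etc/lxc/lxc-usernet "$user" lxcbr0 >/dev/null || { echo "no lxc-usernet veth entry for $user on lxcbr0" >&2; return 1; }
    idmap_ok "$HOME/.config/lxc/default.conf" $range || { echo "default.conf id_map does not match $range" >&2; return 1; }
    echo "unprivileged container prerequisites look fine for $user"
}
```

Source the file and run `check_host` before step (1), then `use_fedora_includes ~/.local/share/lxc/c7-test/config` in place of the manual edit in step (2).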


-- 
Fajar

