[lxc-users] unprivileged container with systemd?
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Feb 9 18:21:33 UTC 2015
Quoting Dirk Geschke (dirk at lug-erding.de):
> Hi Serge,
>
> > > I just to follow
> > >
> > > https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
> > >
> > > once more to install a new container and it fails. First of all it
> > > was a problem with the access to the directory
> > >
> > > ~/.local/share/lxc/jessie1
> > >
> > > The owner changed to a mapped one -> 100000 and then there was no
> > > access for the lxcuser, which has uid 1001. I fixed this via setting
> > > write access for the users group.
> > >
> > > But then I installed a download template:
> > >
> > > lxc-create -t download -n jessie1 -- -d debian -r jessie -a amd64
> > >
> > > which worked without problems (except warnings regarding reopen tty).
> > >
> > > If I try to start the container it ends up with:
> > >
> > > ~$ lxc-start -n jessie1
> > > lxc_container: Permission denied - Unable to create /dev/.lxc for autodev
> > > Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
> > >
> > > Here it ends, nothing more happens and only a kill -9 works...
> > >
> > > And yes, /sbin/init in the container is now a link to systemd:
> > >
> > > /sbin/init -> /lib/systemd/systemd
> > >
> > > I suspect, this does not work at all without cgroup namespace support
> > > in the kernel? Or am I missing something else?
> >
> > There's something else you're missing, but I'm not sure what. What is
> > your environment (os/release and any custom installs)? Try 1.1.0, and
> > make sure to re-create the container as the new config file should be
> > more correct for systemd backed containers.
>
> the host is Debian wheezy, kernel 3.18.4 and a backported shadow
> package for newuidmap & Co.
>
> For LXC I have now lxc-1.1, cgmanager-0.35 and lxcfs-0.5. This works
> fine with a debian container for wheezy and jessie. But if I switch
> jessie to systemd, it fails. I just tried an upgrade to experimental,
> but this fails, too.
>
> Now I started with a fresh template download of ubuntu vivid. This
> works fine, too, but with upstart. If I install systemd and put a
> lxc.init_cmd=/bin/systemd, it fails too:
>
> $ lxc-start -n ubuntu -F -l DEBUG
> WARN: could not reopen tty: Permission denied
> systemd 218 running in system mode. (+PAM +AUDIT +SELINUX +IMA
> +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL
> +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN)
> Detected virtualization 'lxc'.
> Detected architecture 'x86-64'.
>
> Welcome to Ubuntu Vivid Vervet (development branch)!
>
> Set hostname to <ubuntu>.
> /etc/mtab is not a symlink or not pointing to /proc/self/mounts. This
> is not supported anymore. Please make sure to replace this file by a
> symlink to avoid incorrect or misleading mount(8) output.
> Failed to install release agent, ignoring: No such file or directory
>
> That's the same behaviour as with debian jessie and systemd. At this
> point even an lxc-attach does not work...
>
> I have no idea what is going on, maybe there is something too old on
> debian wheezy as a host?
Hm, seems unlikely. From lxc's pov things seem ok since init is starting.
Could you show the container configuration file as well as any files
which are lxc.include'd from it? I'd start systemd with its debug options
to get more info about where it's going wrong.
When you say even lxc-attach doesn't work - what happens when you run it?
That's definitely weird. lxc-attach requires nothing from the container
itself other than a /bin/sh in rootfs and an init task that exists.
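Serge asks for the container config together with every file it lxc.include's. As an added example (not code from this thread or from LXC itself), the Python below walks a config and flattens its lxc.include directives, so the effective settings and the file each one came from can be read off in one place before posting them. It assumes LXC's rule that including a directory loads that directory's *.conf files; the file names and values in demo() are constructed samples.

```python
import os
import tempfile

def parse_line(line):
    """Split 'key = value' into a tuple; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" not in line:
        return None
    key, _, value = line.partition("=")
    return key.strip(), value.strip()

def expand_config(path, seen=None):
    """Return [(source_file, key, value)] with lxc.include expanded in place,
    recursively. A directory include loads its *.conf files in sorted order
    (assumed LXC behaviour). Cycles raise instead of recursing forever."""
    seen = seen if seen is not None else set()
    real = os.path.realpath(path)
    if real in seen:
        raise ValueError("lxc.include cycle at %s" % path)
    seen.add(real)
    out = []
    with open(path) as fh:
        for raw in fh:
            kv = parse_line(raw)
            if kv is None:
                continue
            key, value = kv
            if key != "lxc.include":
                out.append((real, key, value))
                continue
            targets = [value]
            if os.path.isdir(value):
                targets = sorted(os.path.join(value, f) for f in os.listdir(value)
                                 if f.endswith(".conf"))
            for target in targets:
                out.extend(expand_config(target, seen))
    return out

def demo():
    """Build a constructed config tree in a temp dir and return its expansion
    as (basename, key, value) tuples."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "conf.d"))
        files = {  # constructed sample files, not a real container's config
            "common.conf": "lxc.autodev = 1\nlxc.mount.auto = cgroup:mixed proc:mixed sys:mixed\n",
            "conf.d/10-local.conf": "lxc.cap.drop = mac_admin mac_override\n",
            "conf.d/README": "not a .conf file, so the directory include skips it\n",
            "config": ("# constructed sample container config\nlxc.include = %s/common.conf\n"
                       "lxc.include = %s/conf.d\nlxc.id_map = u 0 100000 65536\n"
                       "lxc.id_map = g 0 100000 65536\nlxc.init_cmd = /lib/systemd/systemd\n") % (base, base),
        }
        for name, body in files.items():
            with open(os.path.join(base, name), "w") as fh:
                fh.write(body)
        entries = expand_config(os.path.join(base, "config"))
        return [(os.path.basename(f), k, v) for f, k, v in entries]

if __name__ == "__main__":
    for src, key, value in demo():
        print("%-16s %s = %s" % (src, key, value))
```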