[lxc-users] Unprivileged Systemd-based Containers
Christian Brauner
christianvanbrauner at gmail.com
Mon Jan 26 11:51:28 UTC 2015
Hi,
thanks Dirk!
> But there seems to be another solution with LXCFS:
>
> https://linuxcontainers.org/lxcfs/introduction/
>
> This is what it says:
>
> + A cgroupfs-like tree which is container aware and works
> using CGManager.
>
> + A set of files which can be bind-mounted over their /proc
> originals to provide CGroup-aware values.
I just tried it. Downloaded it, unpacked it:
./configure && make && sudo make install
Then I followed the github lxcfs explanation:
sudo mkdir -p /var/lib/lxcfs
sudo lxcfs -s -f -o allow_other /var/lib/lxcfs
but if I run an unprivileged container with:
lxc-start -n jessie -F
it still gives me
[chb at conventiont lxcfs]$ lxc-start -n jessie -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
I use LXC's master from GitHub, so according to the lxcfs GitHub page it should
work. Does someone know what is going on?
Here is the output from:
lxc-start -n jessie -F -l DEBUG -o AAA:
lxc-start 1422272908.485 INFO lxc_start_ui - lxc_start.c:main:264 - using rcfile /home/chb/.local/share/lxc/jessie/config
lxc-start 1422272908.485 WARN lxc_confile - confile.c:config_pivotdir:1770 - lxc.pivotdir is ignored. It will soon become an error.
lxc-start 1422272908.486 INFO lxc_confile - confile.c:config_idmap:1379 - read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start 1422272908.486 INFO lxc_confile - confile.c:config_idmap:1379 - read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start 1422272908.487 WARN lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
lxc-start 1422272908.488 WARN lxc_cgmanager - cgmanager.c:cgm_get:962 - do_cgm_get exited with error
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:298 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:371 - Adding non-compat rule for reject_force_umount action 0
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - Setting seccomp rule to reject force umounts
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:382 - Adding compat rule for reject_force_umount action 0
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:390 - Adding non-compat rule bc nr1 == nr2 (-1, -1)
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - Setting seccomp rule to reject force umounts
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:298 - processing: .[all].
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:298 - processing: .kexec_load errno 1.
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:371 - Adding non-compat rule for kexec_load action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:382 - Adding compat rule for kexec_load action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:395 - Really adding compat rule bc nr1 == nr2 (283, 246)
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:298 - processing: .open_by_handle_at errno 1.
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:371 - Adding non-compat rule for open_by_handle_at action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:382 - Adding compat rule for open_by_handle_at action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:395 - Really adding compat rule bc nr1 == nr2 (342, 304)
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:298 - processing: .init_module errno 1.
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:371 - Adding non-compat rule for init_module action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:382 - Adding compat rule for init_module action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:395 - Really adding compat rule bc nr1 == nr2 (128, 175)
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:298 - processing: .finit_module errno 1.
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:371 - Adding non-compat rule for finit_module action 327681
lxc-start 1422272908.488 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:209 - Seccomp: got negative # for syscall: finit_module
lxc-start 1422272908.488 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - This syscall will NOT be blacklisted
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:382 - Adding compat rule for finit_module action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:390 - Adding non-compat rule bc nr1 == nr2 (-10085, -10085)
lxc-start 1422272908.488 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:209 - Seccomp: got negative # for syscall: finit_module
lxc-start 1422272908.488 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - This syscall will NOT be blacklisted
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:298 - processing: .delete_module errno 1.
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:371 - Adding non-compat rule for delete_module action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:382 - Adding compat rule for delete_module action 327681
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:395 - Really adding compat rule bc nr1 == nr2 (129, 176)
lxc-start 1422272908.488 INFO lxc_seccomp - seccomp.c:parse_config_v2:403 - Merging in the compat seccomp ctx into the main one
lxc-start 1422272908.489 DEBUG lxc_conf - conf.c:lxc_create_tty:3297 - allocated pty '/dev/pts/4' (5/6)
lxc-start 1422272908.489 DEBUG lxc_conf - conf.c:lxc_create_tty:3297 - allocated pty '/dev/pts/5' (7/8)
lxc-start 1422272908.489 DEBUG lxc_conf - conf.c:lxc_create_tty:3297 - allocated pty '/dev/pts/6' (9/10)
lxc-start 1422272908.489 DEBUG lxc_conf - conf.c:lxc_create_tty:3297 - allocated pty '/dev/pts/7' (11/12)
lxc-start 1422272908.489 INFO lxc_conf - conf.c:lxc_create_tty:3308 - tty's configured
lxc-start 1422272908.489 DEBUG lxc_start - start.c:setup_signal_fd:259 - sigchild handler set
lxc-start 1422272908.489 DEBUG lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer
lxc-start 1422272908.489 DEBUG lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console
lxc-start 1422272908.489 DEBUG lxc_console - console.c:lxc_console_sigwinch_init:179 - 503 got SIGWINCH fd 17
lxc-start 1422272908.489 DEBUG lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:14 cols:239 rows:34
lxc-start 1422272908.862 INFO lxc_start - start.c:lxc_init:455 - 'jessie' is initialized
lxc-start 1422272908.862 DEBUG lxc_start - start.c:__lxc_start:1072 - Not dropping cap_sys_boot or watching utmp
lxc-start 1422272908.862 INFO lxc_start - start.c:lxc_spawn:816 - Cloning a new user namespace
lxc-start 1422272908.862 INFO lxc_cgroup - cgroup.c:cgroup_init:65 - cgroup driver cgmanager initing for jessie
lxc-start 1422272909.060 NOTICE lxc_start - start.c:do_start:667 - switching to gid/uid 0 in new user namespace
lxc-start 1422272909.084 DEBUG lxc_conf - conf.c:setup_rootfs:1234 - mounted '/home/chb/.local/share/lxc/jessie/rootfs' on '/usr/lib/lxc/rootfs'
lxc-start 1422272909.084 INFO lxc_conf - conf.c:setup_utsname:894 - 'jessie' hostname has been setup
lxc-start 1422272909.084 DEBUG lxc_conf - conf.c:setup_hw_addr:2186 - mac address '00:16:3e:3a:f1:12' on 'eth0' has been setup
lxc-start 1422272909.084 DEBUG lxc_conf - conf.c:setup_netdev:2413 - 'eth0' has been setup
lxc-start 1422272909.084 INFO lxc_conf - conf.c:setup_network:2434 - network has been setup
lxc-start 1422272909.084 INFO lxc_conf - conf.c:mount_autodev:1098 - Mounting /dev under /usr/lib/lxc/rootfs
lxc-start 1422272909.084 INFO lxc_conf - conf.c:mount_autodev:1119 - Mounted tmpfs onto /usr/lib/lxc/rootfs/dev
lxc-start 1422272909.084 INFO lxc_conf - conf.c:mount_autodev:1137 - Mounted /dev under /usr/lib/lxc/rootfs
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted 'proc' on '/usr/lib/lxc/rootfs/proc', type 'proc'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted 'sysfs' on '/usr/lib/lxc/rootfs/sys', type 'sysfs'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1679 - remounting /sys/fs/fuse/connections on /usr/lib/lxc/rootfs/sys/fs/fuse/connections to respect bind or remount options
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1694 - (at remount) flags for /sys/fs/fuse/connections was 4096, required extra flags are 0
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1703 - mountflags already was 4096, skipping remount
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted '/sys/fs/fuse/connections' on '/usr/lib/lxc/rootfs/sys/fs/fuse/connections', type 'none'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1679 - remounting /dev/console on /usr/lib/lxc/rootfs/dev/console to respect bind or remount options
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1694 - (at remount) flags for /dev/console was 4098, required extra flags are 2
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted '/dev/console' on '/usr/lib/lxc/rootfs/dev/console', type 'none'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1679 - remounting /dev/full on /usr/lib/lxc/rootfs/dev/full to respect bind or remount options
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1694 - (at remount) flags for /dev/full was 4098, required extra flags are 2
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted '/dev/full' on '/usr/lib/lxc/rootfs/dev/full', type 'none'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1679 - remounting /dev/null on /usr/lib/lxc/rootfs/dev/null to respect bind or remount options
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1694 - (at remount) flags for /dev/null was 4098, required extra flags are 2
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted '/dev/null' on '/usr/lib/lxc/rootfs/dev/null', type 'none'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1679 - remounting /dev/random on /usr/lib/lxc/rootfs/dev/random to respect bind or remount options
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1694 - (at remount) flags for /dev/random was 4098, required extra flags are 2
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted '/dev/random' on '/usr/lib/lxc/rootfs/dev/random', type 'none'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1679 - remounting /dev/tty on /usr/lib/lxc/rootfs/dev/tty to respect bind or remount options
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1694 - (at remount) flags for /dev/tty was 4098, required extra flags are 2
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted '/dev/tty' on '/usr/lib/lxc/rootfs/dev/tty', type 'none'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1679 - remounting /dev/urandom on /usr/lib/lxc/rootfs/dev/urandom to respect bind or remount options
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1694 - (at remount) flags for /dev/urandom was 4098, required extra flags are 2
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted '/dev/urandom' on '/usr/lib/lxc/rootfs/dev/urandom', type 'none'
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1679 - remounting /dev/zero on /usr/lib/lxc/rootfs/dev/zero to respect bind or remount options
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1694 - (at remount) flags for /dev/zero was 4098, required extra flags are 2
lxc-start 1422272909.085 DEBUG lxc_conf - conf.c:mount_entry:1729 - mounted '/dev/zero' on '/usr/lib/lxc/rootfs/dev/zero', type 'none'
lxc-start 1422272909.085 INFO lxc_conf - conf.c:mount_file_entries:1978 - mount points have been setup
lxc-start 1422272909.085 INFO lxc_conf - conf.c:fill_autodev:1165 - Creating initial consoles under /usr/lib/lxc/rootfs/dev
lxc-start 1422272909.085 INFO lxc_conf - conf.c:fill_autodev:1176 - Populating /dev under /usr/lib/lxc/rootfs
lxc-start 1422272909.085 INFO lxc_conf - conf.c:fill_autodev:1208 - Populated /dev under /usr/lib/lxc/rootfs
lxc-start 1422272909.085 INFO lxc_conf - conf.c:setup_dev_console:1459 - console has been setup
lxc-start 1422272909.085 INFO lxc_conf - conf.c:setup_tty:1021 - 4 tty(s) has been setup
lxc-start 1422272909.085 INFO lxc_conf - conf.c:do_tmp_proc_mount:3520 - I am 1, /proc/self points to '1'
lxc-start 1422272909.101 DEBUG lxc_conf - conf.c:setup_rootfs_pivot_root:1076 - pivot_root syscall to '/usr/lib/lxc/rootfs' successful
lxc-start 1422272909.101 INFO lxc_conf - conf.c:setup_personality:1414 - set personality to '0x0'
lxc-start 1422272909.101 DEBUG lxc_conf - conf.c:setup_caps:2097 - drop capability 'mac_admin' (33)
lxc-start 1422272909.101 DEBUG lxc_conf - conf.c:setup_caps:2097 - drop capability 'mac_override' (32)
lxc-start 1422272909.101 DEBUG lxc_conf - conf.c:setup_caps:2097 - drop capability 'sys_time' (25)
lxc-start 1422272909.101 DEBUG lxc_conf - conf.c:setup_caps:2097 - drop capability 'sys_module' (16)
lxc-start 1422272909.101 DEBUG lxc_conf - conf.c:setup_caps:2106 - capabilities have been setup
lxc-start 1422272909.101 NOTICE lxc_conf - conf.c:lxc_setup:3842 - 'jessie' is setup.
lxc-start 1422272909.101 NOTICE lxc_start - start.c:start:1174 - exec'ing '/sbin/init'
lxc-start 1422272909.102 NOTICE lxc_start - start.c:post_start:1185 - '/sbin/init' started with pid '527'
lxc-start 1422272909.102 WARN lxc_start - start.c:signal_handler:307 - invalid pid for SIGCHLD
lxc-start 1422272912.159 DEBUG lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:14 cols:239 rows:23
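As an added triage helper (not code from the post or from the LXC/lxcfs projects), the functions below pull the security-relevant facts out of an lxc-start debug log like the one above: whether the uid/gid maps are actually shifted away from host root, which syscalls the seccomp profile silently failed to blacklist (the post's log shows this for finit_module), which capabilities were dropped, and which cgroup mount failed. The sample lines are constructed, modelled on the post's output.

```shell
#!/bin/sh
set -e

# Constructed sample, modelled on the 'lxc-start -l DEBUG' lines in the post (not the real log).
SAMPLE_LOG="lxc-start 1422272908.486 INFO lxc_confile - confile.c:config_idmap:1379 - read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start 1422272908.486 INFO lxc_confile - confile.c:config_idmap:1379 - read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start 1422272908.488 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:209 - Seccomp: got negative # for syscall: finit_module
lxc-start 1422272908.488 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - This syscall will NOT be blacklisted
lxc-start 1422272908.488 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:209 - Seccomp: got negative # for syscall: finit_module
lxc-start 1422272909.101 DEBUG lxc_conf - conf.c:setup_caps:2097 - drop capability 'sys_module' (16)
lxc-start 1422272909.101 DEBUG lxc_conf - conf.c:setup_caps:2097 - drop capability 'sys_time' (25)
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted"

# Id maps whose host range starts at 0, i.e. container root would be host root.
# Prints the map type (u or g) for each such map; empty output means both are shifted.
unshifted_idmaps() {
    printf '%s\n' "$1" | awk '/read uid map:/ && / hostid 0 range / {
        for (i = 1; i <= NF; i++) if ($i == "type") print $(i + 1) }'
}

# Syscalls LXC could not resolve and therefore did NOT add to the seccomp blacklist.
# One name per line, deduplicated.
unblacklisted_syscalls() {
    printf '%s\n' "$1" | awk -F 'got negative # for syscall: ' 'NF > 1 { print $2 }' | sort -u
}

# Capabilities dropped in setup_caps, one name per line, in log order.
dropped_caps() {
    printf '%s\n' "$1" | awk -F "'" '/drop capability/ { print $2 }'
}

# Cgroup hierarchies LXC failed to mount, as "<path> (<error>)".
cgroup_mount_failures() {
    printf '%s\n' "$1" | sed -n 's/^.*Failed to mount cgroup at \([^:]*\): \(.*\)$/\1 (\2)/p'
}

# Human-readable summary of the four checks above.
triage() {
    log="$1"
    echo "unshifted id maps:      $(unshifted_idmaps "$log" | tr '\n' ' ')"
    echo "seccomp gaps:           $(unblacklisted_syscalls "$log" | tr '\n' ' ')"
    echo "dropped capabilities:   $(dropped_caps "$log" | tr '\n' ' ')"
    echo "cgroup mount failures:  $(cgroup_mount_failures "$log" | tr '\n' ' ')"
}

triage "$SAMPLE_LOG"
```

Run it against a real log by replacing SAMPLE_LOG with `"$(cat lxc-start.log)"`; a non-empty "unshifted id maps" line or any "seccomp gaps" entry means the container is less confined than the config suggests.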