[lxc-users] problem creating unprivileged containers ...

Robert Pendell shinji at elite-systems.org
Fri Jul 31 23:56:20 UTC 2015


On Fri, Jul 31, 2015 at 6:43 PM, Yonsy Solis <yonsy.s.p at gmail.com> wrote:
>
>
>
> On vie, jul 31, 2015 at 5:37 PM, Ranjib Dey <dey.ranjib at gmail.com> wrote:
>>
>> :-(  . the output looks good. check if you can create directories in /tmp
>> . run the create command with -l debug -o out.log, others will hopefully
>> point out the issue,
>
>
> Ok, content pasted here. Any help will be appreciated.
>
> ========
> ➜  ~  touch /tmp/amiga1200
> ➜  ~  touch /tmp/user/amiga1200
> touch: cannot touch ‘/tmp/user/amiga1200’: Permission denied
> ➜  ~  ll -l /tmp
> total 12K
> -rw-rw-r-- 1 yonsy yonsy    0 jul 31 17:37 amiga
> -rw-rw-r-- 1 yonsy yonsy    0 jul 31 17:38 amiga1200
> -rw-r--r-- 1 root  root   652 jul 31 16:19 apt-fast.list
> drwx------ 2 yonsy yonsy 4,0K jul 31 15:24 ssh-9GCdU9ENV3Z5
> -rw-rw-r-- 1 yonsy yonsy    0 jul 31 15:24 unity_support_test.0
> drwx--x--x 5 root  root  4,0K jul 31 15:27 user
>
> ➜  ~  lxc-create -t download -n tbase -l debug -o out.log -- -d ubuntu -r
> trusty -a amd64
> mktemp: failed to create directory via template
> ‘/tmp/user/1000/tmp.XXXXXXXXXX’: Permission denied
> lxc-create: lxccontainer.c: create_run_template: 1108 container creation
> template for tbase failed
> lxc-create: lxc_create.c: main: 274 Error creating container tbase
> ➜  ~  cat out.log
>     lxc-create 1438382389.252 WARN     lxc_log - log.c:lxc_log_init:316 -
> lxc_log_init called with log already initialized
>     lxc-create 1438382389.252 INFO     lxc_confile -
> confile.c:config_idmap:1376 - read uid map: type u nsid 0 hostid 100000
> range 65536
>     lxc-create 1438382389.252 INFO     lxc_confile -
> confile.c:config_idmap:1376 - read uid map: type g nsid 0 hostid 100000
> range 65536
>     lxc-create 1438382389.362 INFO     lxc_confile -
> confile.c:config_idmap:1376 - read uid map: type u nsid 0 hostid 100000
> range 65536
>     lxc-create 1438382389.362 INFO     lxc_confile -
> confile.c:config_idmap:1376 - read uid map: type g nsid 0 hostid 100000
> range 65536
>     lxc-create 1438382389.393 ERROR    lxc_container -
> lxccontainer.c:create_run_template:1108 - container creation template for
> tbase failed
>     lxc-create 1438382389.394 WARN     lxc_cgmanager -
> cgmanager.c:cgm_get:963 - do_cgm_get exited with error
>     lxc-create 1438382389.402 ERROR    lxc_create_ui - lxc_create.c:main:274
> - Error creating container tbase
> ➜  ~
> ========
>
>
>
> Yonsy Solis
>

I actually know this issue since I hit into it with my own installation.

It affects lxc-create and lxc-attach.

The issue is caused by pam_tmpdir.  The purpose of the pam module is
to create a secure per-user tmpdir.  The directory perms end up being
0700 which denies everyone except for the user (and root).

During container creation there is a user change as it creates the
folder structure.  It seems to need to mess around in the currently
defined TMPDIR during processing so it fails since execution inherits
the value from the currently logged in user and the secure tmpdir is
for a different userid at this point.  This also affects lxc-attach as
the container processes get the same issue (seen during apt-get
install openssh-server after lxc-attach'd and actually you get a
different error as it looks for a non-existent location).

Workaround 1: Remove pam_tmpdir although it has its uses.  For Ubuntu
the package is libpam-tmpdir.  It is pulled in as a recommend to tmux
usually.
Workaround 2: Prefix the lxc-create and lxc-attach commands with
TMPDIR=/tmp so rather than just doing "lxc-create -t download -n
container" you would do "TMPDIR=/tmp lxc-create -t download -n
container" instead.

Fix: Any way to prevent lxc-create and lxc-attach from inheriting TMPDIR?

I'm not sure if it is a bug to inherit TMPDIR when you do lxc-attach....
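A pre-flight check for the TMPDIR inheritance problem described above, added here as an example (it is not code from the thread or from LXC): it decides whether the inherited TMPDIR could be used by a different uid such as the mapped subuid from the id map in the log, and otherwise falls back to /tmp as in workaround 2. It assumes GNU `stat -c` and only looks at the "other" mode bits, ignoring ACLs.

```shell
#!/bin/sh
# Added example: choose a TMPDIR that a process running under a different
# (mapped) uid can actually create files in, or fall back to /tmp.

# Return 0 if DIR grants write and search permission to "other" users.
# A pam_tmpdir directory (mode 0700) fails this; /tmp (mode 1777) passes.
# Only the octal "other" digit is inspected; ACLs are not considered.
tmpdir_open_to_others() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    other=$(( mode % 10 ))          # last octal digit = "other" bits
    [ $(( other & 3 )) -eq 3 ]       # need write (2) and search (1)
}

# Print the TMPDIR to use: the inherited one if another uid can use it,
# otherwise /tmp (the thread's workaround 2).
choose_tmpdir() {
    if [ -n "${TMPDIR:-}" ] && tmpdir_open_to_others "$TMPDIR"; then
        printf '%s\n' "$TMPDIR"
    else
        printf '%s\n' /tmp
    fi
}

# Run a command (e.g. lxc-create or lxc-attach) with the chosen TMPDIR.
lxc_with_tmpdir() {
    TMPDIR=$(choose_tmpdir) "$@"
}

# Usage (hypothetical container name):
#   lxc_with_tmpdir lxc-create -t download -n tbase -- -d ubuntu -r trusty -a amd64
```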
