[lxc-users] Status: Debian Jessie support for unprivileged containers?

Fajar A. Nugraha list at fajar.net
Tue Oct 13 09:15:15 UTC 2015 

On Tue, Oct 13, 2015 at 3:32 PM, Christian Benke <benkokakao at gmail.com> wrote:
> Hello!
>
> I'm struggling to create an unprivileged Jessie container on a Jessie
> host. I came across this chart:
> https://www.flockport.com/lxc-and-lxd-support-across-distributions/,
> which points out that unprivileged containers are currently not
> supported on Debian Jessie.
>
> Can someone tell me if this information is up-to-date?

Looking at jessie's systemd version, yes.

> Is my struggle
> to get this working futile?

Yes, unless you're willing to compile your own systemd with ubuntu's patches.

> ~$ lxc-create -t download -n my-container -l DEBUG
> Setting up the GPG keyring
> Downloading the image index
> ---
> DIST RELEASE ARCH VARIANT BUILD
> ---
> [..]
> centos 6 i386 default 20151013_02:16
> debian wheezy amd64 default 20151012_22:42
> debian wheezy armel default 20151012_22:42
> debian wheezy armhf default 20151012_22:42
> debian wheezy i386 default 20151012_22:42
> gentoo current amd64 default 20151012_14:12
> [..]
> ---
>
> Distribution: debian
> Release: jessie
> Architecture: amd64
>
> Downloading the image index
> ERROR: Couldn't find a matching image.
> lxc_container: container creation template for my-container failed
> lxc_container: Error creating container my-container
>
>
> Creating a privileged Jessie container is not an issue. Thanks for any hints.

There are several parts to this issue.

First one, why jessie is not present on the template list. It might be
due to the fact the default jessie installation will not work as
unpriv container. Or the devs probably didn't have time to upload the
image yet.

Second, how to get the unpriv systemd container working. You'd need:
- a suitable systemd version on the host, which include ubuntu's patch
to make pam_systemd create a slice for all cgroups (and not just the
systemd cgroup). I don't think debian has a version for this (as the
patch is not upstream yet), so you might need to port ubuntu wily's
version to debian.
- a suitable systemd version on the guest. I believe systemd-224
works. You could probably backport stretch's version to jessie.

Third, how to convert a privileged container to unprivileged (assuming
you already have the second issue sorted out). One way would be:
- use a suitable container config file (a config file from unpriv
ubuntu willy should do), combined with
- a working privileged container rootfs, but with uid/gid modified
using uidmapshift (search Google or list archive for this)

So bottom line, don't bother unless you're willing to run a
"frakenstein", unsupported distro. Either retry with stretch and hope
it works better, or switch to ubuntu.

-- 
Fajar

More information about the lxc-users mailing list