[lxc-users] Something changed between 1.1.2 and 1.1.4 for unprivileged containers?

Fajar A. Nugraha list at fajar.net
Fri Oct 16 08:45:42 UTC 2015


Please keep the list in to/cc

On Fri, Oct 16, 2015 at 3:17 PM, Dirk Geschke <dirk at lug-erding.de> wrote:
> Hi Fajar,
>
>> > I'm a little bit irritated, shouldn't it be something like
>> >
>> >   /home/${USER}/.local/share/lxc/${CONTAINER}/rootfs
>> >
>> > for an unprivileged user?
>>
>> What is your exact sudo line? My guess is some old root environment is
>> still there? Using "-i" with sudo should prevent that.
>
> -i does not fix it...
>
>> If that STILL doesn't work, AND running unpriv container from a user
>> ssh session works, then try to compare the difference between what you
>> get when you ssh to that user and your su/sudo session, starting with
>> environment variable and cgroup.
>
> oh, it doesn't even run if I log in as this unprivileged user
> via ssh; still the same error:
>

You should've mentioned this earlier :)

This should work before moving into fancy things like starting from systemd.


>   $ cgm movepid all lxc-geschke $$
>   $ lxc-start -n lxc-geschke -o /var/tmp/lxc-log
>   lxc-start: lxc_start.c: main: 344 The container failed to start.
>   lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
>   lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
>
> and the log shows the same:
>
>   lxc-start 1444983074.762 ERROR    lxc_utils - utils.c:open_without_symlink:1575 - No such file or directory - Error examining fuse in /usr/local/lib/lxc/rootfs/sys/fs/fuse/connections
>   lxc-start 1444983074.762 ERROR    lxc_utils - utils.c:open_without_symlink:1575 - No such file or directory - Error examining fuse in /usr/local/lib/lxc/rootfs/sys/fs/fuse/connections
>   lxc-start 1444983074.762 ERROR    lxc_utils - utils.c:open_without_symlink:1575 - No such device or address - Error examining tty in /usr/local/lib/lxc/rootfs/dev/tty
>   lxc-start 1444983074.762 ERROR    lxc_conf - conf.c:mount_entry:1731 - No such device or address - failed to mount '/dev/tty' on '/usr/local/lib/lxc/rootfs/dev/tty'
>   lxc-start 1444983074.762 ERROR    lxc_conf - conf.c:lxc_setup:3745 - failed to setup the mount entries for 'lxc-geschke'
>   lxc-start 1444983074.762 ERROR    lxc_start - start.c:do_start:702 - failed to setup the container
>   lxc-start 1444983074.762 ERROR    lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
>   lxc-start 1444983074.801 ERROR    lxc_start - start.c:__lxc_start:1172 - failed to spawn 'lxc-geschke'
>   lxc-start 1444983079.805 ERROR    lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
>   lxc-start 1444983079.805 ERROR    lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
>   lxc-start 1444983079.805 ERROR    lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
>
> Strange, with lxc-1.1.2 this works...
>
> I still suspect there is a problem with the path which seems to have
> changed between 1.1.2 and 1.1.4.
>

Probably. I'm guessing it's part of hardening against symlink exploits.

Does /usr/local/lib/lxc/rootfs/ exist? It should be the path used to
temporarily mount the rootfs (/usr/lib/x86_64-linux-gnu/lxc in the Ubuntu
package)

-- 
Fajar
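As an added diagnostic for the missing-path suspicion in the reply above (this script is not from the thread or the LXC project), the functions below pull the `.../lxc/rootfs` prefix out of lxc-start error lines like the ones quoted and check whether that directory actually exists on the host. The sample log lines are constructed from the quoted ones; the Ubuntu path named in the hint is taken from the reply.

```shell
#!/bin/sh
# Constructed sample, modelled on the lxc-start log lines quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
lxc-start 1444983074.762 ERROR    lxc_utils - utils.c:open_without_symlink:1575 - No such file or directory - Error examining fuse in /usr/local/lib/lxc/rootfs/sys/fs/fuse/connections
lxc-start 1444983074.762 ERROR    lxc_conf - conf.c:mount_entry:1731 - No such device or address - failed to mount '/dev/tty' on '/usr/local/lib/lxc/rootfs/dev/tty'
EOF
)

# Print each distinct "<prefix>/lxc/rootfs" directory named in the log text
# given as $1. The character class stops at spaces and the quotes lxc puts
# around mount targets, so "/dev/tty" itself is not picked up.
extract_rootfs_dirs() {
    printf '%s\n' "$1" \
      | grep -o "/[^ ']*/lxc/rootfs" \
      | sort -u
}

# Return 0 if every extracted rootfs directory exists on this host,
# 1 if any is missing (printing which one, plus the Ubuntu location
# mentioned in the reply as a hint for where packaged builds put it).
check_rootfs_dirs() {
    rc=0
    for d in $(extract_rootfs_dirs "$1"); do
        if [ -d "$d" ]; then
            printf 'ok:      %s\n' "$d"
        else
            printf 'missing: %s (Ubuntu packages use /usr/lib/x86_64-linux-gnu/lxc)\n' "$d"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: check the paths referenced in the constructed sample.
check_rootfs_dirs "$SAMPLE_LOG"
```

On a host that reproduces the thread's failure, the check reports `/usr/local/lib/lxc/rootfs` as missing; point it at a real log with `check_rootfs_dirs "$(cat /var/tmp/lxc-log)"`.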

