[lxc-users] Something changed between 1.1.2 and 1.1.4 for unprivileged containers?

Mon Oct 19 05:06:36 UTC 2015

On Sun, Oct 18, 2015 at 9:42 PM, Dirk Geschke <dirk at lug-erding.de> wrote:
> Hi Fajar,
>
>> > Do you have an idea, what's going wrong?
>>
>>
>> Well, for one thing, listing the relevant part of your setup should
>> help. That includes what your container config looks like, including
>> the "few bind mounts".
>
> ah, yes, I thought it was only minor issue to fix it, so I skipped
> this part so far. Indeed, the container config is quite small
> and has only two special bind mounts for a tap interface and
> kvm in the container (I replaced the container and user name
> by geschke):
>
> $ grep -v ^# .local/share/lxc/lxc-geschke/config
>
> lxc.include = /usr/local/share/lxc/config/debian.common.conf
> lxc.include = /usr/local/share/lxc/config/debian.userns.conf
> lxc.arch = x86_64
>
> lxc.include = /usr/local/share/lxc/config/debian.common.conf
> lxc.include = /usr/local/share/lxc/config/debian.userns.conf
> lxc.arch = x86_64

Why the double entry?

Probably doesn't matter, but try removing one of them anyway.

> lxc.id_map = u 0 624288 65536
> lxc.id_map = g 0 624288 65536
> lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
> lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
> lxc.mount.entry = /opt/images opt/images none bind,create=dir 0 0
>
> lxc.rootfs = /home/geschke/.local/share/lxc/lxc-geschke/rootfs
> lxc.utsname = lxc-geschke
>
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> lxc.network.flags = up
> lxc.network.hwaddr = 00:16:3e:6c:fc:1a
>
> The container runs without problems with 1.1.2. It is a debian wheezy
> version upgraded to jessie without systemd.
>
> The idea was to start it per init-script, which worked with 1.1.2
> But actually we are at the point where I log in as the unprivileged
> user, start the container with lxc-start and it fails. But if I add
> the -F option, it seems to work without major problems:
>
> $ lxc-start --version
> 1.1.4
>

At this point I'm inclined to think the problem might be specific to
your setup. Perhaps something leftover from 1.1.2 is causing havoc,
like lxc-start from 1.1.4 using liblxc1 from 1.1.2? I suggest you
create a test system (e.g. with kvm/virtualbox) and try to replicate
the setup, but this time installing jessie and lxc directly (not
upgraded), and see if the problem persists.

Here's a documentation of my test system with jessie and lxc-1.1.4:
http://debian-lxc.github.io/

I've also changed the host's init to sysvinit and modify my container
config to match your bind-mount setups. Other than the fact that I had
to create /dev/kvm with mknod manually on the host (since virtualbox
does not support hardware acceleration for kvm), my unpriv container
can start correctly.

### container config
user at debian:~$ egrep -v '#|(^\s*$)' .local/share/lxc/c1/config
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
lxc.arch = x86_64
lxc.id_map = u 0 624288 65536
lxc.id_map = g 0 624288 65536
lxc.aa_allow_incomplete = 1
lxc.rootfs = /home/user/.local/share/lxc/c1/rootfs
lxc.utsname = c1
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:92:62:71
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
lxc.mount.entry = /opt/images opt/images none bind,create=dir 0 0

### on the container
root at c1:~# mount | egrep "tun|kvm|images"
udev on /dev/net/tun type devtmpfs
(rw,relatime,size=10240k,nr_inodes=249109,mode=755)
udev on /dev/kvm type devtmpfs
(rw,relatime,size=10240k,nr_inodes=249109,mode=755)
/dev/sda1 on /opt/images type ext4 (rw,relatime,stripe=2,data=ordered)

root at c1:~# cat /proc/self/cgroup
10:name=systemd:/users/user/lxc/c1
9:perf_event:/users/user/lxc/c1
8:net_prio:/users/user/lxc/c1
7:net_cls:/users/user/lxc/c1
6:freezer:/users/user/lxc/c1
5:devices:/users/user/lxc/c1
4:cpuset:/users/user/lxc/c1
3:cpuacct:/users/user/lxc/c1
2:cpu:/users/user/lxc/c1
1:blkio:/users/user/lxc/c1

root at c1:~# cat /proc/self/uid_map
         0     624288      65536

root at c1:/# cat /etc/debian_version
8.2

-- 
Fajar