[lxc-users] trouble starting (or maybe creating?) unprivileged containers as a user
Jonathan Zacsh
jzacsh at gmail.com
Thu Jul 7 16:16:03 UTC 2016
Since posting this, I realized my networking config may be confusing
other things, then managed to find old threads on this list that
helped (sorry, I didn't find them all before). Not solved yet, but I figure
I should share progress in case others also have trouble:
I tried - and with help from
http://permalink.gmane.org/gmane.linux.kernel.containers.lxc.general/6765
succeeded - to create/start a container *without* network:
$ sudo cgm create all $USER
$ sudo cgm chown all $USER $(id -u) $(id -g) # failed with, "call to
cgmanager_chown_sync failed: invalid request", so i rebooted at this
point
$ cgm movepid all $USER $$
Then this https://wiki.debian.org/LXC/SimpleBridge article got me
through setting up a container with a network:
$ cat /etc/default/lxc-net
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DOMAIN=""
$ systemctl enable lxc-net && systemctl start lxc-net
$ cat /proc/self/cgroup
9:devices:/user.slice
8:freezer:/user/jzacsh/1
7:net_cls,net_prio:/
6:blkio:/user.slice
5:cpuset:/
4:pids:/user.slice/user-1000.slice
3:perf_event:/
2:cpu,cpuacct:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-3.scope
And now I'm just debugging /dev/tty errors.
Output from the log file from: lxc-start -n unittests -l info --logfile
lxc-start 20160707114509.303 INFO lxc_start_ui -
lxc_start.c:main:264 - using rcfile
/home/jzacsh/.local/share/lxc/unittests/config
lxc-start 20160707114509.303 WARN lxc_confile -
confile.c:config_pivotdir:1879 - lxc.pivotdir is ignored. It will
soon become an error.
lxc-start 20160707114509.304 WARN lxc_confile -
confile.c:config_pivotdir:1879 - lxc.pivotdir is ignored. It will
soon become an error.
lxc-start 20160707114509.304 INFO lxc_confile -
confile.c:config_idmap:1500 - read uid map: type u nsid 0 hostid
1476256 range 65536
lxc-start 20160707114509.304 INFO lxc_confile -
confile.c:config_idmap:1500 - read uid map: type g nsid 0 hostid
1476256 range 65536
lxc-start 20160707114509.306 WARN lxc_cgmanager -
cgmanager.c:cgm_get:989 - do_cgm_get exited with error
lxc-start 20160707114509.306 INFO lxc_start -
start.c:lxc_check_inherited:251 - closed inherited fd 4
lxc-start 20160707114509.318 INFO lxc_container -
lxccontainer.c:do_lxcapi_start:797 - Attempting to set proc title to
[lxc monitor] /home/jzacsh/.local/share/lxc unittests
lxc-start 20160707114509.318 INFO lxc_lsm -
lsm/lsm.c:lsm_init:48 - LSM security driver nop
lxc-start 20160707114509.318 INFO lxc_seccomp -
seccomp.c:parse_config_v2:342 - processing: .reject_force_umount #
comment this to allow umount -f; not recommended.
lxc-start 20160707114509.318 INFO lxc_seccomp -
seccomp.c:parse_config_v2:446 - Adding native rule for
reject_force_umount action 0
lxc-start 20160707114509.318 INFO lxc_seccomp -
seccomp.c:do_resolve_add_rule:216 - Setting seccomp rule to reject
force umounts
lxc-start 20160707114509.318 INFO lxc_seccomp -
seccomp.c:parse_config_v2:449 - Adding compat rule for
reject_force_umount action 0
lxc-start 20160707114509.318 INFO lxc_seccomp -
seccomp.c:do_resolve_add_rule:216 - Setting seccomp rule to reject
force umounts
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:342 - processing: .[all].
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:342 - processing: .kexec_load errno 1.
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:446 - Adding native rule for kexec_load
action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:449 - Adding compat rule for kexec_load
action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:342 - processing: .open_by_handle_at errno
1.
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:446 - Adding native rule for
open_by_handle_at action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:449 - Adding compat rule for
open_by_handle_at action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:342 - processing: .init_module errno 1.
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:446 - Adding native rule for init_module
action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:449 - Adding compat rule for init_module
action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:342 - processing: .finit_module errno 1.
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:446 - Adding native rule for finit_module
action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:449 - Adding compat rule for finit_module
action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:342 - processing: .delete_module errno 1.
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:446 - Adding native rule for delete_module
action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:449 - Adding compat rule for delete_module
action 327681
lxc-start 20160707114509.319 INFO lxc_seccomp -
seccomp.c:parse_config_v2:456 - Merging in the compat seccomp ctx into
the main one
lxc-start 20160707114509.319 INFO lxc_start -
start.c:lxc_check_inherited:251 - closed inherited fd 4
lxc-start 20160707114509.333 INFO lxc_monitor -
monitor.c:lxc_monitor_sock_name:178 - using monitor sock name
lxc/5148f99bf93f691d//home/jzacsh/.local/share/lxc
lxc-start 20160707114509.368 INFO lxc_start -
start.c:lxc_init:488 - 'unittests' is initialized
lxc-start 20160707114509.369 INFO lxc_start -
start.c:resolve_clone_flags:1013 - Cloning a new user namespace
lxc-start 20160707114509.370 INFO lxc_cgroup -
cgroup.c:cgroup_init:68 - cgroup driver cgmanager initing for
unittests
lxc-start 20160707114509.457 NOTICE lxc_start -
start.c:do_start:777 - switching to gid/uid 0/0 in new user namespace
lxc-start 20160707114509.458 INFO lxc_conf -
conf.c:setup_utsname:843 - 'unittests' hostname has been setup
lxc-start 20160707114509.461 INFO lxc_conf -
conf.c:setup_network:2393 - network has been setup
lxc-start 20160707114509.461 INFO lxc_conf -
conf.c:mount_autodev:1072 - Mounting container /dev
lxc-start 20160707114509.461 INFO lxc_conf -
conf.c:mount_autodev:1095 - Mounted tmpfs onto
/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev
lxc-start 20160707114509.461 INFO lxc_conf -
conf.c:mount_autodev:1113 - Mounted container /dev
lxc-start 20160707114509.462 ERROR lxc_conf -
conf.c:mount_entry:1650 - No such device or address - failed to mount
'/dev/tty' on '/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/tty'
lxc-start 20160707114509.462 ERROR lxc_conf -
conf.c:lxc_setup:3731 - failed to setup the mount entries for
'unittests'
lxc-start 20160707114509.462 ERROR lxc_start -
start.c:do_start:833 - failed to setup the container
lxc-start 20160707114509.462 ERROR lxc_sync -
sync.c:__sync_wait:57 - An error occurred in another process (expected
sequence number 3)
lxc-start 20160707114509.462 ERROR lxc_start -
start.c:__lxc_start:1353 - failed to spawn 'unittests'
lxc-start 20160707114509.500 INFO lxc_conf -
conf.c:run_script_argv:367 - Executing script
'/usr/share/lxcfs/lxc.reboot.hook' for container 'unittests', config
section 'lxc'
lxc-start 20160707114510.005 INFO lxc_conf -
conf.c:run_script_argv:367 - Executing script
'/usr/share/lxcfs/lxc.reboot.hook' for container 'unittests', config
section 'lxc'
lxc-start 20160707114510.508 WARN lxc_commands -
commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to
receive response
lxc-start 20160707114510.509 WARN lxc_cgmanager -
cgmanager.c:cgm_get:989 - do_cgm_get exited with error
lxc-start 20160707114515.512 ERROR lxc_start_ui -
lxc_start.c:main:344 - The container failed to start.
lxc-start 20160707114515.513 ERROR lxc_start_ui -
lxc_start.c:main:346 - To get more details, run the container in
foreground mode.
lxc-start 20160707114515.513 ERROR lxc_start_ui -
lxc_start.c:main:348 - Additional information can be obtained by
setting the --logfile and --logpriority options.
On Thu, Jul 7, 2016 at 9:34 AM, Jonathan Zacsh <jzacsh at gmail.com> wrote:
> Hi all,
>
> I'm having trouble starting an unprivileged lxc container as a user
> (or maybe I'm not creating them
> properly?) For reference, this is what I followed initially:
> https://linuxcontainers.org/lxc/getting-started/#creating-unprivileged-containers-as-a-user
> (and eventually tacked on more as I searched the web to troubleshoot:
> see URLs/comments in config below).
>
> Below my signature, I listed relevant lxc config and lxc command
> lines, then a handful of
> debugging info I've seen is usually asked for with regard to lxc.
>
> Any help/tips are much appreciated!
> Jon
>
>
> == My LXC Commands & Config:
>
> $ lxc-create --name unittests -t download -f ~/.config/lxc/default.conf
> snipped: various permissions errors I didn't save...
>
> $ sudo sh -c 'echo 1 > /proc/sys/kernel/unprivileged_userns_clone'
>
> $ lxc-create --name unittests -t download -f ~/.config/lxc/default.conf
> Setting up the GPG keyring
> Downloading the image index
> ---
> DIST RELEASE ARCH VARIANT BUILD
> ---
> alpine 3.0 amd64 default 20160630_17:50
> ... snipped
> debian sid amd64 default 20160705_22:42
> ... snipped
> ubuntu yakkety s390x default 20160706_03:49
> ---
> Distribution: debian
> Release: sid
> Architecture: amd64
>
> Using image from local cache
> Unpacking the rootfs
> ---
> You just created a Debian container (release=sid, arch=amd64, variant=default)
>
> To enable sshd, run: apt-get install openssh-server
>
> For security reason, container images ship without user accounts
> and without a root password.
>
> Use lxc-attach or chroot directly into the rootfs to set a root password
> or create user accounts.
>
> $ lxc-start --foreground --logfile
> ./post-reboot_create-unprivileged.log --name unittests
> Error attaching veth9VMB7O to lxcbr0
> Quota reached
> lxc-start: start.c:
> lxc_spawn: 1197 failed to create the configured network
>
> lxc-start:
> start.c: __lxc_start: 1353 failed to spawn 'unittests'
>
>
> lxc-start: lxc_start.c:
> main: 344 The container failed to start.
> lxc-start: lxc_start.c: main: 348 Additional information can be
> obtained by setting the --logfile and --logpriority options.
>
> $ cat ./post-reboot_create-unprivileged.log
> lxc-start 20160706233007.226 ERROR lxc_start -
> start.c:lxc_spawn:1197 - failed to create the configured network
> lxc-start 20160706233007.227 ERROR lxc_start -
> start.c:__lxc_start:1353 - failed to spawn 'unittests'
> lxc-start 20160706233008.272 ERROR lxc_start_ui -
> lxc_start.c:main:344 - The container failed to start.
> lxc-start 20160706233008.272 ERROR lxc_start_ui -
> lxc_start.c:main:348 - Additional information can be obtained by
> setting the --logfile and --logpriority options.
>
> == My Debugging Info
>
> $ uname -a # debian sid
> Linux theswan 4.6.0-1-amd64 #1 SMP Debian 4.6.3-1 (2016-07-04) x86_64 GNU/Linux
>
> $ cat /proc/sys/kernel/unprivileged_userns_clone && cat
> /sys/fs/cgroup/cpuset/cgroup.clone_children
> 1
> 1
>
> $ echo "USER: $USER" && cat /etc/lxc/lxc-usernet # same errors even
> if I set this to 100 or 1000
> USER: jzacsh
> jzacsh veth lxcbr0 10
>
>
> $ cat ~/.config/lxc/default.conf
> # from lxc-create's error output
> lxc.include = /etc/lxc/default.conf
>
> # trouble with unprivileged-create permissions
> # .. trying from: https://unix.stackexchange.com/a/177031
> lxc.include = /usr/share/lxc/config/debian.common.conf
> lxc.include = /usr/share/lxc/config/debian.userns.conf
>
> lxc.arch = x86_64
>
> # from https://help.ubuntu.com/lts/serverguide/lxc.html
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> # ... from https://www.flockport.com/lxc-using-unprivileged-containers/
> lxc.network.flags = up
> lxc.network.hwaddr = 00:16:3e:xx:xx:xx
>
> # ... for nested containers:
> lxc.mount.auto = cgroup
> lxc.aa_profile = lxc-container-default-with-nesting
>
> # from lxc-create's error output
> lxc.id_map = u 0 1476256 65536
> lxc.id_map = g 0 1476256 65536
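An added example, not part of the original thread and not LXC's own code: a POSIX shell script that checks the preconditions this thread works through, written as functions over text so they can be run on pasted output (the post's own /proc/self/cgroup, lxc-usernet and id_map values are used as constructed test input). It verifies that the lxc.id_map range is contained in the user's /etc/subuid and /etc/subgid allocation (lxc enforces this, which is what keeps an unprivileged user from mapping container root onto host ids it does not own), reads what veth quota /etc/lxc/lxc-usernet grants on lxcbr0, and lists the cgroup controllers in which the shell still sits in the root cgroup "/", where an unprivileged user cannot create children. It also tries to open /dev/tty: /dev/tty is the process's controlling terminal, and opening it with none present fails with ENXIO, which is the "No such device or address" errno in the log above; whether that is the cause of the post's /dev/tty mount failure is not established here, it is only a cheap thing to rule out. The config path ~/.config/lxc/default.conf and the bridge name lxcbr0 come from the post; the function names and the --run convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from LXC: pre-flight checks for
# an unprivileged container. The pure functions take text so they can be run on
# pasted output; preflight() reads the live system and only runs with --run.
# Function names and the --run convention are this example's own assumptions.

# idmap_within_subid MAP SUBLINE
#   MAP:     value of an lxc.id_map line, e.g. "u 0 1476256 65536"
#   SUBLINE: the user's /etc/subuid or /etc/subgid line, "user:start:count"
# Returns 0 when the mapped host range [hostid, hostid+range) lies inside
# [start, start+count). lxc refuses maps outside the allocation: that is what
# stops an unprivileged user mapping container root onto host ids it does not own.
idmap_within_subid() {
    map_hostid=$(printf '%s\n' "$1" | awk '{ print $3 }')
    map_range=$(printf '%s\n' "$1" | awk '{ print $4 }')
    sub_start=$(printf '%s\n' "$2" | cut -d: -f2)
    sub_count=$(printf '%s\n' "$2" | cut -d: -f3)
    [ "$map_hostid" -ge "$sub_start" ] &&
        [ $((map_hostid + map_range)) -le $((sub_start + sub_count)) ]
}

# usernet_quota USERNET_TEXT USER TYPE LINK
#   Prints how many TYPE devices USER may attach to LINK according to the text
#   of /etc/lxc/lxc-usernet (0 if no line grants any). The setuid helper
#   lxc-user-nic enforces the number by counting the entries it records in
#   /run/lxc/nics, so "Quota reached" reflects that file, not live interfaces.
usernet_quota() {
    printf '%s\n' "$1" | awk -v u="$2" -v t="$3" -v l="$4" \
        '$1 == u && $2 == t && $3 == l { n = $4 } END { print n + 0 }'
}

# root_cgroup_controllers CGROUP_TEXT
#   Given the text of /proc/self/cgroup, prints (one per line) the controllers
#   in which this process is still in the root cgroup "/". Root-owned cgroup
#   directories cannot be given children by an unprivileged user, which is why
#   the thread moves the shell into a user-owned cgroup with cgm first.
root_cgroup_controllers() {
    printf '%s\n' "$1" | awk -F: '$2 != "" && $3 == "/" { print $2 }'
}

# preflight: run the checks against this system. Returns 1 on any FAIL.
preflight() {
    me=$(id -un); rc=0
    conf="$HOME/.config/lxc/default.conf"   # expects "lxc.id_map = u 0 START RANGE"

    sysctl=/proc/sys/kernel/unprivileged_userns_clone   # Debian-specific knob
    if [ -r "$sysctl" ] && [ "$(cat "$sysctl")" != 1 ]; then
        echo "FAIL $sysctl is 0: unprivileged user namespaces are disabled"; rc=1
    fi

    for t in u g; do
        f=/etc/subuid; [ "$t" = g ] && f=/etc/subgid
        map=$(awk -v t="$t" '$1 == "lxc.id_map" && $3 == t { print $3, $4, $5, $6 }' "$conf")
        sub=$(grep "^$me:" "$f" | head -n 1)
        if [ -n "$map" ] && [ -n "$sub" ] && idmap_within_subid "$map" "$sub"; then
            echo "ok   id_map '$map' inside $f entry '$sub'"
        else
            echo "FAIL id_map '$map' not covered by $f entry '$sub'"; rc=1
        fi
    done

    q=$(usernet_quota "$(cat /etc/lxc/lxc-usernet)" "$me" veth lxcbr0)
    [ "$q" -gt 0 ] && echo "ok   $me may attach $q veth(s) to lxcbr0" \
                   || { echo "FAIL no veth quota for $me on lxcbr0"; rc=1; }

    roots=$(root_cgroup_controllers "$(cat /proc/self/cgroup)")
    if [ -n "$roots" ]; then
        echo "FAIL shell is in the root cgroup for: $(printf '%s ' $roots)"; rc=1
    fi
    while IFS=: read -r _ ctrl path; do          # do we own our own cgroup dirs?
        [ -n "$ctrl" ] || continue
        dir="/sys/fs/cgroup/${ctrl#name=}$path"
        [ -O "$dir" ] || { echo "FAIL $dir is not owned by $me"; rc=1; }
    done < /proc/self/cgroup

    # /dev/tty is the controlling terminal; opening it with none present fails
    # with ENXIO, "No such device or address", the errno in the post's log.
    if ( : < /dev/tty ) 2>/dev/null; then echo "ok   controlling terminal present"
    else echo "WARN no controlling terminal: a bind mount of /dev/tty will fail"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = --run ]; then preflight; fi
```

Run it as `sh lxc-preflight.sh --run` from the same shell you intend to start the container from: the cgroup and controlling-terminal checks describe the calling process, so running it through sudo, cron or a non-interactive ssh session answers a different question than the one you are asking.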