[lxc-users] lxc-2.0.1 can't start unprivileged container

Serge E. Hallyn serge at hallyn.com
Thu Jun 9 20:31:02 UTC 2016


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Thu, Jun 09, 2016 at 12:56:55PM -0700, Mike Wright wrote:
> > On 06/09/2016 12:40 PM, Stéphane Graber wrote:
> > >Sounds like your host /proc is over-mounted which triggers a protection
> > >mechanism in the kernel that prevents an unprivileged user from mounting
> > >it.
> > >
> > >Look in your host's /proc/mounts for any mountpoint under /proc, try
> > >unmounting them one by one until you find the one that's triggering the
> > >protection.
> > 
> > Thanks Stéphane,
> > 
> > Here's what's there:
> > 
> > grep proc /proc/mounts:
> > 
> > proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
> > 
> > systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct 0 0
> > 
> > xenfs /proc/xen xenfs rw,relatime 0 0
> > 
> > I don't think I can safely remove any of those.  Any other ideas?
> 
> I don't expect either of those to be in active constant use, so you can
> still try unmounting them temporarily.
> 
> An alternative is to mount /proc somewhere else on the host where it's
> not hidden by those mounts.
> 
> For example:
>  - mkdir /mnt/proc
>  - mount -t proc proc /mnt/proc

Right, that's what we do with /usr/share/lxc/config/nesting.conf
for the analogous reason in nesting cases.
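A small diagnostic for the condition discussed in this thread, added here as an example and not code from the thread or from LXC: it lists every mountpoint nested below /proc (the over-mounts that trip the kernel's check on unprivileged proc mounts), so a host can be inspected before trying the unmount or the /mnt/proc workaround. The sample /proc/mounts content is constructed from the lines quoted above; the function names are my own.

```shell
# Constructed sample in /proc/mounts format, modelled on the lines quoted in
# the thread plus one unrelated sysfs entry.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct 0 0
xenfs /proc/xen xenfs rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

# proc_overmounts [FILE]: print "<fstype> <mountpoint>" for every mount whose
# mountpoint lies strictly below /proc. FILE defaults to the live /proc/mounts.
# Field 2 of /proc/mounts is the mountpoint (spaces in it are octal-escaped,
# so whitespace splitting is safe); field 3 is the filesystem type.
proc_overmounts() {
    awk '$2 ~ "^/proc/" { print $3, $2 }' "${1:-/proc/mounts}"
}

# proc_overmount_count [FILE]: number of such mounts; 0 means nothing is
# hiding part of /proc and this particular check will not block the mount.
proc_overmount_count() {
    proc_overmounts "$1" | wc -l | tr -d ' '
}

# Demonstration against the constructed sample rather than the live host.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
proc_overmounts "$tmp"
echo "over-mounts under /proc: $(proc_overmount_count "$tmp")"
rm -f "$tmp"
```

Run `proc_overmounts` with no argument on the host to inspect the real /proc/mounts; each line it prints is a candidate for the temporary unmount Stéphane suggests.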
