[lxc-users] lxc-2.0.1 can't start unprivileged container

Mike Wright nobody at nospam.hostisimo.com
Thu Jun 9 21:27:44 UTC 2016


On 06/09/2016 01:13 PM, Stéphane Graber wrote:
> On Thu, Jun 09, 2016 at 12:56:55PM -0700, Mike Wright wrote:
>> On 06/09/2016 12:40 PM, Stéphane Graber wrote:
>>> Sounds like your host /proc is over-mounted which triggers a protection
>>> mechanism in the kernel that prevents an unprivileged user from mounting
>>> it.
>>>
>>> Look in your host's /proc/mounts for any mountpoint under /proc, try
>>> unmounting them one by one until you find the one that's triggering the
>>> protection.
>>
>> Thanks Stéphane,
>>
>> Here's what's there:
>>
>> grep proc /proc/mounts:
>>
>> proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
>>
>> systemd-1 /proc/sys/fs/binfmt_misc autofs
>> rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct 0 0
>>
>> xenfs /proc/xen xenfs rw,relatime 0 0
>>
>> I don't think I can safely remove any of those.  Any other ideas?
>
> I don't expect either of those to be in active constant use, so you can
> still try unmounting them temporarily.
>
> An alternative is to mount /proc somewhere else on the host where it's
> not hidden by those mounts.
>
> For example:
>   - mkdir /mnt/proc
>   - mount -t proc proc /mnt/proc

Success!

Created /alt/proc and mounted another proc there.  Unprivileged
container started.  But I don't understand.

Don't the multiple procs conflict with each other in any way?  How did
lxc find the correct proc to use?

There were two privileged containers running already without problems,
and I used to run some unprivileged containers with lxc-1.

Do I just accept this as a new fact of life with lxc and add a mount
proc line to fstab?

(Sorry for being dimwitted).
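The check Stéphane suggests above (look in /proc/mounts for anything mounted under /proc) and the reason the /alt/proc workaround satisfies the kernel, as an added shell example that is not part of the original thread. The kernel's protection refuses to let a user namespace mount proc when every existing proc mount in the host's mount namespace is over-mounted; mounting a second, fully visible proc anywhere on the host is enough. The script parses a constructed /proc/mounts sample modelled on the poster's output; the function names are my own, and the `--live` switch reads the real /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not from the thread: find mounts stacked under /proc and
# report whether any proc mount on the host is fully visible.

# Constructed sample in /proc/mounts format, modelled on the poster's grep output.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct 0 0
xenfs /proc/xen xenfs rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

# proc_overmounts CONTENT: print "mountpoint fstype" for each mount whose
# mountpoint lies strictly below /proc (these hide parts of /proc).
proc_overmounts() {
    printf '%s\n' "$1" | awk '$2 ~ "^/proc/" { print $2, $3 }'
}

# count_proc_overmounts CONTENT: number of such over-mounts.
count_proc_overmounts() {
    proc_overmounts "$1" | wc -l | tr -d ' '
}

# visible_proc_mounts CONTENT: print the mountpoint of every proc-type mount
# that has no other mount below it. An empty result means the unprivileged
# mount will be refused; any line means a fully visible proc exists.
visible_proc_mounts() {
    printf '%s\n' "$1" | awk '
        { mp[NR] = $2; fs[NR] = $3 }
        END {
            for (i = 1; i <= NR; i++) {
                if (fs[i] != "proc") continue
                hidden = 0
                for (j = 1; j <= NR; j++)
                    if (j != i && index(mp[j], mp[i] "/") == 1) hidden = 1
                if (!hidden) print mp[i]
            }
        }'
}

# report CONTENT: human-readable summary of the two checks above.
report() {
    echo "mounts stacked under /proc:"
    proc_overmounts "$1" | sed 's/^/  /'
    if [ -n "$(visible_proc_mounts "$1")" ]; then
        echo "fully visible proc mount(s): $(visible_proc_mounts "$1" | tr '\n' ' ')"
    else
        echo "no fully visible proc mount: unprivileged proc mounts will be refused"
    fi
}

# Run against the live host with --live, otherwise against the sample.
if [ "${1:-}" = "--live" ]; then
    report "$(cat /proc/mounts)"
else
    report "$SAMPLE_MOUNTS"
fi
```

On the poster's host the sample reports two over-mounts and no visible proc; appending a line such as `proc /alt/proc proc rw,relatime 0 0` (the workaround that worked) makes `/alt/proc` show up as the visible one, which is what the unprivileged container's mount relies on.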
