[lxc-users] Starting unprivileged lxc container with sudo?

Gordon gordonmc at cox.net
Mon Mar 7 18:36:10 UTC 2016 

All this is on an Ubuntu 14.04 server setup.

I've got a nice little (Intel NUC) server set up with several 
containers. I've created a completely unprivileged (call the user 
unpriv) user with no sudo access that owns all the containers. I've also 
got another account that I use for administration with full sudo access 
(call it priv).

I'm able to use the priv account to create and delete containers using 
sudo just fine. I just haven't been able to use sudo to start or stop 
containers from the priv account. I have to actually log in to the 
unpriv account to do that.

This is what I get when I try to start a container:

$ sudo -u unpriv -H lxc-start -n apachetest
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
WARN: could not reopen tty: Permission denied
lxc_container: cgmanager.c: lxc_cgmanager_create: 301 call to 
cgmanager_create_sync failed: invalid request
lxc_container: cgmanager.c: lxc_cgmanager_create: 303 Failed to create 
hugetlb:lxc/apachetest
lxc_container: cgmanager.c: cgm_create: 650 Error creating cgroup 
hugetlb:lxc/apachetest
lxc_container: start.c: lxc_spawn: 891 failed creating cgroups
lxc_container: start.c: __lxc_start: 1121 failed to spawn 'apachetest'
lxc_container: lxc_start.c: main: 341 The container failed to start.
lxc_container: lxc_start.c: main: 345 Additional information can be 
obtained by setting the --logfile and --logpriority options.

More information about the lxc-users mailing list