[lxc-users] Error while trying to create/start unprivilege containers/ Bug report ?

Fajar A. Nugraha list at fajar.net
Fri May 13 09:19:06 UTC 2016

On Fri, May 13, 2016 at 3:05 PM, Rémy Dernat <remy.d1 at gmail.com> wrote:

> Hi,
> I am new on lxc, although, I used other container technologies in the
> past.
> I choose to switch to lxc for the userspace capabilties.

How do you define "userpace"?

if you mean "lxc can be started by non-root users", root still needs to
perform some configurations to allow them do so.

> I followed this tutorial: https://help.ubuntu.com/lts/serverguide/lxc.html
Works for me.

For my first tests of lxc I was quite disappointed; the creation of
> containers works fine as sudo, but not when you try to run it as non-root
> user: http://paste.debian.net/683686/
> Debug informations: http://paste.debian.net/683687/
Did you mix sudo in the commands? e.g. when using lxc-create, or mkdir?

In general, you should NOT do so. For unprivileged containers, commands
must be run as normal user. And DON'T run it as root while su/sudo-ing to
the user either, it won't work. use "ssh" to login as the user.

The exception is when preparing the system (e.g. installing packages,
modifying /etc/sub[ug]id, /etc/lxc/lxc-usernet), where you (obivously) must
be root.

Try again with a fresh system. Or, for test purposes, use a container with
nesting enabled (e.g.
https://insights.ubuntu.com/2016/04/15/lxd-2-0-lxd-in-lxd-812/ , setting
security.nesting: true, and use THAT as your 'host')

> I also read this thread on ubuntuask:
> http://askubuntu.com/questions/623789/problem-setting-up-a-user-space-lxc-container
> But running its script and installing lxc from ppa archive in version 2.0
> did not change anything. Note that everything works as expected on ubuntu
> 16.04 (from Ubuntu apt official repositories; I did not try the lxc ppa).
> This problem only occurs on ubuntu 14.04.

Just tested this on a container-with-nesting-enabled as 14.04 host:
as root:

add-apt-repository ppa:ubuntu-lxc/lxc-stable
apt-get update
apt-get install lxc

as normal user (ssh as the existing "ubuntu" user, then following the guide
you linked, 'Basic unprivileged usage'):

mkdir -p ~/.config/lxc
echo "lxc.id_map = u 0 100000 65536" > ~/.config/lxc/default.conf
echo "lxc.id_map = g 0 100000 65536" >> ~/.config/lxc/default.conf
echo "lxc.network.type = veth" >> ~/.config/lxc/default.conf
echo "lxc.network.link = lxcbr0" >> ~/.config/lxc/default.conf
echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet

cat /proc/self/cgroup
lxc-create -t download -n u1 -- -d ubuntu -r xenial -a amd64
lxc-start -n u1
lxc-attach -n u1

The the "cat /proc/self/group" command, I use it to check whether to user
session is already on it's own cgroup. In my case it looks like this:
$ cat /proc/self/cgroup

... while on a "normal" host it should look like this:
$ cat /proc/self/cgroup

The important thing is that there are some cgroups (e.g. memory,
name=systemd) which starts with "user-$UID.slice" or "user/$USER". On newer
systems, this is created by libpam-cgfs. If you've installed older versions
of lxc, you might still have 'cgmanager' and 'libpam-systemd', which might
interfere with the correct functions. You might be hitting these limitation.

So again, my suggestion:
- start with a fresh system as host. fresh install, VM,
nesting-enabled-container, whatever
- add ubuntu-lxc/lxc-stable ppa, install lxc. Make sure you have latest
version (2.0.0-0ubuntu2~ubuntu14.04.1~ppa1 on my test)
- use ssh to login as the user. Do NOT use su/sudo
- follow the example

If you CAN'T start with a fresh system, then you could probably have some
luck by uninstalling old packages first (lxc, cgmanager, libpam-systemd,
etc). I haven't test this though, and you might end up wasting time. Always
use fresh system for testing purposes whenever possible.

One last possibly-obvious suggestion: if you can start over with 16.04, do
so, and use lxd. nicer, easier, cleaner. You can then create a
nesting-capable-container for each of your users, and let them manage it
(including creating their own containers under it)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160513/38c4d506/attachment.html>

More information about the lxc-users mailing list