[lxc-users] Running unprivileged container nested inside docker

Eytan Heidingsfeld eytanh at gmail.com
Wed Apr 25 17:03:15 UTC 2018


Hi,
I know this is definitely not on the list of things regularly tested, but I
have a scenario where I'm trying to run an unprivileged LXC container inside
a docker container. The docker container is privileged and I would like the
LXC container to be unprivileged.
I have set up /etc/subuid and /etc/subgid in both the host and the docker
container.
Currently lxc-start fails with: lxc_conf - conf.c:lxc_setup_rootfs:1323 -
Failed to mount rootfs "/data/vm/mount/bind/rootdir" onto
"/usr/lib/x86_64-linux-gnu/lxc" with options "(null)" (lxc-3.0).

I don't understand why it is failing the mount, using strace I can see:
565   access("/usr/lib/x86_64-linux-gnu/lxc", F_OK) = 0
565   stat("/data/rootdir", 0x7ffcd1c5a7f0) = -1 EACCES (Permission denied)

Where /data/rootdir is my rootdir for the container and its contents are
with the subuid/subgid I allocated.

Longer quote from log:
lxc-start container 20180425170139.363 INFO     lxc_start -
start.c:do_start:1070 - Unshared CLONE_NEWNET
lxc-start container 20180425170139.364 DEBUG    lxc_conf -
conf.c:idmaptool_on_path_and_privileged:2745 - The binary
"/usr/bin/newuidmap" does have the setuid bit set
lxc-start container 20180425170139.364 DEBUG    lxc_conf -
conf.c:idmaptool_on_path_and_privileged:2745 - The binary
"/usr/bin/newgidmap" does have the setuid bit set
lxc-start container 20180425170139.364 DEBUG    lxc_conf -
conf.c:lxc_map_ids:2833 - Functional newuidmap and newgidmap binary found
lxc-start container 20180425170139.370 DEBUG    lxc_start -
start.c:lxc_spawn:1668 - Preserved net namespace via fd 10
lxc-start container 20180425170139.388 DEBUG    lxc_network -
network.c:lxc_network_move_created_netdev_priv:2479 - Moved network device
"vethVGW02V"/"(null)" to network namespace of 657
lxc-start container 20180425170139.388 NOTICE   lxc_utils -
utils.c:lxc_switch_uid_gid:2029 - Switched to gid 0.
lxc-start container 20180425170139.388 NOTICE   lxc_utils -
utils.c:lxc_switch_uid_gid:2035 - Switched to uid 0.
lxc-start container 20180425170139.388 NOTICE   lxc_utils -
utils.c:lxc_setgroups:2047 - Dropped additional groups.
lxc-start container 20180425170139.389 INFO     lxc_start -
start.c:do_start:1177 - Unshared CLONE_NEWCGROUP
lxc-start container 20180425170139.393 ERROR    lxc_conf -
conf.c:lxc_setup_rootfs:1323 - Failed to mount rootfs "/data/rootdir" onto
"/usr/lib/x86_64-linux-gnu/lxc" with options "(null)"
lxc-start container 20180425170139.393 ERROR    lxc_conf -
conf.c:do_rootfs_setup:3266 - Failed to setup rootfs for
lxc-start container 20180425170139.393 ERROR    lxc_conf -
conf.c:lxc_setup:3311 - Failed to setup rootfs

Any clues where to look?

Thanks,
Eytan
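The `stat("/data/rootdir") = -1 EACCES` in the strace above is the usual signature of a directory somewhere on the path that the container's host-side uid cannot traverse: after "Switched to uid 0" lxc-start is running as the host uid that container root maps to (the start of the /etc/subuid range), so every ancestor of the rootfs needs search (x) permission for that uid. The following is an added diagnostic, not code from the thread or from LXC; the subuid line and the user name `lxcuser` are constructed, and it checks plain mode bits only (no ACLs, capabilities or supplementary groups).

```python
import os
import stat
from pathlib import Path

# Constructed sample /etc/subuid content for the host user running lxc-start.
SAMPLE_SUBUID = "lxcuser:100000:65536\n"


def host_id_for(container_id, submap_text, user):
    """Map a uid/gid inside the container to the host-side id using the first
    /etc/subuid (or /etc/subgid) range allocated to `user`."""
    for line in submap_text.splitlines():
        name, start, count = line.strip().split(":")
        if name == user and container_id < int(count):
            return int(start) + container_id
    raise ValueError(f"no sub-id range covers id {container_id} for {user}")


def can_search(st, uid, gid):
    """Unix mode-bit check only: owner class, then group class, then other.
    ACLs, capabilities and supplementary groups are deliberately ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked_dir(path, uid, gid, top="/"):
    """Walk every directory from `top` down to `path` (inclusive) and return
    the first one the given host uid/gid cannot traverse, or None if the whole
    path is reachable. A blocked ancestor is exactly what makes stat() on the
    leaf fail with EACCES; a missing directory is reported as such."""
    path, top = Path(path).resolve(), Path(top).resolve()
    chain = list(path.parents)[::-1] + [path]
    for d in (d for d in chain if d == top or top in d.parents):
        try:
            st = os.stat(d)
        except FileNotFoundError:
            return f"{d} (missing)"
        if stat.S_ISDIR(st.st_mode) and not can_search(st, uid, gid):
            return str(d)
    return None


if __name__ == "__main__":
    # Container root (uid 0) maps to host uid 100000 with the sample range.
    host_root = host_id_for(0, SAMPLE_SUBUID, "lxcuser")
    print("host uid of container root:", host_root)
    print("blocked at:", first_blocked_dir("/data/rootdir", host_root, host_root))
```

Run it on the host (and again inside the docker container, whose /etc/subuid is the one lxc-start consults there) with the real user name and rootfs path; `chmod o+x` on the reported directory is the usual fix.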