[lxc-users] Running unprivileged container nested inside docker

Serge E. Hallyn serge at hallyn.com
Thu Apr 26 19:27:26 UTC 2018


Quoting Eytan Heidingsfeld (eytanh at gmail.com):
> Hi,
> I know this is definitely not on the list of things regularly tested but I
> have a scenario where I'm trying to run an unprivileged LXC
> container inside a docker container. The docker container is privileged and
> I would like the LXC container to be unprivileged.
> I have setup /etc/subuid,/etc/subgid in both the host and the docker
> container.
> Currently lxc-start fails with: lxc_conf - conf.c:lxc_setup_rootfs:1323 -
> Failed to mount rootfs "/data/vm/mount/bind/rootdir" onto
> "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)" (lxc-3.0).
> 
> I don't understand why it is failing the mount, using strace I can see:
> 565   access("/usr/lib/x86_64-linux-gnu/lxc", F_OK) = 0
> 565   stat("/data/rootdir", 0x7ffcd1c5a7f0) = -1 EACCES (Permission denied)
> 
> Where data/rootdir is my rootdir for the container and its contents are
> with the subuid/subgid I allocated.
> 
> Longer quote from log:
> lxc-start container 20180425170139.363 INFO     lxc_start -
> start.c:do_start:1070 - Unshared CLONE_NEWNET
> lxc-start container 20180425170139.364 DEBUG    lxc_conf -
> conf.c:idmaptool_on_path_and_privileged:2745 - The binary
> "/usr/bin/newuidmap" does have the setuid bit set
> lxc-start container 20180425170139.364 DEBUG    lxc_conf -
> conf.c:idmaptool_on_path_and_privileged:2745 - The binary
> "/usr/bin/newgidmap" does have the setuid bit set
> lxc-start container 20180425170139.364 DEBUG    lxc_conf -
> conf.c:lxc_map_ids:2833 - Functional newuidmap and newgidmap binary found
> lxc-start container 20180425170139.370 DEBUG    lxc_start -
> start.c:lxc_spawn:1668 - Preserved net namespace via fd 10
> lxc-start container 20180425170139.388 DEBUG    lxc_network -
> network.c:lxc_network_move_created_netdev_priv:2479 - Moved network device
> "vethVGW02V"/"(null)" to network namespace of 657
> lxc-start container 20180425170139.388 NOTICE   lxc_utils -
> utils.c:lxc_switch_uid_gid:2029 - Switched to gid 0.
> lxc-start container 20180425170139.388 NOTICE   lxc_utils -
> utils.c:lxc_switch_uid_gid:2035 - Switched to uid 0.
> lxc-start container 20180425170139.388 NOTICE   lxc_utils -
> utils.c:lxc_setgroups:2047 - Dropped additional groups.
> lxc-start container 20180425170139.389 INFO     lxc_start -
> start.c:do_start:1177 - Unshared CLONE_NEWCGROUP
> lxc-start container 20180425170139.393 ERROR    lxc_conf -
> conf.c:lxc_setup_rootfs:1323 - Failed to mount rootfs "/data/rootdir" onto
> "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)"
> lxc-start container 20180425170139.393 ERROR    lxc_conf -
> conf.c:do_rootfs_setup:3266 - Failed to setup rootfs for
> lxc-start container 20180425170139.393 ERROR    lxc_conf -
> conf.c:lxc_setup:3311 - Failed to setup rootfs
> 
> Any clues where to look?

Look at the LSM (probably apparmor) policy.  See /proc/pid/current/attr
for the policy name.
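The two checks the reply points at, as an added diagnostic script that is not part of the thread or of LXC: read the LSM confinement label of the lxc-start process from /proc/<pid>/attr/current (where AppArmor exposes it), and walk the rootfs path to confirm every directory is searchable by a uid outside its owner and group, which is what the mapped subuid is from the host kernel's point of view and the usual DAC reason stat() fails with EACCES as in the strace above. It assumes Linux with GNU coreutils stat; the pid and rootfs path are arguments.

```shell
#!/bin/sh
# Added diagnostic for the failure discussed in this thread; not lxc's own code.
# Assumes Linux (/proc, GNU coreutils stat).

# Print the LSM confinement label of a process. AppArmor exposes it at
# /proc/<pid>/attr/current, e.g. "lxc-container-default (enforce)" or
# "unconfined". Pass a pid or "self".
lsm_label() {
    f="/proc/${1:-self}/attr/current"
    if [ -r "$f" ]; then
        tr -d '\n\0' < "$f"
    else
        echo "no-lsm-label"          # kernel without an LSM attr interface
    fi
}

# stat(2) returns EACCES when search (x) permission is missing on any
# directory in the path prefix. Inside the user namespace the container's
# root maps to a subuid that owns nothing on the host, so only the "other"
# bits count. The rootfs itself is a directory, so it is checked the same way.
# Returns 0 if every component of $1 is traversable by other; otherwise
# prints the first offending directory and returns 1.
check_traversal() {
    old_ifs=$IFS
    IFS='/'
    set -- $1
    IFS=$old_ifs
    dir=""
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        dir="$dir/$comp"
        mode=$(stat -c %a "$dir" 2>/dev/null) || { echo "missing: $dir"; return 1; }
        # last octal digit of the mode is the "other" triplet; bit 0 is x
        if [ $(( (mode % 10) & 1 )) -eq 0 ]; then
            echo "not traversable by other: $dir (mode $mode)"
            return 1
        fi
    done
    return 0
}

# Usage: sh lxc-rootfs-diag.sh <pid-of-lxc-start> <rootfs path>
if [ "$#" -eq 2 ]; then
    echo "LSM label of pid $1: $(lsm_label "$1")"
    check_traversal "$2" && echo "all path components traversable: $2"
fi
```

Run it with the pid of the lxc-start process that logged the error and the rootfs path from the log; a label other than unconfined means the profile is worth reading, and a reported directory means the subuid cannot even reach the rootfs.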
