[lxc-users] Unprivileged Debian Buster Containers

[lxc at brak.space]

I was able to search around and find an existing issue.

https://github.com/systemd/systemd/pull/6876

The keyctl syscalls are not setup to handle namespaces which is a 
requirement of unprivileged containers. I eventually figured out the 
right seccomp syntax to disable keyctl syscalls:

|2 blacklistkeyctl_chown errno 38 keyctl errno 38|


What I don't understand is how was this not a problem before, and why 
isn't this in the default lxc config files for debian. And if this is 
worth reporting to the debian packaging team.

I still have a problem starting the boinc service related to keyctl, but 
the problem is resolved if I modify the systemd unit file to not switch 
to the boinc user and remain as root instead.

On 01/04/2018 04:02 AM, Pavol Cupka wrote:
> could be cgroups v2 related.
>
> On Tue, Jan 2, 2018 at 7:49 AM <lxc at brak.space> wrote:
>
>     Hello,
>
>     I'm having trouble running buster containers on debian Buster/Sid. I'm
>     using the download template with unprivileged containers and plain lxc
>     no lxd. The container is created no problem, however, it seems the
>     created container does not have a systemd, and hence basically nothing
>     works.
>
>     What could be causing this. Jessie containers work just fine for me.
>
>
>     Thanks,
>
>
>     Paul
>
>     _______________________________________________
>     lxc-users mailing list
>     lxc-users at lists.linuxcontainers.org
>     <mailto:lxc-users at lists.linuxcontainers.org>
>     http://lists.linuxcontainers.org/listinfo/lxc-users
>
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20180106/28480515/attachment.html>