[lxc-users] Unprivileged Debian Buster Containers
lxc at brak.space
Sun Jan 7 03:41:07 UTC 2018
I was able to search around and find an existing issue.
https://github.com/systemd/systemd/pull/6876
The keyctl syscalls are not set up to handle namespaces, which is a
requirement of unprivileged containers. I eventually figured out the
right seccomp syntax to disable keyctl syscalls:

    2
    blacklist
    keyctl_chown errno 38
    keyctl errno 38
What I don't understand is how this was not a problem before, and why
this isn't in the default lxc config files for Debian, and whether this is
worth reporting to the Debian packaging team.
I still have a problem starting the boinc service related to keyctl, but
the problem is resolved if I modify the systemd unit file to not switch
to the boinc user and remain as root instead.
On 01/04/2018 04:02 AM, Pavol Cupka wrote:
> could be cgroups v2 related.
>
> On Tue, Jan 2, 2018 at 7:49 AM <lxc at brak.space> wrote:
>
> Hello,
>
> I'm having trouble running buster containers on debian Buster/Sid. I'm
> using the download template with unprivileged containers and plain lxc
> no lxd. The container is created no problem, however, it seems the
> created container does not have a systemd, and hence basically nothing
> works.
>
> What could be causing this? Jessie containers work just fine for me.
>
>
> Thanks,
>
>
> Paul
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> <mailto:lxc-users at lists.linuxcontainers.org>
> http://lists.linuxcontainers.org/listinfo/lxc-users
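The seccomp workaround from the reply above, written out as an added example (not from the thread or from the LXC project): a script that installs the profile for a container and checks from inside it that keyctl now fails with ENOSYS. It assumes LXC 2.1+ config key names (lxc.seccomp.profile; on LXC 2.0 the key is lxc.seccomp) and that keyctl(1) from keyutils is installed in the container.

```sh
#!/bin/sh
# Added example: block the keyctl syscall in an unprivileged LXC container
# by returning ENOSYS (errno 38) from seccomp, so systemd treats kernel
# keyrings as unavailable instead of failing at boot.
set -eu

# Write the LXC v2 seccomp policy. Format: version line, default action
# ("blacklist" = allow everything not listed), then one syscall per line
# with its action. errno 38 is ENOSYS on Linux.
write_keyctl_profile() {
    profile="$1"
    cat > "$profile" <<'EOF'
2
blacklist
keyctl errno 38
EOF
}

# Point a container config at the profile, replacing any existing
# lxc.seccomp.profile line so the key is not duplicated (assumes the
# LXC 2.1+ key name; older releases use "lxc.seccomp").
set_seccomp_profile() {
    config="$1"
    profile="$2"
    tmp="$(mktemp)"
    grep -v '^lxc\.seccomp\.profile' "$config" > "$tmp" || true
    printf 'lxc.seccomp.profile = %s\n' "$profile" >> "$tmp"
    mv "$tmp" "$config"
}

# Inside the running container, confirm the policy is active: keyctl(1)
# reports strerror(ENOSYS), "Function not implemented", when the syscall
# is rejected by seccomp. Container name is the caller's.
check_keyctl_blocked() {
    container="$1"
    lxc-attach -n "$container" -- keyctl show 2>&1 \
        | grep -q 'Function not implemented'
}

# Usage (hypothetical container name "buster1"):
#   write_keyctl_profile /var/lib/lxc/buster1/keyctl.seccomp
#   set_seccomp_profile /var/lib/lxc/buster1/config \
#       /var/lib/lxc/buster1/keyctl.seccomp
#   lxc-start -n buster1 && check_keyctl_blocked buster1
```

Restart the container after changing the config; seccomp policy is applied at lxc-start time, not to an already running container.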