[lxc-users] Failed to import LXD container tar.gz in unprivileged container (nested container)

Stéphane Graber stgraber at stgraber.org
Fri Nov 22 19:11:26 UTC 2019


Ah, could be that those images ship with stuff in /dev then.
As I said, your best bet is to modify the tarball and just drop those
entries.

It's only a problem because you're trying to import the tarball inside an
unprivileged container where such device nodes cannot be created.
If the container had been exported from within an unprivileged container or
if it was restored on a host or inside a privileged container, this
wouldn't happen.

On Fri, Nov 22, 2019 at 12:18 PM Chris Han <chrishan308 at gmail.com> wrote:

> That container was started from a clean image from the "ubuntu" remote.
>     lxc launch ubuntu:18.04 c1
>
> Originally the container was started in a Btrfs storage pool. But after
> that I copied the container to a Dir storage pool and use the later version.
> Will this cause the /dev/xx problem?
>
> On Sat, Nov 23, 2019 at 1:07 AM Stéphane Graber <stgraber at stgraber.org>
> wrote:
>
>> No, switching between privileged and unprivileged wouldn't have caused
>> dev/ to get populated.
>> My guess is that you probably had an image that contained those files
>> when it shouldn't have in the first place.
>>
>> On Fri, Nov 22, 2019 at 11:45 AM Chris Han <chrishan308 at gmail.com> wrote:
>>
>>> Originally the container was started as a privileged container
>>> with security.privileged="true". But after that I have removed
>>> the security.privileged configuration and restarted the container. Is this
>>> the root cause of the problem?
>>>
>>> May I know what are the correct steps to change a privileged container to
>>> an unprivileged container?
>>>
>>> Thanks for your reply.
>>>
>>> On Sat, Nov 23, 2019 at 12:28 AM Stéphane Graber <stgraber at stgraber.org>
>>> wrote:
>>>
>>>> Hmm, not sure why you have those devices in this container in the first
>>>> place, normally /dev is left empty and mounted as tmpfs in the container.
>>>> You could likely just edit the tarball to remove the content of dev/
>>>> and then import it just fine.
>>>>
>>>> On Fri, Nov 22, 2019 at 2:19 AM Chris Han <chrishan308 at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have an unprivileged LXD container, c1, running in a physical host.
>>>>> I have exported this container to tar.gz:
>>>>>
>>>>> lxc export c1-unprivileged c1-unprivileged.tar.gz
>>>>>
>>>>>
>>>>> I have created another unprivileged LXD container, c2, with settings
>>>>> for nested containers. Inside the c2 container, I am able to launch a
>>>>> nested unprivileged LXD container, c3. The c3 container is working fine.
>>>>>
>>>>> lxc launch ubuntu:18.04 c3-unprivileged-nested
>>>>>
>>>>>
>>>>> However, when I try to import the c1 tar.gz file inside c2 to create a
>>>>> nested container, it shows the following error message:
>>>>>
>>>>> lxc import c1-unprivileged.tar.gz
>>>>>
>>>>> tar: rootfs/dev/zero: Cannot mknod: Operation not permitted
>>>>> tar: rootfs/dev/random: Cannot mknod: Operation not permitted
>>>>> tar: rootfs/dev/tty: Cannot mknod: Operation not permitted
>>>>> tar: rootfs/dev/null: Cannot mknod: Operation not permitted
>>>>> tar: rootfs/dev/full: Cannot mknod: Operation not permitted
>>>>> tar: rootfs/dev/urandom: Cannot mknod: Operation not permitted
>>>>>
>>>>> I am able to import the c1 tar.gz file in a physical host, but unable
>>>>> to import it in an unprivileged container (to create a nested container).
>>>>> The LXD network and storage settings in the physical host and the c2
>>>>> container are exactly the same.
>>>>>
>>>>> How do I import the c1 tar.gz in the c2 unprivileged container?
>>>>>
>>>>> _______________________________________________
>>>>> lxc-users mailing list
>>>>> lxc-users at lists.linuxcontainers.org
>>>>> http://lists.linuxcontainers.org/listinfo/lxc-users
>>>>>
>>>>
>>>>
>>>> --
>>>> Stéphane
>>>>
>>>
>>
>>
>> --
>> Stéphane
>>
>


-- 
Stéphane
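
The workaround suggested at the top of this message (edit the tarball and drop the device entries before running lxc import), as an added example that is not part of the original post and not LXD's own tooling. It drops character and block device entries wherever they appear rather than everything under dev/, and the in-memory sample tarball and the output file name c1-nodev.tar.gz are constructed for illustration.

```python
import io
import sys
import tarfile

# Entry types that need mknod(2) on extraction, which an unprivileged container lacks.
DEVICE_TYPES = (tarfile.CHRTYPE, tarfile.BLKTYPE)

def strip_device_nodes(src, dst):
    """Copy the gzip tarball in file object src to dst, skipping device nodes.

    Returns the names of the dropped entries. Ownership, modes and link
    targets of every other entry are carried over unchanged.
    """
    dropped = []
    with tarfile.open(fileobj=src, mode="r:gz") as tin, \
         tarfile.open(fileobj=dst, mode="w:gz") as tout:
        for member in tin:
            if member.type in DEVICE_TYPES:
                dropped.append(member.name)
                continue
            if member.issparse():
                # extractfile() yields expanded data, so store it as a plain file.
                member.type = tarfile.REGTYPE
            # Only regular files carry a data payload; dirs and links are header-only.
            data = tin.extractfile(member) if member.isreg() else None
            tout.addfile(member, data)
    return dropped

def build_sample():
    """Constructed sample: a tiny export-like tarball with two char devices."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        dev = tarfile.TarInfo("rootfs/dev")
        dev.type, dev.mode = tarfile.DIRTYPE, 0o755
        tar.addfile(dev)
        for name, minor in (("null", 3), ("zero", 5)):
            node = tarfile.TarInfo("rootfs/dev/" + name)
            node.type, node.devmajor, node.devminor = tarfile.CHRTYPE, 1, minor
            tar.addfile(node)
        payload = b"c1\n"
        host = tarfile.TarInfo("rootfs/etc/hostname")
        host.size = len(payload)
        tar.addfile(host, io.BytesIO(payload))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Usage: python3 strip_dev.py c1-unprivileged.tar.gz c1-nodev.tar.gz
    source = open(sys.argv[1], "rb") if len(sys.argv) == 3 else build_sample()
    target = open(sys.argv[2], "wb") if len(sys.argv) == 3 else io.BytesIO()
    for name in strip_device_nodes(source, target):
        print("dropped", name)
```

The rewritten archive can then be imported inside the unprivileged container; /dev is mounted as tmpfs when the container starts, so the removed nodes are not needed in the root filesystem.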