[lxc-users] Trying to create a lxc container for running Visual Studio Code
Peter Carlsson
peter.jm.carlsson at gmail.com
Fri Feb 12 05:41:44 UTC 2021
On Thu, Feb 11, 2021 at 05:45:35PM -0600, Serge E. Hallyn wrote:
> On Thu, Feb 11, 2021 at 10:22:52PM +0100, Peter Carlsson wrote:
> > On Thu, Feb 11, 2021 at 11:54:05AM -0600, Serge E. Hallyn wrote:
> > > On Wed, Feb 10, 2021 at 10:49:55PM +0100, Peter Carlsson wrote:
> > > > On Wed, Feb 10, 2021 at 07:08:09AM -0600, Serge E. Hallyn wrote:
> > > >
> > > > Hello again!
> > > >
> > > > Thanks for your help.
> > > >
> > > > I decided to start fresh and create the container as unprivileged. I
> > > > therefore deleted the old thread.
> > > >
> > > > Here is basically what I did:
> > > >
> > > > As root:
> > > >
> > > > usermod -v 100000-200000 -w 100000-200000 peter
> > > > cat /etc/subuid
> > > > peter:100000:100001
> > > > cat /etc/subgid
> > > > peter:100000:100001
> > > >
> > > > nano /etc/sysctl.conf
> > > > # Added by Peter Carlsson 2021-02-10 for lxc
> > > > kernel.unprivileged_userns_clone=1
> > > >
> > > > nano /etc/default/lxc-net
> > > > #USE_LXC_BRIDGE="true"
> > > >
> > > > nano /etc/lxc/default.conf
> > > > lxc.net.0.type = veth
> > > > lxc.net.0.link = lxcbr0
> > > > lxc.net.0.flags = up
> > > >
> > > > lxc.apparmor.profile = generated
> > > > lxc.apparmor.allow_nesting = 1
> > > >
> > > > As user peter:
> > > >
> > > > mkdir /home/peter/.config/lxc
> > > > nano /home/peter/.config/lxc/default.conf
> > > > lxc.net.0.type = veth
> > > > lxc.net.0.link = lxcbr0
> > > > lxc.net.0.flags = up
> > > >
> > > > lxc.apparmor.profile = generated
> > > > lxc.apparmor.allow_nesting = 1
> > > >
> > > > lxc.idmap = u 0 100000 100001
> > > > lxc.idmap = g 0 100000 100001
> > >
> > > This all looks good.
> > >
> > > > Don't know if this was necessary but I ran this after reading a link found on Google
> > > >
> > > > lxc-usernsexec
> > >
> > > Sorry I'm not following here. lxc-usernsexec without any arguments
> > > will put you in a shell in a user namespace. I assume you exited that
> > > before going on with lxc-create, right?
> >
> > Never mind. To try to solve my problems I googled and tried out
> > different pieces of advice, but this was something I don't think I did anything
> > successful with.
> >
> > > > lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
> > > >
> > > > lxc-start -n VisualStudioCode -F
> > > >
> > > > lxc-start: VisualStudioCode: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requested network: No such file or directory - Failed to open "/etc/lxc/lxc-usernet"
> > > > cmd/lxc_user_nic.c: 1296: main: Quota reached
> > > > lxc-start: VisualStudioCode: start.c: lxc_spawn: 1777 Failed to create the configured network
> > > > lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> > > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> > > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> > > >
> > > > What should I put in /etc/lxc/lxc-usernet?
> > >
> > > cat << EOF | sudo tee /etc/lxc/lxc-usernet
> > > # USERNAME TYPE BRIDGE COUNT
> > > peter veth lxcbr0 10
> > >
> > > > Do you see something else I have missed or should have done differently?
> > >
> > > Not offhand. But do make sure that lxc-net is running, i.e. make sure
> > > that 'brctl show' shows lxcbr0
> > >
> > > > Note that I had the network working for the container created by root.
> >
> > Now I have also done these things and had some progress:
> >
> > systemctl enable lxc-net
> > systemctl start lxc-net
> >
> > nano /etc/lxc/lxc-usernet
> > # USERNAME TYPE BRIDGE COUNT
> > peter veth lxcbr0 10
> >
> > chmod 755 /home/peter/.local/share/
> > chmod 755 /home/peter/.local/share/lxc/
> >
> > lxc-start -n VisualStudioCode -F
> > Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > [!!!!!!] Failed to mount API filesystems.
> > Exiting PID 1...
> >
> > For me it is not obvious what my next step should be. Any help would be
> > appreciated.
>
> serge at sl /etc/pam.d$ dpkg -l | grep cgfs
> ii libpam-cgfs 1:4.0.3+master~20200706-1105-0ubuntu1~eoan amd64 PAM module for managing cgroups for LXC
>
> Do you have something like this? If so, then /etc/pam.d/common-session should have
> a line like
>
> common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
>
> which is what should delegate the cgroups you need to create containers.
dpkg -l libpam-cgfs
ii libpam-cgfs 1:3.1.0+really3.0.3-8 i386 PAM module for managing cgroups for LXC
My /etc/pam.d/common-session already had a similar line (the last one)
but I added your suggestion as well.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
session optional pam_cgfs.so -c freezer,memory,name=systemd
# end of pam-auth-update config
# Added by Peter Carlsson 2021-02-12 for lxc
common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
I also ran pam-auth-update as suggested in the file but I still get:
lxc-start -n VisualStudioCode -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...
Thanks for all your help!
Best regards,
Peter Carlsson
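An added example, not code from the thread or from the LXC project: POSIX shell checks for the three things this thread turns on (the subuid/subgid range covering the lxc.idmap, the veth quota in /etc/lxc/lxc-usernet, and the pam_cgfs line in /etc/pam.d/common-session), run here against constructed copies of the lines posted above. The PAM check also flags lines whose first token is not a PAM type, such as a `common-session:` filename prefix carried over from grep output, which PAM would not parse as a directive.

```shell
#!/bin/sh
# Added example, not code from the thread or the LXC project.
# Each check reads file contents on stdin so it can run on the constructed samples below
# or on the real files (e.g. idmap_covered peter 100000 100001 < /etc/subuid).

# Exit 0 if USER's subuid/subgid range covers START..START+COUNT-1 (the lxc.idmap range).
idmap_covered() {
    awk -F: -v u="$1" -v s="$2" -v c="$3" '
        $1 == u && $2 + 0 <= s + 0 && $2 + $3 >= s + c { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Print the number of veth devices USER may attach to BRIDGE per /etc/lxc/lxc-usernet
# (0 when there is no entry; that is the "Quota reached" case seen in the thread).
usernet_quota() {
    awk -v u="$1" -v b="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == u && $2 == "veth" && $3 == b { q += $4 }
        END { print q + 0 }'
}

# Print pam.d lines whose first token is not a PAM type or @include,
# e.g. a "file:" prefix that was pasted from grep output.
pam_bad_lines() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $1 !~ /^-?(auth|account|password|session)$/ && $1 != "@include" { print NR ": " $0 }'
}

# Exit 0 if some session line loads pam_cgfs.so with a name=systemd controller.
pam_cgfs_present() {
    awk '$1 == "session" && /pam_cgfs\.so/ && /name=systemd/ { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Constructed samples mirroring the lines posted in the thread.
SUBUID='peter:100000:100001'
USERNET='# USERNAME TYPE BRIDGE COUNT
peter veth lxcbr0 10'
PAM='session optional pam_cgfs.so -c freezer,memory,name=systemd
common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd'

demo() {
    printf '%s\n' "$SUBUID" | idmap_covered peter 100000 100001 && echo "subuid range covers idmap"
    echo "veth quota for peter on lxcbr0: $(printf '%s\n' "$USERNET" | usernet_quota peter lxcbr0)"
    printf '%s\n' "$PAM" | pam_cgfs_present && echo "pam_cgfs line present"
    printf '%s\n' "$PAM" | pam_bad_lines | sed 's/^/suspicious pam line /'
}
demo
```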