[lxc-users] Trying to create a lxc container for running Visual Studio Code
Serge E. Hallyn
serge at hallyn.com
Thu Feb 18 05:17:01 UTC 2021
On Wed, Feb 17, 2021 at 10:34:22PM +0100, Peter Carlsson wrote:
> On Fri, Feb 12, 2021 at 06:41:44AM +0100, Peter Carlsson wrote:
> > On Thu, Feb 11, 2021 at 05:45:35PM -0600, Serge E. Hallyn wrote:
> > > On Thu, Feb 11, 2021 at 10:22:52PM +0100, Peter Carlsson wrote:
> > > > On Thu, Feb 11, 2021 at 11:54:05AM -0600, Serge E. Hallyn wrote:
> > > > > On Wed, Feb 10, 2021 at 10:49:55PM +0100, Peter Carlsson wrote:
> > > > > > On Wed, Feb 10, 2021 at 07:08:09AM -0600, Serge E. Hallyn wrote:
> > > > > >
> > > > > > Hello again!
> > > > > >
> > > > > > Thanks for your help.
> > > > > >
> > > > > > I decided to start fresh and create the container as unprivileged. I
> > > > > > therefor deleted the old thread.
> > > > > >
> > > > > > Here is basically what I did:
> > > > > >
> > > > > > As root:
> > > > > >
> > > > > > usermod -v 100000-200000 -w 100000-200000 peter
> > > > > > cat /etc/subuid
> > > > > > peter:100000:100001
> > > > > > cat /etc/subgid
> > > > > > peter:100000:100001
> > > > > >
> > > > > > nano /etc/sysctl.conf
> > > > > > # Added by Peter Carlsson 2021-02-10 for lxc
> > > > > > kernel.unprivileged_userns_clone=1
> > > > > >
> > > > > > nano /etc/default/lxc-net
> > > > > > #USE_LXC_BRIDGE="true"
> > > > > >
> > > > > > nano /etc/lxc/default.conf
> > > > > > lxc.net.0.type = veth
> > > > > > lxc.net.0.link = lxcbr0
> > > > > > lxc.net.0.flags = up
> > > > > >
> > > > > > lxc.apparmor.profile = generated
> > > > > > lxc.apparmor.allow_nesting = 1
> > > > > >
> > > > > > As user peter:
> > > > > >
> > > > > > mkdir /home/peter/.config/lxc
> > > > > > nano /home/peter/.config/lxc/default.conf
> > > > > > lxc.net.0.type = veth
> > > > > > lxc.net.0.link = lxcbr0
> > > > > > lxc.net.0.flags = up
> > > > > >
> > > > > > lxc.apparmor.profile = generated
> > > > > > lxc.apparmor.allow_nesting = 1
> > > > > >
> > > > > > lxc.idmap = u 0 100000 100001
> > > > > > lxc.idmap = g 0 100000 100001
> > > > >
> > > > > This all looks good.
> > > > >
> > > > > > Don't know if this was necessary but I ran this after reading a link found on Google
> > > > > >
> > > > > > lxc-usernsexec
> > > > >
> > > > > Sorry I'm not following here. lxc-usernsexec without any arguments
> > > > > will put you in a shell in a user namespace. I assume you exited that
> > > > > before going on with lxc-create, right?
> > > >
> > > > Never mind. To try to solve my problems I googled and tried out
> > > > different advices but this was something I don't think I did anything
> > > > successful with.
> > > >
> > > > > > lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
> > > > > >
> > > > > > lxc-start -n VisualStudioCode -F
> > > > > >
> > > > > > lxc-start: VisualStudioCode: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requested network: No such file or directory - Failed to open "/etc/lxc/lxc-usernet"
> > > > > > cmd/lxc_user_nic.c: 1296: main: Quota reached
> > > > > > lxc-start: VisualStudioCode: start.c: lxc_spawn: 1777 Failed to create the configured network
> > > > > > lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> > > > > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> > > > > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> > > > > >
> > > > > > What should I put in /etc/lxc/lxc-usernet?
> > > > >
> > > > > cat << EOF | sudo tee /etc/lxc/lxc-usernet
> > > > > # USERNAME TYPE BRIDGE COUNT
> > > > > peter veth lxcbr0 10
> > > > >
> > > > > > Do you see something else I have missed or should have done differently?
> > > > >
> > > > > Not offhand. But do make sure that lxc-net is running, i.e. make sure
> > > > > that 'brctl show' shows lxcbr0
> > > > >
> > > > > > Note that I had the network working for the container created by root.
> > > >
> > > > Now I have also done these things and had some progress:
> > > >
> > > > systemctl enable lxc-net
> > > > systemctl start lxc-net
> > > >
> > > > nano /etc/lxc/lxc-usernet
> > > > # USERNAME TYPE BRIDGE COUNT
> > > > peter veth lxcbr0 10
> > > >
> > > > chmod 755 /home/peter/.local/share/
> > > > chmod 755 /home/peter/.local/share/lxc/
> > > >
> > > > lxc-start -n VisualStudioCode -F
> > > > Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > > > [!!!!!!] Failed to mount API filesystems.
> > > > Exiting PID 1...
> > > >
> > > > For me it is not obvious what my next step should be. Any help would be
> > > > appreciated.
> > >
> > > serge at sl /etc/pam.d$ dpkg -l | grep cgfs
> > > ii libpam-cgfs 1:4.0.3+master~20200706-1105-0ubuntu1~eoan amd64 PAM module for managing cgroups for LXC
> > >
> > > Do you have something like this? If so, then /etc/pam.d/common-session should have
> > > a line like
> > >
> > > common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
> > >
> > > which is what should delegate the cgroups you need to create containers.
> >
> > dpkg -l libpam-cgfs
> > ii libpam-cgfs 1:3.1.0+really3.0.3-8 i386 PAM module for managing cgroups for LXC
> >
> > My /etc/pam.d/common-session already had a similar line (the last one)
> > but I added your suggestion as well.
> >
> > # here are the per-package modules (the "Primary" block)
> > session [default=1] pam_permit.so
> > # here's the fallback if no module succeeds
> > session requisite pam_deny.so
> > # prime the stack with a positive return value if there isn't one already;
> > # this avoids us returning an error just because nothing sets a success code
> > # since the modules above will each just jump around
> > session required pam_permit.so
> > # and here are more per-package modules (the "Additional" block)
> > session required pam_unix.so
> > session optional pam_winbind.so
> > session optional pam_systemd.so
> > session optional pam_cgfs.so -c freezer,memory,name=systemd
> > # end of pam-auth-update config
> >
> > # Added by Peter Carlsson 2021-02-12 for lxc
> > common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
> >
> > I also ran pam-auth-update as suggested in the file but I still get:
> >
> > lxc-start -n VisualStudioCode -F
> > Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > [!!!!!!] Failed to mount API filesystems.
> > Exiting PID 1...
> >
> > Thanks for all your help!
> >
> > Best regards,
> > Peter Carlsson
(Sorry for the delay)
> I decided to remove the line from /etc/pam.d/common-session again since
> I think I the line you were suggesting was already in the file.
Yeah you don't want it twice.
> But still the same error message.
>
> Do you see any errors in the permissions below? I want to be sure before
> I change permissions in system folders.
>
> # ls -l /sys/fs/cgroup/systemd/
> totalt 0
> -rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.clone_children
> -rw-r--r-- 1 root root 0 feb 17 22:30 cgroup.procs
> -r--r--r-- 1 root root 0 feb 15 23:29 cgroup.sane_behavior
> drwxr-xr-x 2 root root 0 feb 15 23:29 docker
> drwxr-xr-x 2 root root 0 feb 15 23:29 init.scope
> drwxr-xr-x 8 root root 0 feb 15 23:29 lxc
> -rw-r--r-- 1 root root 0 feb 15 23:29 notify_on_release
> -rw-r--r-- 1 root root 0 feb 15 23:29 release_agent
> drwxr-xr-x 151 root root 0 feb 17 22:09 system.slice
> -rw-r--r-- 1 root root 0 feb 15 23:29 tasks
> drwxr-xr-x 9 root root 0 feb 15 23:29 user
> drwxr-xr-x 3 root root 0 feb 17 21:24 user.slice
>
> # ls -l /sys/fs/cgroup/systemd/lxc/
> totalt 0
> -rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.clone_children
> -rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.procs
> -rw-r--r-- 1 root root 0 feb 15 23:29 notify_on_release
> -rw-r--r-- 1 root root 0 feb 15 23:29 tasks
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-1
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-2
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-3
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-4
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-5
On my laptop, my unprivileged container has:
cat /proc/3773/cgroup
12:net_cls,net_prio:/
11:pids:/user.slice/user-1000.slice/session-2.scope
10:hugetlb:/
9:memory:/user.slice/user-1000.slice/session-2.scope
8:cpu,cpuacct:/user.slice
7:blkio:/user.slice
6:freezer:/user/serge/0/lxc.payload.mail
5:rdma:/
4:perf_event:/
3:cpuset:/
2:devices:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
0::/user.slice/user-1000.slice/session-2.scope
So the systemd cgroup is
/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
where the first part
/user.slice/user-1000.slice/session-2.scope
was inherited from my login shell, and
serge at sl ~$ ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope/
total 0
-rw-r--r-- 1 root root 0 Feb 17 23:16 cgroup.clone_children
-rw-r--r-- 1 root root 0 Feb 17 23:16 cgroup.procs
drwxr-xr-x 2 serge serge 0 Feb 1 08:32 lxc.monitor.mail
drwxrwxr-x 5 serge 100000 0 Feb 1 08:32 lxc.payload.mail
drwxr-xr-x 2 serge serge 0 Feb 9 22:13 lxc.pivot
-rw-r--r-- 1 root root 0 Feb 17 23:16 notify_on_release
-rw-r--r-- 1 root root 0 Feb 17 23:16 tasks
-serge
More information about the lxc-users
mailing list