[lxc-users] Trying to create a lxc container for running Visual Studio Code

Serge E. Hallyn serge at hallyn.com
Thu Feb 18 05:17:01 UTC 2021


On Wed, Feb 17, 2021 at 10:34:22PM +0100, Peter Carlsson wrote:
> On Fri, Feb 12, 2021 at 06:41:44AM +0100, Peter Carlsson wrote:
> > On Thu, Feb 11, 2021 at 05:45:35PM -0600, Serge E. Hallyn wrote:
> > > On Thu, Feb 11, 2021 at 10:22:52PM +0100, Peter Carlsson wrote:
> > > > On Thu, Feb 11, 2021 at 11:54:05AM -0600, Serge E. Hallyn wrote:
> > > > > On Wed, Feb 10, 2021 at 10:49:55PM +0100, Peter Carlsson wrote:
> > > > > > On Wed, Feb 10, 2021 at 07:08:09AM -0600, Serge E. Hallyn wrote:
> > > > > > 
> > > > > > Hello again!
> > > > > > 
> > > > > > Thanks for your help.
> > > > > > 
> > > > > > I decided to start fresh and create the container as unprivileged. I
> > > > > > therefore deleted the old thread.
> > > > > > 
> > > > > > Here is basically what I did:
> > > > > > 
> > > > > > As root:
> > > > > > 
> > > > > >   usermod -v 100000-200000 -w 100000-200000 peter
> > > > > >   cat /etc/subuid
> > > > > >     peter:100000:100001
> > > > > >   cat /etc/subgid
> > > > > >     peter:100000:100001
> > > > > > 
> > > > > >   nano /etc/sysctl.conf
> > > > > >     # Added by Peter Carlsson 2021-02-10 for lxc
> > > > > >     kernel.unprivileged_userns_clone=1
> > > > > > 
> > > > > >   nano /etc/default/lxc-net
> > > > > >     #USE_LXC_BRIDGE="true"
> > > > > > 
> > > > > >   nano /etc/lxc/default.conf
> > > > > >     lxc.net.0.type = veth
> > > > > >     lxc.net.0.link = lxcbr0
> > > > > >     lxc.net.0.flags = up
> > > > > > 
> > > > > >     lxc.apparmor.profile = generated
> > > > > >     lxc.apparmor.allow_nesting = 1
> > > > > > 
> > > > > > As user peter:
> > > > > > 
> > > > > >   mkdir /home/peter/.config/lxc
> > > > > >   nano /home/peter/.config/lxc/default.conf
> > > > > >     lxc.net.0.type = veth
> > > > > >     lxc.net.0.link = lxcbr0
> > > > > >     lxc.net.0.flags = up
> > > > > > 
> > > > > >     lxc.apparmor.profile = generated
> > > > > >     lxc.apparmor.allow_nesting = 1
> > > > > > 
> > > > > >     lxc.idmap = u 0 100000 100001
> > > > > >     lxc.idmap = g 0 100000 100001
> > > > > 
> > > > > This all looks good.
> > > > > 
> > > > > > Don't know if this was necessary but I ran this after reading a link found on Google
> > > > > > 
> > > > > >   lxc-usernsexec
> > > > > 
> > > > > Sorry I'm not following here.  lxc-usernsexec without any arguments
> > > > > will put you in a shell in a user namespace.  I assume you exited that
> > > > > before going on with lxc-create, right?
> > > > 
> > > > Never mind. To try to solve my problems I googled and tried out
> > > > different advice, but this was something I don't think I did anything
> > > > successful with.
> > > > 
> > > > > >   lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
> > > > > > 
> > > > > >   lxc-start -n VisualStudioCode -F
> > > > > >  
> > > > > >     lxc-start: VisualStudioCode: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requested network: No such file or directory - Failed to open "/etc/lxc/lxc-usernet"
> > > > > >     cmd/lxc_user_nic.c: 1296: main: Quota reached
> > > > > >     lxc-start: VisualStudioCode: start.c: lxc_spawn: 1777 Failed to create the configured network
> > > > > >     lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> > > > > >     lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> > > > > >     lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> > > > > > 
> > > > > > What should I put in /etc/lxc/lxc-usernet?
> > > > > 
> > > > > cat << EOF | sudo tee /etc/lxc/lxc-usernet
> > > > > # USERNAME TYPE BRIDGE COUNT
> > > > > peter veth lxcbr0 10
> > > > > EOF
> > > > > 
> > > > > > Do you see something else I have missed or should have done differently?
> > > > > 
> > > > > Not offhand.  But do make sure that lxc-net is running, i.e. make sure
> > > > > that 'brctl show' shows lxcbr0
> > > > > 
> > > > > > Note that I had the network working for the container created by root.
> > > >  
> > > > Now I have also done these things and had some progress:
> > > > 
> > > >   systemctl enable lxc-net
> > > >   systemctl start lxc-net
> > > > 
> > > >   nano /etc/lxc/lxc-usernet
> > > >     # USERNAME TYPE BRIDGE COUNT
> > > >     peter veth lxcbr0 10
> > > > 
> > > >   chmod 755 /home/peter/.local/share/
> > > >   chmod 755 /home/peter/.local/share/lxc/
> > > > 
> > > >   lxc-start -n VisualStudioCode -F
> > > >     Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > > >     [!!!!!!] Failed to mount API filesystems.
> > > >     Exiting PID 1...
> > > > 
> > > > For me it is not obvious what my next step should be. Any help would be
> > > > appreciated.
> > > 
> > > serge at sl /etc/pam.d$ dpkg -l | grep cgfs
> > > ii  libpam-cgfs                                1:4.0.3+master~20200706-1105-0ubuntu1~eoan amd64        PAM module for managing cgroups for LXC
> > > 
> > > Do you have something like this?  If so, then /etc/pam.d/common-session should have
> > > a line like
> > > 
> > > common-session:session  optional        pam_cgfs.so -c freezer,memory,name=systemd
> > > 
> > > which is what should delegate the cgroups you need to create containers.
> > 
> >   dpkg -l libpam-cgfs
> >     ii  libpam-cgfs    1:3.1.0+really3.0.3-8 i386         PAM module for managing cgroups for LXC
> > 
> > My /etc/pam.d/common-session already had a similar line (the last one)
> > but I added your suggestion as well.
> > 
> >   # here are the per-package modules (the "Primary" block)
> >   session [default=1]                     pam_permit.so
> >   # here's the fallback if no module succeeds
> >   session requisite                       pam_deny.so
> >   # prime the stack with a positive return value if there isn't one already;
> >   # this avoids us returning an error just because nothing sets a success code
> >   # since the modules above will each just jump around
> >   session required                        pam_permit.so
> >   # and here are more per-package modules (the "Additional" block)
> >   session required        pam_unix.so
> >   session optional                        pam_winbind.so
> >   session optional        pam_systemd.so
> >   session optional        pam_cgfs.so -c freezer,memory,name=systemd
> >   # end of pam-auth-update config
> > 
> >   # Added by Peter Carlsson 2021-02-12 for lxc
> >   common-session:session  optional        pam_cgfs.so -c freezer,memory,name=systemd
> > 
> > I also ran pam-auth-update as suggested in the file but I still get:
> > 
> >   lxc-start -n VisualStudioCode -F
> >     Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> >     [!!!!!!] Failed to mount API filesystems.
> >     Exiting PID 1...
> > 
> > Thanks for all your help!
> > 
> > Best regards,
> > Peter Carlsson

(Sorry for the delay)

> I decided to remove the line from /etc/pam.d/common-session again since
> I think the line you were suggesting was already in the file.

Yeah you don't want it twice.

> But still the same error message.
> 
> Do you see any errors in the permissions below? I want to be sure before
> I change permissions in system folders. 
> 
> # ls -l /sys/fs/cgroup/systemd/
> total 0
> -rw-r--r--   1 root root 0 feb 15 23:29 cgroup.clone_children
> -rw-r--r--   1 root root 0 feb 17 22:30 cgroup.procs
> -r--r--r--   1 root root 0 feb 15 23:29 cgroup.sane_behavior
> drwxr-xr-x   2 root root 0 feb 15 23:29 docker
> drwxr-xr-x   2 root root 0 feb 15 23:29 init.scope
> drwxr-xr-x   8 root root 0 feb 15 23:29 lxc
> -rw-r--r--   1 root root 0 feb 15 23:29 notify_on_release
> -rw-r--r--   1 root root 0 feb 15 23:29 release_agent
> drwxr-xr-x 151 root root 0 feb 17 22:09 system.slice
> -rw-r--r--   1 root root 0 feb 15 23:29 tasks
> drwxr-xr-x   9 root root 0 feb 15 23:29 user
> drwxr-xr-x   3 root root 0 feb 17 21:24 user.slice
> 
> # ls -l /sys/fs/cgroup/systemd/lxc/
> total 0
> -rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.clone_children
> -rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.procs
> -rw-r--r-- 1 root root 0 feb 15 23:29 notify_on_release
> -rw-r--r-- 1 root root 0 feb 15 23:29 tasks
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-1
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-2
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-3
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-4
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-5

On my laptop, my unprivileged container has:

cat /proc/3773/cgroup
12:net_cls,net_prio:/
11:pids:/user.slice/user-1000.slice/session-2.scope
10:hugetlb:/
9:memory:/user.slice/user-1000.slice/session-2.scope
8:cpu,cpuacct:/user.slice
7:blkio:/user.slice
6:freezer:/user/serge/0/lxc.payload.mail
5:rdma:/
4:perf_event:/
3:cpuset:/
2:devices:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
0::/user.slice/user-1000.slice/session-2.scope

So the systemd cgroup is

/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope

where the first part

/user.slice/user-1000.slice/session-2.scope

was inherited from my login shell, and

serge at sl ~$ ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope/
total 0
-rw-r--r-- 1 root  root   0 Feb 17 23:16 cgroup.clone_children
-rw-r--r-- 1 root  root   0 Feb 17 23:16 cgroup.procs
drwxr-xr-x 2 serge serge  0 Feb  1 08:32 lxc.monitor.mail
drwxrwxr-x 5 serge 100000 0 Feb  1 08:32 lxc.payload.mail
drwxr-xr-x 2 serge serge  0 Feb  9 22:13 lxc.pivot
-rw-r--r-- 1 root  root   0 Feb 17 23:16 notify_on_release
-rw-r--r-- 1 root  root   0 Feb 17 23:16 tasks

-serge
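The thread above stalls on three separate prerequisites for an unprivileged container: the subuid/subgid ranges that the lxc.idmap lines rely on, the per-user veth quota in /etc/lxc/lxc-usernet (missing file reported as "Quota reached"), and the name=systemd cgroup that pam_cgfs is meant to delegate to the login session so lxc-start can create its lxc.monitor.* and lxc.payload.* directories under it. The POSIX shell script below is an added example, not code from the thread or from LXC, that checks all three before running lxc-start. The function names are mine; the file paths are the standard ones Peter and Serge cite; every check takes its input as text or a path so it can be exercised offline, and the sample data at the bottom is constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Pre-flight checks for an unprivileged LXC container: idmap ranges,
# lxc-usernet quota, and cgroup delegation.  Added example, not from the
# thread or from LXC.  Sample data below is constructed from the thread.

# subid_covers USER START COUNT TEXT
# Succeeds if TEXT (contents of /etc/subuid or /etc/subgid) grants USER a
# range containing all of [START, START+COUNT).  newuidmap/newgidmap refuse
# any host range that is not fully inside the user's allotment.
subid_covers() {
    printf '%s\n' "$4" | awk -F: -v u="$1" -v s="$2" -v n="$3" '
        $1 == u && $2 + 0 <= s + 0 && $2 + $3 >= s + n { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# idmap_ok USER CONFIG SUBUID_TEXT SUBGID_TEXT
# Checks every "lxc.idmap = u|g CONTAINER_ID HOST_ID COUNT" line of CONFIG
# (text of ~/.config/lxc/default.conf, spaced as in the thread) against the
# matching range file.  Fails if any mapping is not covered.
idmap_ok() {
    user=$1 config=$2 subuid=$3 subgid=$4 rc=0
    while read -r key eq kind cid hid count; do
        [ "$key" = "lxc.idmap" ] || continue
        case $kind in
            u) text=$subuid ;;
            g) text=$subgid ;;
            *) echo "bad idmap kind: $kind" >&2; rc=1; continue ;;
        esac
        subid_covers "$user" "$hid" "$count" "$text" || {
            echo "idmap $kind $cid $hid $count not covered for $user" >&2; rc=1; }
    done <<EOF
$config
EOF
    return $rc
}

# usernet_quota USER TYPE BRIDGE TEXT
# Prints how many TYPE interfaces on BRIDGE TEXT (contents of
# /etc/lxc/lxc-usernet) allows USER; 0 when nothing matches.  As the
# thread shows, a missing file surfaces as lxc-user-nic's "Quota reached".
usernet_quota() {
    printf '%s\n' "$4" | awk -v u="$1" -v t="$2" -v b="$3" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == u && $2 == t && $3 == b { q = $4 }
        END { print q + 0 }'
}

# systemd_cgroup TEXT
# Prints the name=systemd path from TEXT (contents of /proc/PID/cgroup),
# or nothing when that cgroup v1 hierarchy is absent.
systemd_cgroup() {
    printf '%s\n' "$1" | awk -F: '$2 == "name=systemd" { print $3; exit }'
}

# cgroup_delegated ROOT PATH
# Succeeds if ROOT/PATH exists and the caller can create children in it.
# In Serge's listing that is the session scope under /sys/fs/cgroup/systemd;
# if pam_cgfs never chowned it to the user, this probe fails.
cgroup_delegated() {
    dir=$1/${2#/}
    [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]
}

# preflight_host USER [PID]
# Runs the checks against the live host; reports only, changes nothing.
preflight_host() {
    user=$1 pid=${2:-$$}
    if idmap_ok "$user" "$(cat "$HOME/.config/lxc/default.conf")" \
                "$(cat /etc/subuid)" "$(cat /etc/subgid)"; then
        echo "idmap: covered by /etc/subuid and /etc/subgid"
    else
        echo "idmap: NOT covered (see messages above)"
    fi
    echo "lxc-usernet: $(usernet_quota "$user" veth lxcbr0 \
        "$(cat /etc/lxc/lxc-usernet 2>/dev/null)") veth allowed on lxcbr0"
    cg=$(systemd_cgroup "$(cat "/proc/$pid/cgroup")")
    if [ -n "$cg" ] && cgroup_delegated /sys/fs/cgroup/systemd "$cg"; then
        echo "cgroup: $cg is writable, delegation looks in place"
    else
        echo "cgroup: ${cg:-<no name=systemd entry>} is not writable by you"
    fi
}

# Constructed sample input, taken from the values quoted in the thread.
SAMPLE_SUBUID="peter:100000:100001"
SAMPLE_CONF="lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up

lxc.idmap = u 0 100000 100001
lxc.idmap = g 0 100000 100001"
SAMPLE_USERNET="# USERNAME TYPE BRIDGE COUNT
peter veth lxcbr0 10"
SAMPLE_CGROUP="6:freezer:/user/serge/0/lxc.payload.mail
1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
0::/user.slice/user-1000.slice/session-2.scope"

# Usage on the host: sh lxc-preflight.sh --host [USER]
if [ "${1:-}" = "--host" ]; then
    preflight_host "${2:-$(id -un)}"
fi
```

Run it as the unprivileged user (the one named in /etc/subuid and lxc-usernet) from a fresh login shell, since pam_cgfs only acts at session open; a cgroup reported as not writable after a re-login is the point at which the pam_cgfs line in /etc/pam.d/common-session deserves a closer look.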

