[lxc-users] "working" unprivileged centos 7 container under ubuntu
Fajar A. Nugraha
2015-08-10 10:13:30 UTC
As a follow up to https://lists.linuxcontainers.org/pipermail/lxc-users/2015-March/008658.html, I've tested a similar setup but with systemd-224. My build is available on https://goo.gl/XpKFxS

Tested and works:
- container start & stop
- lxc-console
- lxc-attach
- login via ssh

What DOESN'T work:
- systemd-journald. This means (among other things) you won't have any
additional output from "systemctl status"

Improvement from before: no more crash on unprivileged container poweroff

Host:
- ubuntu vivid with wily's 4.1.0-3-generic kernel (I didn't test
vivid's kernel, but should work as well)
- lxc 1.1.2-0ubuntu5~ubuntu15 and lxcfs
0.9-0ubuntu1~ubuntu15.04.1~ppa1 from ppa:ubuntu-lxc/lxc-stable

Container:
- unprivileged centos 7 container, with custom systemd and related packages

Howto:
Note that lines starting with "$" are executed as a normal user on the
host, while lines starting with "[***@c7-test" are executed inside the
container.

(1) As a normal, non-root user, set up an unprivileged container (see
https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv for
prerequisites, including making sure you have subuid/subgid assigned,
editing /etc/lxc/lxc-usernet, and editing ~/.config/lxc/default.conf).
I name the container "c7-test".

$ id -u
1000

$ lxc-create -n c7-test -t download -- -d centos -r 7 -a amd64


(2) Edit its config

$ vi ~/.local/share/lxc/c7-test/config

Replace

lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/centos.userns.conf

... with

lxc.include = /usr/share/lxc/config/fedora.common.conf
lxc.include = /usr/share/lxc/config/fedora.userns.conf


(3) Install "tar" in the container. We need this to transfer files to
the container without having to worry about permissions.

3.a) Start the container directly using bash as init (do NOT use the
normal container startup method at this point, as the centos-bundled
systemd doesn't work)

$ lxc-execute -n c7-test -- bash --login


3.b) Start networking in the container. You should already have dhcp
working if you use the default bridge (lxcbr0). Verify you get a
working address (it should be printed since you use "-v")

[***@c7-test /]# dhclient -v eth0


3.c) install tar

[***@c7-test /]# yum -y install tar


4) set container root password

[***@c7-test /]# passwd


5) In another terminal window, download the RPMS from the two
directories inside "RPMS-install" and put them in a directory on the
host (I put them in the "RPMS" directory)

6) Copy the RPMS directory to the container (I copy it to "/" inside
the container)

$ tar cf - RPMS | lxc-attach -n c7-test -- bash -c "cd / && tar xvf -"


7) Back in the first terminal (the container), install the RPMS with
yum (so that all dependencies from the centos repo are automatically
installed as well)

[***@c7-test /]# yum -y install /RPMS/*.rpm


8) Disable systemd-journald service, and enable poweroff from the host

[***@c7-test /]# ln -s /dev/null /etc/systemd/system/systemd-journald.service

[***@c7-test /]# ln -s /usr/lib/systemd/system/poweroff.target /etc/systemd/system/sigpwr.target


9) Kill dhclient, and then exit

[***@c7-test /]# pkill dhclient

[***@c7-test /]# exit


10) Start the container in the foreground so you can see its boot process.
Note that you will see "FAILED" lines; just ignore them.

$ lxc-start -F -n c7-test
systemd 224 running in system mode. (+PAM +AUDIT +SELINUX +IMA
-APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL
+XZ -LZ4 +SECCOMP -BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!
...
systemd-journald-audit.socket: Socket service systemd-journald.service
not loaded, refusing.
[FAILED] Failed to listen on Journal Audit Socket.
...
Failed to reset devices.list on
/user.slice/user-1000.slice/session-c2.scope/lxc/c7-test/system.slice/systemd-update-utmp-runlevel.service:
Permission denied
Starting Update UTMP about System Runlevel Changes...
[ OK ] Reached target Network is Online.
Startup finished in 5.296s.

CentOS Linux 7 (Core)
Kernel 4.1.0-3-generic on an x86_64

c7-test login:


11) Login as root with the password set in step (4)

12) Install ssh server

[***@c7-test ~]# yum -y install openssh-server


13) Start the ssh server. You will see lots of "Failed" lines; just ignore
them. Also note the container's IP address.

[***@c7-test ~]# systemctl status sshd

[***@c7-test ~]# systemctl start sshd

[***@c7-test ~]# systemctl status sshd

[***@c7-test ~]# ip ad li eth0


14) From the host, ssh to the container, do some tests, then logout

15) Back to the container terminal window, power it down

[***@c7-test ~]# poweroff
[ OK ] Stopped Session c1 of user root.
Stopping User Manager for UID 0...
...
[ OK ] Reached target Shutdown.
dev-null.mount: Mount process exited, code=exited status=32
Failed to reset devices.list on
/user.slice/user-1000.slice/session-c2.scope/lxc/c7-test/system.slice/systemd-poweroff.service:
Permission denied
sys-devices-virtual-net.mount: Mount process exited, code=exited status=32
sys-devices-virtual-net.mount: Unit entered failed state.
Shutting down.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
Powering off.


16) After you verify that everything is working, you can now
start/stop the container again in the background

$ lxc-start -n c7-test

$ lxc-ls -f --running
NAME STATE IPV4 IPV6 GROUPS AUTOSTART
----------------------------------------------------------
c7-test RUNNING A.B.C.D - - NO

$ lxc-stop -n c7-test
--
Fajar
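The prerequisites in step (1) come down to one invariant: every lxc.id_map line in the container config must fit inside the subuid/subgid range the host has granted to that user, otherwise lxc refuses to set up the user namespace. As an added example, not from the post or the LXC project, this POSIX shell check parses both sides from constructed sample text (the host user name "lxcuser" and the id ranges are assumptions) and reports any mapping the host would reject:

```shell
# Added example, not part of the post: check that each lxc.id_map line of an
# unprivileged container config (LXC 1.1 syntax, step 1) fits inside the range
# the host grants that user in /etc/subuid or /etc/subgid. Inputs are constructed.
SAMPLE_CONFIG='lxc.include = /usr/share/lxc/config/fedora.common.conf
lxc.include = /usr/share/lxc/config/fedora.userns.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'
# constructed /etc/subuid and /etc/subgid lines for the host user "lxcuser"
SAMPLE_SUBUID='lxcuser:100000:65536'
SAMPLE_SUBGID='lxcuser:100000:65536'

# range_granted USER HOST_START COUNT SUBFILE_TEXT: 0 if the host range
# [HOST_START, HOST_START+COUNT) lies within one "USER:start:count" line
range_granted() {
    rg_user=$1; rg_start=$2; rg_end=$(($2 + $3)); rg_found=1
    while IFS=: read -r owner gstart gcount; do
        [ "$owner" = "$rg_user" ] || continue
        if [ "$rg_start" -ge "$gstart" ] && [ "$rg_end" -le $((gstart + gcount)) ]; then
            rg_found=0
        fi
    done <<SUB
$4
SUB
    return $rg_found
}

# idmap_ok USER CONFIG_TEXT SUBUID_TEXT SUBGID_TEXT: prints one OK/FAIL line per
# "lxc.id_map = <u|g> <container_start> <host_start> <count>"; 0 only if all fit
idmap_ok() {
    bad=0
    while read -r key _ kind cstart hstart count; do
        [ "$key" = "lxc.id_map" ] || continue
        case $kind in
            u) sub=$3 ;;
            g) sub=$4 ;;
            *) echo "FAIL unknown id_map kind '$kind'"; bad=$((bad + 1)); continue ;;
        esac
        if range_granted "$1" "$hstart" "$count" "$sub"; then
            echo "OK   $kind: container $cstart -> host $hstart ($count ids) granted to $1"
        else
            echo "FAIL $kind: host ids $hstart..$((hstart + count - 1)) not granted to $1"
            bad=$((bad + 1))
        fi
    done <<CFG
$2
CFG
    [ "$bad" -eq 0 ]
}

idmap_ok lxcuser "$SAMPLE_CONFIG" "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"
```

To run it against a real host, feed `$(cat ~/.local/share/lxc/c7-test/config)`, `$(cat /etc/subuid)` and `$(cat /etc/subgid)` with your own user name in place of the constructed strings.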
Fajar A. Nugraha
2015-08-10 11:44:31 UTC
Post by Fajar A. Nugraha
As a follow up to
https://lists.linuxcontainers.org/pipermail/lxc-users/2015-March/008658.html
, I've tested similar setup but with systemd-224. My build is
available on https://goo.gl/XpKFxS
- container start & stop
- lxc-console
- lxc-attach
- login via ssh
- systemd-journald. This means (among others) you won't have any
additional output from "systemctl status"
Correction: apparently systemd-journald WORKS, it's
systemd-journald-audit.socket that's failing:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1457054
If you've already run that, just run "rm
/etc/systemd/system/systemd-journald.service" and then reboot the
container.

Another thing: I noticed that sometimes sshd (either service or socket)
doesn't start when the container is started in the background (without
"-F"). A workaround that seems to work:

[***@c7-test ~]# cp /usr/lib/systemd/system/sshd.service /etc/systemd/system/sshd.service

[***@c7-test ~]# vi /etc/systemd/system/sshd.service

Replace
After=network.target sshd-keygen.service
with
After=local-fs.target sshd-keygen.service

and
WantedBy=multi-user.target
with
WantedBy=network.target

[***@c7-test ~]# systemctl disable sshd

[***@c7-test ~]# systemctl enable sshd

poweroff, then start the container again. Either sshd.service or
sshd.socket should always be started now (check with
"systemctl -a | grep ssh").
--
Fajar