[lxc-users] Numerous errors running unprivileged container on Arch Linux x86_64
John
2017-01-10 20:54:22 UTC
I set up /etc/subuid and /etc/subgid and modified /etc/lxc/default.conf to add the needed uid/gids:

% grep root /etc/sub*
/etc/subgid:root:100000:65536
/etc/subuid:root:100000:65536


% cat /etc/lxc/default.conf
lxc.network.type = empty
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536


I then created an lxc via:
# lxc-create -t download -n nw

I pulled down the archlinux current amd64 image.

This is my config:
-----
# Distribution configuration
lxc.include = /usr/share/lxc/config/archlinux.common.conf
lxc.include = /usr/share/lxc/config/archlinux.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /var/lib/lxc/nw/rootfs
lxc.rootfs.backend = dir
lxc.utsname = nw

# Network configuration
lxc.network.type = empty

-----

The problem is when I start the container, I see numerous errors relating to systemd and I am not sure what is missing from my config. Advice is deeply appreciated.

# lxc-start -n nw -F

systemd 232 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to Arch Linux!

Set hostname to <nw>.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to install release agent, ignoring: No such file or directory
[ OK ] Listening on Journal Socket.
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ OK ] Listening on Process Core Dump Socket.
[ OK ] Listening on Journal Socket (/dev/log).
[ OK ] Listening on /dev/initctl Compatibility Named Pipe.
[ OK ] Listening on Device-mapper event daemon FIFOs.
user.slice: Failed to reset devices.list: Operation not permitted
user.slice: Failed to set invocation ID on control group /user.slice, ignoring: Operation not permitted
[ OK ] Created slice User and Session Slice.
[ OK ] Listening on Network Service Netlink Socket.
[ OK ] Reached target Remote File Systems.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Reached target Encrypted Volumes.
[ OK ] Reached target Paths.
system.slice: Failed to reset devices.list: Operation not permitted
system.slice: Failed to set invocation ID on control group /system.slice, ignoring: Operation not permitted
[ OK ] Created slice System Slice.
dev-mqueue.mount: Failed to reset devices.list: Operation not permitted
dev-mqueue.mount: Failed to set invocation ID on control group /system.slice/dev-mqueue.mount, ignoring: Operation not permitted
Mounting POSIX Message Queue File System...
systemd-journald.service: Failed to reset devices.list: Operation not permitted
systemd-journald.service: Failed to set invocation ID on control group /system.slice/systemd-journald.service, ignoring: Operation not permitted
Starting Journal Service...
systemd-remount-fs.service: Failed to reset devices.list: Operation not permitted
systemd-remount-fs.service: Failed to set invocation ID on control group /system.slice/systemd-remount-fs.service, ignoring: Operation not permitted
Starting Remount Root and Kernel File Systems...
[ OK ] Reached target Slices.
systemd-sysctl.service: Failed to reset devices.list: Operation not permitted
systemd-sysctl.service: Failed to set invocation ID on control group /system.slice/systemd-sysctl.service, ignoring: Operation not permitted
Starting Apply Kernel Variables...
system-container\x2dgetty.slice: Failed to reset devices.list: Operation not permitted
system-container\x2dgetty.slice: Failed to set invocation ID on control group /system.slice/system-container\x2dgetty.slice, ignoring: Operation not permitted
[ OK ] Created slice system-container\x2dgetty.slice.
system-getty.slice: Failed to reset devices.list: Operation not permitted
system-getty.slice: Failed to set invocation ID on control group /system.slice/system-getty.slice, ignoring: Operation not permitted
[ OK ] Created slice system-getty.slice.
[ OK ] Reached target Swap.
tmp.mount: Failed to reset devices.list: Operation not permitted
tmp.mount: Failed to set invocation ID on control group /system.slice/tmp.mount, ignoring: Operation not permitted
Mounting Temporary Directory...
[ OK ] Listening on LVM2 metadata daemon socket.
dev-random.mount: Failed to reset devices.list: Operation not permitted
dev-tty1.mount: Failed to reset devices.list: Operation not permitted
proc-sys-net.mount: Failed to reset devices.list: Operation not permitted
dev-tty.mount: Failed to reset devices.list: Operation not permitted
dev-zero.mount: Failed to reset devices.list: Operation not permitted
dev-full.mount: Failed to reset devices.list: Operation not permitted
dev-tty3.mount: Failed to reset devices.list: Operation not permitted
dev-urandom.mount: Failed to reset devices.list: Operation not permitted
dev-tty2.mount: Failed to reset devices.list: Operation not permitted
proc-sysrq\x2dtrigger.mount: Failed to reset devices.list: Operation not permitted
-.mount: Failed to reset devices.list: Operation not permitted
sys-devices-virtual-net.mount: Failed to reset devices.list: Operation not permitted
dev-tty4.mount: Failed to reset devices.list: Operation not permitted
dev-null.mount: Failed to reset devices.list: Operation not permitted
sys-fs-fuse-connections.mount: Failed to reset devices.list: Operation not permitted
dev-tty5.mount: Failed to reset devices.list: Operation not permitted
dev-tty6.mount: Failed to reset devices.list: Operation not permitted
init.scope: Failed to reset devices.list: Operation not permitted
[ OK ] Mounted POSIX Message Queue File System.
[ OK ] Mounted Temporary Directory.
[ OK ] Started Remount Root and Kernel File Systems.
[ OK ] Started Apply Kernel Variables.
[ OK ] Reached target Local File Systems (Pre).
[ OK ] Reached target Local File Systems.
[ OK ] Started Journal Service.
Starting Flush Journal to Persistent Storage...
[ OK ] Started Flush Journal to Persistent Storage.
Starting Create Volatile Files and Directories...
[ OK ] Started Create Volatile Files and Directories.
Starting Update UTMP about System Boot/Shutdown...
[ OK ] Started Update UTMP about System Boot/Shutdown.
[ OK ] Reached target System Initialization.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Reached target Sockets.
[ OK ] Reached target Basic System.
[ OK ] Started D-Bus System Message Bus.
Starting Network Service...
Starting Login Service...
[ OK ] Started Daily rotation of log files.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Started Daily verification of password and group files.
[ OK ] Started Daily man-db cache update.
[ OK ] Reached target Timers.
[ OK ] Started Login Service.
[ OK ] Started Network Service.
[ OK ] Reached target Network.
Starting Permit User Sessions...
Starting Network Name Resolution...
[ OK ] Started Permit User Sessions.
[ OK ] Started Console Getty.
[ OK ] Started Getty on lxc/tty6.
[ OK ] Started Container Getty on /dev/pts/2.
[ OK ] Started Getty on lxc/tty2.
[ OK ] Started Getty on lxc/tty5.
[ OK ] Started Container Getty on /dev/pts/1.
[ OK ] Started Container Getty on /dev/pts/5.
[ OK ] Started Container Getty on /dev/pts/3.
[ OK ] Started Getty on lxc/tty4.
[ OK ] Started Getty on lxc/tty1.
[ OK ] Started Getty on lxc/tty3.
[ OK ] Started Container Getty on /dev/pts/0.
[ OK ] Started Container Getty on /dev/pts/4.
[ OK ] Reached target Login Prompts.
[ OK ] Started Network Name Resolution.
[ OK ] Reached target Multi-User System.

Arch Linux 4.9.2-2-custom (console)

nw login:
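The mapping in the post above is only sound if every lxc.id_map range lies inside a range that /etc/subuid and /etc/subgid actually delegate to the owning user. The script below is an added example written for this thread (not LXC project code) that performs that check against a container config: it parses each `lxc.id_map` (or the newer `lxc.idmap`) line, takes the host-side start and count, and confirms the interval is covered by one allotment for the user. Root can write the mapping directly, so a root-started container like this one does not go through newuidmap(1); the check is still worth running because the sub*id files are the host's record of which ranges are delegated, and an overlap with another container's range is what you want to catch.

```shell
#!/bin/sh
# Added example for this thread, not from the LXC project.
# Verify that the host-side ranges in lxc.id_map / lxc.idmap lines of a
# container config are delegated to USER in /etc/subuid and /etc/subgid.
set -eu

# range_ok FILE USER BASE COUNT
# Print "ok" when [BASE, BASE+COUNT) lies within one USER entry of FILE
# (format user:start:count), "bad" otherwise.
range_ok() {
    awk -F: -v u="$2" -v b="$3" -v c="$4" '
        $1 == u && $2 <= b && b + c <= $2 + $3 { found = 1 }
        END { print (found ? "ok" : "bad") }' "$1"
}

# check_idmap USER CONF [SUBUID] [SUBGID]
# Return 0 when every id_map line of CONF is covered, 1 otherwise; each
# uncovered range is reported on stderr.
check_idmap() {
    user="$1"; conf="$2"
    subuid="${3:-/etc/subuid}"; subgid="${4:-/etc/subgid}"
    rc=0
    # Fields after the "=": kind, container start, host start, count.
    # The container start is ignored; only the host range is delegated.
    while read -r kind base count; do
        case "$kind" in
            u) file="$subuid" ;;
            g) file="$subgid" ;;
            *) continue ;;
        esac
        if [ "$(range_ok "$file" "$user" "$base" "$count")" != ok ]; then
            echo "id_map $kind $base $count is not delegated to $user in $file" >&2
            rc=1
        fi
    done <<EOF
$(sed -n 's/^lxc\.id_*map *= *\([ug]\) *[0-9]* *\([0-9]*\) *\([0-9]*\).*/\1 \2 \3/p' "$conf")
EOF
    return $rc
}

# Usage on the host, for the container in this thread:
#   check_idmap root /var/lib/lxc/nw/config && echo "mapping delegated"
```

The awk comparison is numeric, so a range that starts one id before the allotment or runs one id past it is rejected; that is the same interval test newuidmap(1) applies before it will write a mapping for a non-root user.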
Fajar A. Nugraha
2017-01-11 03:23:46 UTC
Post by John
I pulled down the archlinux current amd64 image.
The problem is when I start the container, I see numerous errors relating
to systemd and I am not sure what is missing from my config. Advice is
deeply appreciated.
system.slice: Failed to reset devices.list: Operation not permitted
system.slice: Failed to set invocation ID on control group /system.slice,
ignoring: Operation not permitted
[ OK ] Created slice System Slice.
[ OK ] Reached target Multi-User System.
Arch Linux 4.9.2-2-custom (console)
Short version: if you can get login prompt, and the system works as
expected (e.g. services are running, you get ip address, etc), then it's
safe to ignore the errors. Mostly they're just warnings due to running
unprivileged.

Some distro versions (e.g. debian jessie) require a systemd update (e.g.
from debian stretch packages) to work properly as an unpriv container, but
from what you pasted, archlinux should be fine.
--
Fajar
John
2017-01-11 20:02:41 UTC
________________________________
Sent: Tuesday, January 10, 2017 10:23 PM
Subject: Re: [lxc-users] Numerous errors running unprivileged container on Arch Linux x86_64
Short version: if you can get login prompt, and the system works as expected (e.g. services are running, you get ip address, etc), then it's safe to ignore the errors. Mostly they're just warnings due to running unprivileged.
Some distro versions (e.g. debian jessie) requires systemd update (e.g. from debian stretch packages) to work properly as unpriv container, but from what you pasted, archlinux should be fine.
Thank you for the kind reply. My goal is to have openvpn and a LAMP stack run from within the
unprivileged container. The problem (perhaps related to my config being incorrectly configured) is that openvpn will not run when systemd starts it. Interestingly, if I run openvpn as root from within the container, it runs just fine. Is there a way to use the systemd service to run openvpn?


Error:
# systemctl status openvpn-***@splus.service
● openvpn-***@splus.service - OpenVPN service for splus
Loaded: loaded (/usr/lib/systemd/system/openvpn-***@.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2017-01-11 19:56:49 UTC; 7s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 49 ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --co
Main PID: 49 (code=exited, status=1/FAILURE)

Jan 11 19:56:49 nw openvpn[49]: TUN/TAP device tun0 opened
Jan 11 19:56:49 nw openvpn[49]: Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Jan 11 19:56:49 nw openvpn[49]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 11 19:56:49 nw openvpn[49]: /usr/bin/ip link set dev tun0 up mtu 1500
Jan 11 19:56:49 nw openvpn[49]: openvpn_execve: unable to fork: Resource temporarily unavailable (errno=11)
Jan 11 19:56:49 nw openvpn[49]: Exiting due to fatal error
Jan 11 19:56:49 nw systemd[1]: openvpn-***@splus.service: Main process exited, code=exited, status=1/FAILURE
Jan 11 19:56:49 nw systemd[1]: Failed to start OpenVPN service for splus.
Jan 11 19:56:49 nw systemd[1]: openvpn-***@splus.service: Unit entered failed state.
Jan 11 19:56:49 nw systemd[1]: openvpn-***@splus.service: Failed with result 'exit-code'.


Config:
---
lxc.include = /usr/share/lxc/config/archlinux.common.conf
lxc.include = /usr/share/lxc/config/archlinux.userns.conf
lxc.arch = x86_64
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /var/lib/lxc/nw/rootfs
lxc.rootfs.backend = dir
lxc.utsname = nw
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm
---
Fajar A. Nugraha
2017-01-12 00:38:08 UTC
Post by John
Thank you for the kind reply. My goal is to have openvpn and a LAMP stack
run from within the
unprivileged container. The problem (perhaps related to my config being
incorrectly configured) is that openvpn will not run when systemd starts
it. Interestingly, if I run openvpn as root from within the container, it
runs just fine. Is there a way to use the systemd service to run openvpn?
It's a known openvpn-systemd-unpriv-container issue. You need to edit (or
override) ***@.service.

http://askubuntu.com/questions/747023/systemd-fails-to-start-openvpn-in-lxd-managed-16-04-container
--
Fajar
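The failure John pasted is `openvpn_execve: unable to fork: Resource temporarily unavailable (errno=11)`, raised the moment OpenVPN spawns `/usr/bin/ip`; fork() returning EAGAIN is what RLIMIT_NPROC being exhausted looks like. The script below is an added example for this thread (not OpenVPN or LXC project code) of the override Fajar refers to. It assumes the cause behind the linked answer: the upstream OpenVPN 2.4 unit sets `LimitNPROC=10`, and in an unprivileged container every process of container-root is, as the kernel sees it, owned by one host uid (100000 here), so the limit is checked against that uid's process count on the whole host and trips at once. The unit name `openvpn-server@.service` is inferred from the `%t/openvpn-server/status-%i.log` path in the ExecStart line, since the archive masked it.

```shell
#!/bin/sh
# Added example for this thread, not from the OpenVPN or LXC projects.
# Install a systemd drop-in that lifts the per-uid process limit on an
# OpenVPN template unit so it can fork helpers inside an unprivileged
# container. Assumption: the stock unit carries LimitNPROC=10, which is
# shared with every other process of the same host uid in the container.
set -eu

# write_nproc_override UNIT [ROOT]
# Create ROOT/UNIT.d/override.conf (ROOT defaults to /etc/systemd/system)
# and print the path written. A drop-in only replaces the directives it
# names, so the unit's other hardening (CapabilityBoundingSet, DeviceAllow,
# ProtectSystem) stays in force.
write_nproc_override() {
    unit="$1"
    root="${2:-/etc/systemd/system}"
    dir="$root/$unit.d"
    mkdir -p "$dir"
    printf '[Service]\nLimitNPROC=infinity\n' > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# is_nproc_symptom LINE
# Succeed when a journal line shows the fork/EAGAIN failure this addresses,
# so the fix is applied only to the failure mode it matches.
is_nproc_symptom() {
    case "$1" in
        *"unable to fork"*"errno=11"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage as root inside the container:
#   write_nproc_override 'openvpn-server@.service'
#   systemctl daemon-reload
#   systemctl restart 'openvpn-server@splus.service'
#   systemctl show -p LimitNPROC 'openvpn-server@splus.service'   # expect infinity
```

`LimitNPROC=infinity` is the value commonly quoted for this problem, but it removes a fork-bomb guard; a bounded value large enough for the container's whole uid (a few hundred) gives the same result with less given away. The `/dev/net` bind mount and the `c 10:200 rwm` cgroup rule in John's config are still needed for `/dev/net/tun`; they address the TUN device, not the fork limit.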
John
2017-01-12 07:30:18 UTC
________________________________
Sent: Wednesday, January 11, 2017 7:38 PM
Subject: Re: [lxc-users] Numerous errors running unprivileged container on Arch Linux x86_64
http://askubuntu.com/questions/747023/systemd-fails-to-start-openvpn-in-lxd-managed-16-04-container
Yes! I did not find that link despite my best efforts googling. I am able to get openvpn up and running in the unprivileged container. Thank you very much!