Discussion:
Creating a container as non root
Kevin Wilson
2014-01-09 06:08:59 UTC
Hello,
I believe that creating a container as non root user should be straight-forward.

I added a user named "test" and I am trying to create a container (see
below the sequence). I am running latest lxc git
(built from source, as root) on Fedora 20.

useradd test
su test

lxc-create -t busybox -n busyboxTest
I get:

You lack access to /home/test/.local/share/lxc/
I ran;
mkdir -p /home/test/.local/share/lxc/

Then again:
lxc-create -t busybox -n busyboxTest
lxc-create: Permission denied - failed to create directory '/run/user/0/lock/'

failed to create lock
System error loading container

What should I do ?

Regards,
Kevin
Michael H. Warfield
2014-01-09 15:39:48 UTC
Post by Kevin Wilson
Hello,
I believe that creating a container as non root user should be straight-forward.
Sigh... I'm afraid not...

Funny, Serge and I just had a couple of comments in exchange about this
very thing with regards to templates. He's been working on getting
containers to run under unprivileged users and I know the Fedora and
CentOS templates will not even run under a non-user (they check). His
remark was that most templates will not and can not, including the
Ubuntu template. Problem with the Ubuntu template (and, presumably the
Debian template) is the use of debootstrap which, in turn, uses mknod to
create devices for the container - and you're then toast.

The problem there is that there are going to be privileged operations
(chown, mknod, etc) that are simply going to require privileges in the
host which are not available to the non-priv user.

I'm not so sure about the busybox template but I wouldn't be optimistic.
It does look like it checks to see if it's in a user namespace and uses
mknod if not and does something else if it is. So, it looks like it
SHOULD work. But you have to have user namespaces set up to work.

Once a container is created, it should be possible to run it under a
non-priv user if you have a recent enough kernel along with the latest
lxc tools. But it seems likely we could ever navigate the morass of
creating a template using lxc-create as a non-priv user.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!

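Mike's remark that the busybox template checks whether it is in a user namespace and only calls mknod when it is not, written out as an added example. This is not the template's own code and not from anyone in the thread: the check reads the text of /proc/self/uid_map (the host's initial namespace maps exactly "0 0 4294967295"; a shifted or partial map means a user namespace), and make_dev then either creates a real device node or, inside a namespace where the kernel refuses mknod of device nodes, leaves an empty placeholder file for lxc to bind-mount the host device onto. The function names, the rootfs layout and the placeholder strategy are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the lxc busybox template's own code.
# Decide whether we are inside a user namespace from the text of
# /proc/self/uid_map, and choose how to populate /dev accordingly.

# in_userns MAP
#   MAP is the content of a uid_map. The initial (host) namespace has
#   exactly one line "0 0 4294967295"; anything else is a user namespace.
#   An empty MAP (file absent: kernel without userns support) counts as "no".
in_userns() {
    map=$1
    if [ -z "$map" ]; then
        echo no
        return
    fi
    lines=$(printf '%s\n' "$map" | grep -c .) || true
    if [ "$lines" -ne 1 ]; then
        echo yes
        return
    fi
    # word splitting of the single map line is intended here
    set -- $map
    if [ "$1 $2 $3" = "0 0 4294967295" ]; then
        echo no
    else
        echo yes
    fi
}

# host_in_userns: run the check against the live process (assumed helper).
host_in_userns() {
    if [ -r /proc/self/uid_map ]; then
        in_userns "$(cat /proc/self/uid_map)"
    else
        in_userns ""
    fi
}

# make_dev ROOTFS NAME TYPE MAJOR MINOR MAP
#   Create ROOTFS/dev/NAME. Outside a userns, mknod the real node (needs
#   CAP_MKNOD on the host). Inside a userns the kernel refuses mknod of
#   device nodes, so leave an empty regular file as a bind-mount target
#   instead. Prints which strategy was used.
make_dev() {
    rootfs=$1 name=$2 type=$3 major=$4 minor=$5 map=$6
    mkdir -p "$rootfs/dev" || return 1
    if [ "$(in_userns "$map")" = yes ]; then
        : > "$rootfs/dev/$name" || return 1
        echo bindmount
    else
        mknod -m 666 "$rootfs/dev/$name" "$type" "$major" "$minor" || return 1
        echo mknod
    fi
}

# Example: populate a scratch rootfs the way a template would.
# rootfs=$(mktemp -d)
# make_dev "$rootfs" null c 1 3 "$(cat /proc/self/uid_map)"
# make_dev "$rootfs" zero c 1 5 "$(cat /proc/self/uid_map)"
```

The check only tells you which branch you are on; it does not grant anything. In the non-namespace branch mknod still needs CAP_MKNOD on the host, which is exactly the privilege an unprivileged user lacks, so a template run as a plain user outside a user namespace fails there just as Mike describes.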
Cal Leeming [Simplicity Media Ltd]
2014-01-09 16:05:40 UTC
Serge Hallyn
2014-01-09 16:11:38 UTC
Sounds good. It might be worthwhile having a 'lxc-setup-images' command
which requires root and builds the base images. Then unprivileged users
could untar/unsquash those images.

To be clear, I absolutely *can* create and run ubuntu-cloud images
without being root.

-serge
Post by Cal Leeming [Simplicity Media Ltd]
It's also worth mentioning that fakeroot/fakechroot have some nasty issues
with debootstrap;
https://bugs.launchpad.net/ubuntu/+source/fakechroot/+bug/1265857
One theory I'm exploring is building "base images" on a machine that does
have root, by running debootstrap on every flavor/arch then using
mksquashfs to compress it down into an image. You could then use unsquashfs
to force whatever uid/gid you wanted, then fakechroot/fakeroot to make
whatever changes you need to the container before launching. The downside
is that there is no public mirror that offers this at the moment (other
than the latest 13.x ubuntu, which contains a filesystem.squashfs you can
extract, but it's 700mb). You could create your own set of base images,
then wrap scripts around them to create the templates, but this is
absolutely not going to work out of the box, there is a lot of tedious work
involved.
I'm planning on doing a better write up about this (as its something I'm
actively working on), will update this thread at a later date.
Hope this helps a bit
Cal
Cal Leeming [Simplicity Media Ltd]
2014-08-05 23:06:37 UTC
Just wanted to chime in on this, it would seem that creating unprivileged
containers works fine, at least for download template of Ubuntu.

However the problem starts when you use "sudo su".

For example, the following breaks;

admin$ sudo su deploy
admin$ lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64
lxc-create: Permission denied - failed to create directory
'/run/user/999/lock/'
lxc-create: Error opening /tmp/1000/lxc//home/deploy/.local/share/lxc/u1

But the following works;

admin$ ssh deploy at 127.0.0.1
admin$ lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64
Setting up the GPG keyring
Downloading the image index

It would seem that lxc-create is picking up a uid 999 (admin) for the lock,
and uid 1000 (deploy) for the tmp directory.

I had a quick look at the source but couldn't pin point where/why this was
happening.

Although there are other issues with creating unprivileged containers (as
per your previous discussion), this is probably a bug in its own right.

Thoughts?

Cal



Cal Leeming [Simplicity Media Ltd]
2014-08-05 23:20:11 UTC
For what it's worth, I was able to get around the "sudo su" problem by
doing the following;

admin$ sudo -sHu deploy
deploy$ lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64
-- snip --
You just created an Ubuntu container (release=trusty, arch=amd64,
variant=default)

I only came across this fix from an obscure rant from someone on IRC about
why "sudo su" is terrible.

Would seem others have had this same "sudo su" problem and it's quite
unexpected, given how popular it is.
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

It would be nice if "sudo su" was supported, as it does seem like an odd
bug / "feature" :)

Cal



Serge Hallyn
2014-08-05 23:22:15 UTC
Post by Cal Leeming [Simplicity Media Ltd]
Just wanted to chime in on this, it would seem that creating unprivileged
containers works fine, at least for download template of Ubuntu.
However the problem starts when you use "sudo su".
For example, the following breaks;
admin$ sudo su deploy
admin$ lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64
lxc-create: Permission denied - failed to create directory
'/run/user/999/lock/'
From this shell, what do 'echo $XDG_RUNTIME_DIR' and 'echo $HOME' say?
Cal Leeming [Simplicity Media Ltd]
2014-08-06 00:24:48 UTC
Sure;

deploy$ echo $XDG_RUNTIME_DIR
/run/user/999
deploy$ echo $HOME
/home/deploy

deploy$ cat /proc/self/cgroup
11:hugetlb:/
10:perf_event:/
9:blkio:/
8:freezer:/
7:devices:/
6:memory:/
5:cpuacct:/
4:cpu:/
3:cpuset:/
2:name=systemd:/user/999.user/5.session

Expected uid is 1000 (deploy) but its showing 999 (admin).


Cal


Post by Serge Hallyn
Post by Cal Leeming [Simplicity Media Ltd]
Post by Kevin Wilson
creating a template using lxc-create as a non-priv user.
Post by Kevin Wilson
I added a user named "test" and I am trying to create a container
(see
Post by Cal Leeming [Simplicity Media Ltd]
Post by Kevin Wilson
Post by Kevin Wilson
below the sequence). I am running latest lxc git
(built from source, as root) on Fedora 20.
useradd test
su test
lxc-create -t busybox -n busyboxTest
You lack access to /home/test/.local/share/lxc/
I ran;
mkdir -p /home/test/.local/share/lxc/
lxc-create -t busybox -n busyboxTest
lxc-create: Permission denied - failed to create directory
'/run/user/0/lock/'
Post by Kevin Wilson
failed to create lock
System error loading container
What should I do ?
Regards,
Kevin
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 |
http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the
best
Post by Cal Leeming [Simplicity Media Ltd]
Post by Serge Hallyn
of
Post by Cal Leeming [Simplicity Media Ltd]
Post by Kevin Wilson
all
PGP Key: 0x674627FF | possible worlds. A pessimist is
sure of
Post by Cal Leeming [Simplicity Media Ltd]
Post by Serge Hallyn
it!
Post by Cal Leeming [Simplicity Media Ltd]
Post by Kevin Wilson
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Cal Leeming [Simplicity Media Ltd]
2014-08-06 00:26:04 UTC
(sorry hit return too fast).

Also turns out that the sudo -shU trick doesn't work, results in;

deploy$ lxc-start -n u1
lxc_container: call to cgmanager_create_sync failed: invalid request

Found another semi related ticket;
https://github.com/lxc/lxc/issues/181

Cal



On Wed, Aug 6, 2014 at 1:24 AM, Cal Leeming [Simplicity Media Ltd] <
Post by Cal Leeming [Simplicity Media Ltd]
Sure;
deploy$ echo $XDG_RUNTIME_DIR
/run/user/999
deploy$ echo $HOME
/home/deploy
deploy$ cat /proc/self/cgroup
11:hugetlb:/
10:perf_event:/
9:blkio:/
8:freezer:/
7:devices:/
6:memory:/
5:cpuacct:/
4:cpu:/
3:cpuset:/
2:name=systemd:/user/999.user/5.session
Expected uid is 1000 (deploy) but its showing 999 (admin).
Cal
Cal Leeming [Simplicity Media Ltd]
2014-08-06 00:32:57 UTC
Also found this discussion on the matter in systemd;
http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html

Cal


On Wed, Aug 6, 2014 at 1:26 AM, Cal Leeming [Simplicity Media Ltd] <
Post by Cal Leeming [Simplicity Media Ltd]
(sorry hit return too fast).
Also turns out that the sudo -shU trick doesn't work, results in;
deploy$ lxc-start -n u1
lxc_container: call to cgmanager_create_sync failed: invalid request
Found another semi related ticket;
https://github.com/lxc/lxc/issues/181
Cal
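The mismatch Cal reports above (a shell running as uid 1000 after "sudo su deploy" that still carries admin's XDG_RUNTIME_DIR=/run/user/999, so lxc-create fails on /run/user/999/lock/) can be caught before any lxc command runs. The POSIX shell check below is an added example, not code from this thread or from the lxc project. The function names (check_runtime_env, check_live_env) are mine, and it assumes, from the error output quoted in the thread rather than from lxc source, that lxc puts its lock directory under XDG_RUNTIME_DIR when that variable is set. It goes a little beyond the thread's case by also rejecting a runtime directory of the wrong shape and by checking ownership of HOME, since ~/.local/share/lxc has to be writable by the unprivileged user as well.

```sh
#!/bin/sh
# Added example (not code from this thread or from the lxc project):
# sanity-check the session environment before running unprivileged lxc
# commands, so the XDG_RUNTIME_DIR / uid mismatch seen after "sudo su"
# is reported up front instead of surfacing as Permission denied on
# /run/user/<other uid>/lock/.
#
# Assumption (taken from the error output in the thread, not from lxc
# source): lxc places its lock directory under XDG_RUNTIME_DIR when set.
#
# check_runtime_env UID XDG_RUNTIME_DIR HOME
#   returns 0 when the values are consistent with a real login for UID,
#   1 when XDG_RUNTIME_DIR belongs to some other uid (the "sudo su" case),
#   2 when HOME is owned by some other uid. Diagnostics go to stderr.
# Inputs are explicit parameters so the check can be run against
# constructed values as well as the live environment.
check_runtime_env() {
    uid=$1
    runtime_dir=${2%/}    # tolerate a trailing slash
    home_dir=$3

    if [ -n "$runtime_dir" ]; then
        case "$runtime_dir" in
            /run/user/"$uid")   # systemd-logind layout for this uid: fine so far
                ;;
            /run/user/*)
                other=${runtime_dir#/run/user/}
                other=${other%%/*}
                echo "XDG_RUNTIME_DIR=$runtime_dir belongs to uid $other, but you are uid $uid" >&2
                echo "lxc would try to create $runtime_dir/lock/ and get Permission denied" >&2
                return 1
                ;;
            *)
                echo "XDG_RUNTIME_DIR=$runtime_dir is not a per-user runtime directory" >&2
                return 1
                ;;
        esac
        # The name looks right; if the directory exists, confirm ownership too.
        if [ -d "$runtime_dir" ]; then
            owner=$(stat -c %u "$runtime_dir" 2>/dev/null) || owner=
            if [ -n "$owner" ] && [ "$owner" != "$uid" ]; then
                echo "$runtime_dir exists but is owned by uid $owner, not uid $uid" >&2
                return 1
            fi
        fi
    fi

    if [ -n "$home_dir" ] && [ -d "$home_dir" ]; then
        owner=$(stat -c %u "$home_dir" 2>/dev/null) || owner=
        if [ -n "$owner" ] && [ "$owner" != "$uid" ]; then
            echo "HOME=$home_dir is owned by uid $owner, not uid $uid; ~/.local/share/lxc will not be writable" >&2
            return 2
        fi
    fi
    return 0
}

# Check the live environment of the calling shell.
check_live_env() {
    check_runtime_env "$(id -u)" "${XDG_RUNTIME_DIR-}" "${HOME-}"
}

# Constructed values matching the thread's "sudo su deploy" case: the shell
# runs as uid 1000 (deploy) but still carries admin's /run/user/999.
if check_runtime_env 1000 /run/user/999 /nonexistent; then
    echo "environment ok"
else
    echo "refusing to run lxc-create; start from a real login (e.g. ssh in) instead"
fi
```

Call check_live_env at the top of any wrapper that runs lxc-create or lxc-start as an unprivileged user. It covers only the environment half of the problem: the cgmanager_create_sync failure Cal sees with lxc-start is about which session cgroup the shell was placed in, and for that the proper login session Serge recommends is still needed.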
Serge Hallyn
2014-08-06 00:43:17 UTC
Post by Cal Leeming [Simplicity Media Ltd]
Sure;
deploy$ echo $XDG_RUNTIME_DIR
/run/user/999
Right, so we're not going to have lxc second-guess your environment.
Note actually that on my host (ubuntu 14.10) 'sudo su otheruser' clears
out XDG_RUNTIME_DIR, so lxc would correctly fall back to using the new
$HOME.

I'd simply recommend ssh'ing in to get a proper login environment.
Post by Cal Leeming [Simplicity Media Ltd]
deploy$ echo $HOME
/home/deploy
deploy$ cat /proc/self/cgroup
11:hugetlb:/
10:perf_event:/
9:blkio:/
8:freezer:/
7:devices:/
6:memory:/
5:cpuacct:/
4:cpu:/
3:cpuset:/
2:name=systemd:/user/999.user/5.session
Expected uid is 1000 (deploy) but its showing 999 (admin).
Cal
'/run/user/0/lock/'
Post by Kevin Wilson
failed to create lock
System error loading container
What should I do ?
Regards,
Kevin
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 |
http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the
best
Post by Cal Leeming [Simplicity Media Ltd]
Post by Serge Hallyn
of
Post by Cal Leeming [Simplicity Media Ltd]
Post by Kevin Wilson
all
PGP Key: 0x674627FF | possible worlds. A pessimist is
sure of
Post by Cal Leeming [Simplicity Media Ltd]
Post by Serge Hallyn
it!
Post by Cal Leeming [Simplicity Media Ltd]
Post by Kevin Wilson
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Cal Leeming [Simplicity Media Ltd]
2014-08-06 00:45:37 UTC
Permalink
Interesting, I'm running 14.04.1.

Could you paste your output of /proc/self/cgroup from inside your "sudo su"?
I'd be interested to see if the systemd entry is correct too.

Cal

On Wed, Aug 6, 2014 at 1:43 AM, Serge Hallyn <serge.hallyn at ubuntu.com>
Post by Serge Hallyn
Quoting Cal Leeming [Simplicity Media Ltd] (
Post by Cal Leeming [Simplicity Media Ltd]
Sure;
deploy$ echo $XDG_RUNTIME_DIR
/run/user/999
Right, so we're not going to have lxc second-guess your environment.
Note actually that on my host (ubuntu 14.10) 'sudo su otheruser' clears
out XDG_RUNTIME_DIR, so lxc would correctly fall back to using the new
$HOME.
I'd simply recommend ssh'ing in to get a proper login environment.
Post by Cal Leeming [Simplicity Media Ltd]
deploy$ echo $HOME
/home/deploy
deploy$ cat /proc/self/cgroup
11:hugetlb:/
10:perf_event:/
9:blkio:/
8:freezer:/
7:devices:/
6:memory:/
5:cpuacct:/
4:cpu:/
3:cpuset:/
2:name=systemd:/user/999.user/5.session
Expected uid is 1000 (deploy) but it's showing 999 (admin).
Cal
On Wed, Aug 6, 2014 at 12:22 AM, Serge Hallyn <serge.hallyn at ubuntu.com>
Post by Serge Hallyn
Quoting Cal Leeming [Simplicity Media Ltd] (
Post by Cal Leeming [Simplicity Media Ltd]
Just wanted to chime in on this, it would seem that creating unprivileged
containers works fine, at least for the download template of Ubuntu.
However the problem starts when you use "sudo su".
For example, the following breaks;
admin$ sudo su deploy
admin$ lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64
lxc-create: Permission denied - failed to create directory '/run/user/999/lock/'
From this shell, what do 'echo $XDG_RUNTIME_DIR' and 'echo $HOME' say?
Post by Cal Leeming [Simplicity Media Ltd]
lxc-create: Error opening /tmp/1000/lxc//home/deploy/.local/share/lxc/u1
But the following works;
admin$ ssh deploy at 127.0.0.1
admin$ lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64
Setting up the GPG keyring
Downloading the image index
It would seem that lxc-create is picking up a uid 999 (admin) for the lock,
and uid 1000 (deploy) for the tmp directory.
I had a quick look at the source but couldn't pinpoint where/why this was
happening.
Although there are other issues with creating unprivileged containers (as
per your previous discussion), this is probably a bug in its own right.
Thoughts?
Cal
On Thu, Jan 9, 2014 at 4:11 PM, Serge Hallyn <serge.hallyn at ubuntu.com>
Post by Serge Hallyn
Sounds good. It might be worthwhile having a 'lxc-setup-images' command
which requires root and builds the base images. Then unprivileged users
could untar/unsquash those images.
To be clear, I absolutely *can* create and run ubuntu-cloud images
without being root.
-serge
Quoting Cal Leeming [Simplicity Media Ltd] (
Post by Cal Leeming [Simplicity Media Ltd]
It's also worth mentioning that fakeroot/fakechroot have some nasty issues
with debootstrap;
https://bugs.launchpad.net/ubuntu/+source/fakechroot/+bug/1265857
One theory I'm exploring is building "base images" on a machine that does
have root, by running debootstrap on every flavor/arch then using
mksquashfs to compress it down into an image. You could then use unsquashfs
to force whatever uid/gid you wanted, then fakechroot/fakeroot to make
whatever changes you need to the container before launching. The downside
is that there is no public mirror that offers this at the moment (other
than the latest 13.x ubuntu, which contains a filesystem.squashfs you can
extract, but it's 700mb). You could create your own set of base images,
then wrap scripts around them to create the templates, but this is
absolutely not going to work out of the box, there is a lot of tedious work
involved.
I'm planning on doing a better write-up about this (as it's something I'm
actively working on), will update this thread at a later date.
Hope this helps a bit
Cal
On Thu, Jan 9, 2014 at 3:39 PM, Michael H. Warfield <mhw at wittsend.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140806/0a125313/attachment.html>
Cal Leeming [Simplicity Media Ltd]
2014-08-06 00:52:19 UTC
Permalink
Also I tried to unset XDG_RUNTIME_DIR but it resulted in a new error (which
I believe is related to "sudo su" not placing into the correct cgroup)

deploy$ lxc-start -n u1
lxc_container: call to cgmanager_create_sync failed: invalid request
lxc_container: Failed to create hugetlb:u1
lxc_container: Error creating cgroup hugetlb:u1
lxc_container: failed creating cgroups
lxc_container: failed to spawn 'u1'
lxc_container: The container failed to start.
lxc_container: Additional information can be obtained by setting the
--logfile and --log-priority options.

deploy$ declare -x XDG_RUNTIME_DIR="/run/user/999"
deploy$ lxc-start -n u1
lxc-start: Permission denied - failed to create directory
'/run/user/999/lock/'
lxc-start: Error opening /tmp/1000/lxc//home/deploy/.local/share/lxc/u1
lxc-start: Failed to create lxc_container

Having to loop back using SSH feels really hacky, but I don't know enough
about LXC internals to submit a patch or suggest a cleaner workaround.

Should this be treated as a bug, or feature, or neither?

Cal

On Wed, Aug 6, 2014 at 1:45 AM, Cal Leeming [Simplicity Media Ltd] <
Serge Hallyn
2014-08-06 02:33:18 UTC
Permalink
Post by Cal Leeming [Simplicity Media Ltd]
Also I tried to unset XDG_RUNTIME_DIR but it resulted in a new error (which
I believe is related to "sudo su" not placing into the correct cgroup)
deploy$ lxc-start -n u1
lxc_container: call to cgmanager_create_sync failed: invalid request
lxc_container: Failed to create hugetlb:u1
lxc_container: Error creating cgroup hugetlb:u1
lxc_container: failed creating cgroups
Right, you didn't have the rights to create your cgroup. As I expected
based on your earlier email where you listed /proc/self/cgroup.
Post by Cal Leeming [Simplicity Media Ltd]
lxc_container: failed to spawn 'u1'
lxc_container: The container failed to start.
lxc_container: Additional information can be obtained by setting the
--logfile and --log-priority options.
deploy$ declare -x XDG_RUNTIME_DIR="/run/user/999"
deploy$ lxc-start -n u1
lxc-start: Permission denied - failed to create directory
'/run/user/999/lock/'
lxc-start: Error opening /tmp/1000/lxc//home/deploy/.local/share/lxc/u1
lxc-start: Failed to create lxc_container
Having to loop back using SSH feels really hacky, but I don't know enough
about LXC internals to submit a patch or suggest a cleaner workaround.
You need a proper environment. Something with privilege needs to create
your cgroup for you. You can do it yourself in advance with privilege
by doing

sudo cgm create all deploy
sudo cgm chown all deploy $(id -u deploy) $(id -g deploy)

and then do

cgm movepid all deploy $$

after your sudo su. (And then you can set XDG_RUNTIME_DIR correctly by
hand if you like) But if you want pam to do that with privilege after
you authenticate, then you have to login somehow.
Post by Cal Leeming [Simplicity Media Ltd]
Should this be treated as a bug, or feature, or neither?
I'm seeing it as neither at the moment.

-serge
Serge Hallyn
2014-08-06 02:34:38 UTC
Permalink
Post by Cal Leeming [Simplicity Media Ltd]
Interesting, I'm running 14.04.1.
Could you paste your output of /proc/self/cgroup from inside your "sudo su"
? I'd be interested to see if the systemd entry is correct too
12:name=systemd:/user.slice/user-1000.slice/session-c2.scope
11:perf_event:/user.slice/user-1000.slice/session-c2.scope
10:net_prio:/user.slice/user-1000.slice/session-c2.scope
9:net_cls:/user.slice/user-1000.slice/session-c2.scope
8:memory:/user.slice/user-1000.slice/session-c2.scope
7:hugetlb:/user.slice/user-1000.slice/session-c2.scope
6:freezer:/user.slice/user-1000.slice/session-c2.scope
5:devices:/user.slice/user-1000.slice/session-c2.scope
4:cpuset:/user.slice/user-1000.slice/session-c2.scope
3:cpuacct:/user.slice/user-1000.slice/session-c2.scope
2:cpu:/user.slice/user-1000.slice/session-c2.scope
1:blkio:/user.slice/user-1000.slice/session-c2.scope

where uid 1000 is the old user uid, not the one I sudo su'd to, since
pam did not move me.
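A quick check for the condition Serge's listing shows (a shell reached via sudo su still sitting in the login user's slice), written as an added example that is not from the thread: it parses /proc/self/cgroup-style lines and flags every hierarchy outside user-<uid>.slice. The sample dump is constructed from the listing above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: report cgroup hierarchies whose path
# is not under the slice of a given uid, the state Serge's listing shows.

# Constructed sample, modelled on the listing Serge posted: every
# hierarchy still points at user-1000.slice (the login user), not at
# the uid reached via sudo su.
sample_cgroup() {
    cat <<'EOF'
12:name=systemd:/user.slice/user-1000.slice/session-c2.scope
11:perf_event:/user.slice/user-1000.slice/session-c2.scope
10:net_prio:/user.slice/user-1000.slice/session-c2.scope
9:net_cls:/user.slice/user-1000.slice/session-c2.scope
8:memory:/user.slice/user-1000.slice/session-c2.scope
7:hugetlb:/user.slice/user-1000.slice/session-c2.scope
6:freezer:/user.slice/user-1000.slice/session-c2.scope
5:devices:/user.slice/user-1000.slice/session-c2.scope
4:cpuset:/user.slice/user-1000.slice/session-c2.scope
3:cpuacct:/user.slice/user-1000.slice/session-c2.scope
2:cpu:/user.slice/user-1000.slice/session-c2.scope
1:blkio:/user.slice/user-1000.slice/session-c2.scope
EOF
}

# cgroup_owner_mismatch UID  (reads /proc/self/cgroup-style lines on stdin)
# Prints one line per hierarchy whose path is outside
# /user.slice/user-UID.slice and returns 1 if any was found, else 0.
cgroup_owner_mismatch() {
    uid="$1"
    found=0
    # Each line is "<id>:<subsystems>:<path>"; the path has no ':' here,
    # and read assigns the remainder of the line to the last variable.
    while IFS=: read -r id subsys path; do
        case "$path" in
            /user.slice/user-"$uid".slice/*) ;;
            *)  printf 'hierarchy %s (%s) is in %s, not under user-%s.slice\n' \
                    "$id" "$subsys" "$path" "$uid"
                found=1 ;;
        esac
    done
    return "$found"
}

# Demo with the constructed sample: run as "sh script.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    sample_cgroup | cgroup_owner_mismatch 999 ||
        echo 'shell is not in its own user slice; create and move into a cgroup first'
fi
```

On a live system the same check is `cgroup_owner_mismatch "$(id -u)" < /proc/self/cgroup`; a non-zero exit before lxc-start means the cgm create/chown/movepid steps above are still needed.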
Cal Leeming [Simplicity Media Ltd]
2014-08-06 02:39:27 UTC
Permalink
Thanks for the detailed reply, much appreciated.

I'll give cgm a try and see how it goes.

Cal
Serge Hallyn
2014-01-09 16:09:36 UTC
Permalink
Post by Michael H. Warfield
Post by Kevin Wilson
Hello,
I believe that creating a container as non root user should be straight-forward.
Sigh... I'm afraid not...
Funny, Serge and I just had a couple of comments in exchange about this
very thing with regards to templates. He's been working on getting
containers to run under unprivileged users and I know the Fedora and
CentOS templates will not even run under a non-user (they check). His
remark was that most templates will not and can not, including the
Ubuntu template. Problem with the Ubuntu template (and, presumably the
Debian template) is the use of debootstrap which, in turn, uses mknod to
create devices for the container - and you're then toast.
The problem there is that there are going to be privileged operations
(chown, mknod, etc) that are simply going to require privileges in the
host which are not available to the non-priv user.
Note though that anything that just untars an image will work fine.
This is why ubuntu-cloud works, and cirros should too (I just need
to test it and then presumably do some tweaks).

Main thing is that any image bootstrap mechanism which exits in failure
when it can't create devices is not gonna fly, unless we do some
ld_preload hackery.

-serge