Discussion: Unprivileged containers do not auto-start
Robert Pendell
2014-05-06 18:00:30 UTC
OS: Ubuntu 14.04 LTS x86_64
Kernel: Host-Supplied 3.14.1
Provider: Linode
Host Virtualization: Xen Paravirtualized
LXC Version: 1.0.3-0ubuntu3

On a fresh boot, unprivileged containers are not starting automatically
even though they have lxc.start.auto enabled. lxc-ls as the user
confirms autostart is enabled as well.

Is this a bug, is it intended, or am I just missing something really
obvious in my configuration?

Config:
shinji@icarus:~$ cat ~/.local/share/lxc/gateone/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.conf(5)

# Distribution configuration
lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/centos.userns.conf
lxc.arch = x86

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/shinji/.local/share/lxc/gateone/rootfs
lxc.utsname = gateone

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up

# Fixed mac address for static assignment via dnsmasq on host
lxc.network.hwaddr = 62:A9:A7:57:D2:CC

# Autostart baby!
lxc.start.auto = 1

Robert Pendell
shinji at elite-systems.org
A perfect world is one of chaos.
Serge Hallyn
2014-05-06 21:01:34 UTC
Post by Robert Pendell
OS: Ubuntu 14.04 LTS x86_64
Kernel: Host-Supplied 3.14.1
Provider: Linode
Host Virtualization: Xen Paravirtualized
LXC Version: 1.0.3-0ubuntu3
On a fresh boot unprivileged containers are not starting automatically
even though they have lxc.start.auto enabled. lxc-ls as the user
confirms autostart is enabled as well.
Is this a bug or intended or am I just missing something really
obvious in my configuration?
By default only containers in /var/lib/lxc are autostarted. You
could edit /etc/lxc/lxc.conf to change that. If you're OK with
them only starting on login, you might also be able to use a user
upstart session job, but I suspect tying the containers so closely
to your login session won't be what you want.
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Robert Pendell
2014-05-06 21:55:47 UTC
Post by Serge Hallyn
By default only containers in /var/lib/lxc are autostarted. You
could edit /etc/lxc/lxc.conf to change that. If you're OK with
them only starting on login, you might also be able to use a user
upstart session job, but I suspect tying the containers so closely
to your login session won't be what you want.
That would be an accurate assumption. At this point, if I need to, I
can log in and start the container manually. I checked lxc.conf and
I'm not sure how to set it up the way you suggest. This system may
end up being home to multiple containers that are mixed between
locations.

P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
Serge Hallyn
2014-05-06 22:16:59 UTC
Post by Robert Pendell
P.S. - I noticed that lxc-autostart doesn't list unprivileged containers?
It doesn't list containers under your home dir. However, if you create
a root-owned unprivileged container, lxc-autostart will list it:

cat > lxc.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 100000 100000
lxc.id_map = g 0 100000 100000
lxc.aa_profile = lxc-container-default-with-nesting
lxc.start.auto = 1
lxc.mount.auto = cgroup
EOF
sudo lxc-create -t download -n listme1 -f lxc.conf

After this,
sudo lxc-autostart -L
should show
listme1 0

-serge
Robert Pendell
2014-05-08 16:48:19 UTC
Post by Serge Hallyn
It doesn't list containers under your home dir. However, if you create
a root-owned unprivileged container, lxc-autostart will list it:
cat > lxc.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 100000 100000
lxc.id_map = g 0 100000 100000
lxc.aa_profile = lxc-container-default-with-nesting
lxc.start.auto = 1
lxc.mount.auto = cgroup
EOF
sudo lxc-create -t download -n listme1 -f lxc.conf
After this,
sudo lxc-autostart -L
should show
listme1 0
Ok. So I got a chance to give this a shot, but unfortunately I'm being
denied the ability to actually change uid. Do I need to add root
to /etc/subuid and /etc/subgid in order to accomplish this? I left
the AA profile definition out because it won't apply in my case, since
apparmor is disabled at the kernel level.

Error:
newuidmap: uid range [0-65536) -> [100000-165536) not allowed
error mapping child
setgid: Invalid argument
lxc_container: container creation template for gateone failed
lxc_container: Error creating container gateone

I tried to add it manually after the fact and it refuses to boot,
giving the same error as what I got before. Finally I went back and
added root to subuid and subgid, and it seemed to work fine at that point;
however, it still won't start. Here is the result of an info check.
Just so you know, I gave root 65536 ids starting at 800000 for the
unprivileged containers. For some reason, though, it fails with a
permission denied error for /var/lib/lxc. It is obviously just a
permission error, but I don't know if it would be safe to add x for
others.

root@icarus:/root# cat info.log
lxc-start 1399566440.761 INFO lxc_start_ui - using rcfile
/var/lib/lxc/test/config
lxc-start 1399566440.761 INFO lxc_confile - read uid map:
type u nsid 0 hostid 800000 range 65536
lxc-start 1399566440.761 INFO lxc_confile - read uid map:
type g nsid 0 hostid 800000 range 65536
lxc-start 1399566440.761 WARN lxc_log - lxc_log_init called
with log already initialized
lxc-start 1399566440.772 INFO lxc_lsm - LSM security driver nop
lxc-start 1399566440.774 INFO lxc_conf - tty's configured
lxc-start 1399566440.774 INFO lxc_start - 'test' is initialized
lxc-start 1399566440.780 INFO lxc_monitor - using monitor
sock name lxc/ad055575fe28ddd5//var/lib/lxc
lxc-start 1399566440.792 INFO lxc_start - Cloning a new user namespace
lxc-start 1399566440.798 INFO lxc_cgroup - cgroup driver
cgmanager initing for test
lxc-start 1399566440.994 NOTICE lxc_start - switching to
gid/uid 0 in new user namespace
lxc-start 1399566440.994 ERROR lxc_start - Permission denied
- could not access /var/lib/lxc. Please grant it 'x' access, or add
an ACL for the container root.
lxc-start 1399566440.995 ERROR lxc_sync - invalid sequence
number 1. expected 2
lxc-start 1399566440.995 WARN lxc_conf - failed to remove
interface '(null)'
lxc-start 1399566441.039 ERROR lxc_start - failed to spawn 'test'
lxc-start 1399566441.039 ERROR lxc_commands - command
get_cgroup failed to receive response

root@icarus:~# ls -ld /var/lib/lxc
drwx------ 4 root root 4096 May 8 16:24 /var/lib/lxc

Config:
# Distribution configuration
lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/centos.userns.conf
lxc.arch = x86

# Container specific configuration
lxc.mount.auto = cgroup:mixed
lxc.id_map = u 0 800000 65536
lxc.id_map = g 0 800000 65536
lxc.rootfs = /var/lib/lxc/test/rootfs
lxc.utsname = test

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
Robert Pendell
2014-05-08 17:27:45 UTC
On Thu, May 8, 2014 at 12:48 PM, Robert Pendell
Post by Robert Pendell
Just so you know, I gave root 65536 ids starting at 800000 for the
unprivileged containers. For some reason, though, it fails with a
permission denied error for /var/lib/lxc. It is obviously just a
permission error, but I don't know if it would be safe to add x for
others.
Right after posting I thought I'd give it a shot, so I added 'x' for
others so that it shows as rwx for root and just x for others, and that
worked beautifully, allowing the containers to boot. Checking with ps
axfO euser on the host confirms that processes within the container
are running "unprivileged".

However, if there are any concerns that I should be aware of then
please tell me so that I might be able to try to address them in the
future. I have my own devils to contend with, since I lack apparmor
support, but I think it should be safe "enough" for my purposes if I
keep public services running in unprivileged containers.
Serge Hallyn
2014-05-09 03:35:04 UTC
Post by Robert Pendell
Right after posting I thought I'd give it a shot, so I added 'x' for
others so that it shows as rwx for root and just x for others, and that
FWIW, the reason you had to do that is that /var/lib/lxc could have
vulnerable setuid-root binaries from a non-updated container, so
/var/lib/lxc is now not accessible by default to non-root users. It
may be worth adding an lxc group and making /var/lib/lxc g+w. Then the
upstart jobs could run as user jdoe and group lxc and still access
the container rootfs as they should.
Robert Pendell
2014-05-09 04:30:58 UTC
Post by Serge Hallyn
FWIW, the reason you had to do that is that /var/lib/lxc could have
vulnerable setuid-root binaries from a non-updated container, so
/var/lib/lxc is now not accessible by default to non-root users. It
may be worth adding an lxc group and making /var/lib/lxc g+w. Then the
upstart jobs could run as user jdoe and group lxc and still access
the container rootfs as they should.
I just realized one other side effect of this. With o+x present,
I can traverse the entire tree down as non-root if I know the running
folder of the lxc container. Without it I can't get into any folder
at all.

Any idea on how one might accomplish what you suggest?
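Two host-side checks that follow from this exchange, written as an added example rather than code from the thread or from LXC: can_traverse evaluates who gets search access to /var/lib/lxc (the mode from ls -ld, an ACL for the container's mapped root uid, or an lxc group), and unshifted_processes confirms from a ps axfO euser listing that everything under the container's lxc-start really runs as shifted uids. The lxc.id_map lines are the posted ones; the directory modes, ACL entries, the gid 2000 used for the lxc group and the ps listing are constructed sample data.

```python
import re

# lxc.id_map lines as posted for the root-owned unprivileged container "test".
CONTAINER_CONFIG = """\
lxc.id_map = u 0 800000 65536
lxc.id_map = g 0 800000 65536
lxc.rootfs = /var/lib/lxc/test/rootfs
"""

def parse_id_map(config_text):
    """Return {'u': [(nsid, hostid, count), ...], 'g': [...]} from lxc.id_map lines."""
    maps = {"u": [], "g": []}
    for line in config_text.splitlines():
        m = re.match(r"\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)", line)
        if m:
            maps[m.group(1)].append(tuple(int(x) for x in m.groups()[1:]))
    return maps

def host_id(ranges, ns_id):
    """Translate an id seen inside the container to the host id behind it."""
    for nsid, hostid, count in ranges:
        if nsid <= ns_id < nsid + count:
            return hostid + (ns_id - nsid)
    raise ValueError(f"id {ns_id} is not mapped into the container")

def can_traverse(mode, owner_uid, owner_gid, uid, groups=(), acl=()):
    """POSIX search ('x') check on a directory for `uid` with supplementary
    `groups`. `mode` is the ls -ld string (e.g. 'drwx------'); `acl` holds numeric
    getfacl-style entries such as 'user:800000:--x' (mask assumed to allow x)."""
    if uid == 0:
        return True                      # host root (CAP_DAC_OVERRIDE) passes
    if uid == owner_uid:
        return mode[3] == "x"            # owner class decides, even if denied
    named = {}
    for entry in acl:
        kind, who, perms = entry.split(":")
        if who:                          # skip user::, group::, mask::, other::
            named.setdefault(kind, {})[int(who)] = "x" in perms
    if uid in named.get("user", {}):
        return named["user"][uid]
    in_group = owner_gid in groups
    group_hits = [named["group"][g] for g in groups if g in named.get("group", {})]
    if in_group or group_hits:           # group class: any matching entry that grants
        return (in_group and mode[6] == "x") or any(group_hits)
    return mode[9] == "x"

def lxcpath_access_report(idmap, mode, owner_uid=0, owner_gid=0, acl=()):
    """Can the container's root traverse /var/lib/lxc, and can everybody else?"""
    ctr_root = host_id(idmap["u"], 0)
    check = lambda who: can_traverse(mode, owner_uid, owner_gid, who, acl=acl)
    return {
        "container_root_uid": ctr_root,
        "container_can_start": check(ctr_root),
        "world_traversable": check(1000),   # an unrelated login account
        "least_privilege_fix": f"setfacl -m u:{ctr_root}:x /var/lib/lxc",
    }

# Constructed `ps axfO euser` listing for the running container (euser shows
# numeric ids because the shifted uids have no passwd entry on the host).
PS_OUTPUT = """\
  PID EUSER    S TTY          TIME COMMAND
 2310 root     S ?        00:00:00 lxc-start -n test -d
 2325 800000   S ?        00:00:00  \\_ /sbin/init
 2410 800000   S ?        00:00:00      \\_ /sbin/rsyslogd -n
 2433 800081   S ?        00:00:00      \\_ /usr/sbin/httpd -DFOREGROUND
 2500 shinji   S pts/0    00:00:00 -bash
"""

PS_ROW = re.compile(r"\s*(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s(.*)$")

def unshifted_processes(ps_output, idmap, name):
    """Walk the forest below `lxc-start -n <name>` and return (pid, euser) for
    every process whose effective uid is outside the container's host range.
    An empty list means the container really is running unprivileged."""
    ranges, offenders, depth0 = idmap["u"], [], None
    for line in ps_output.splitlines()[1:]:
        m = PS_ROW.match(line)
        if not m:
            continue
        pid, euser, cmd = int(m.group(1)), m.group(2), m.group(3)
        depth = len(cmd) - len(cmd.lstrip())   # forest indentation
        if depth0 is None:
            if cmd.startswith(f"lxc-start -n {name}"):
                depth0 = depth               # the monitor itself runs as root
            continue
        if depth <= depth0:
            break                            # left the container's subtree
        shifted = euser.isdigit() and any(h <= int(euser) < h + c for _, h, c in ranges)
        if not shifted:
            offenders.append((pid, euser))
    return offenders
```

The report for the posted drwx------ mode reproduces the "could not access /var/lib/lxc" failure, o+x fixes it at the cost of making the path traversable by every account, and the ACL for uid 800000 fixes it for that container alone.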
Serge Hallyn
2014-05-09 13:16:28 UTC
Post by Robert Pendell
Any idea on how one might accomplish what you suggest?
Currently the permissions are set in debian/rules in the
override_dh_builddeb rule.

I suspect we'd have to add the lxc group in preinst, then chgrp
/var/lib/lxc in postinst (only on new installations).

Serge Hallyn
2014-05-09 03:31:31 UTC
Post by Robert Pendell
Ok. So I got a chance to give this a shot, but unfortunately I'm being
denied the ability to actually change uid. Do I need to add root
to /etc/subuid and /etc/subgid in order to accomplish this? I left
Yup, unfortunately you do. I've previously proposed a patch to shadow
to not require that, but that turned out to be controversial.
Post by Robert Pendell
lxc-start 1399566440.994 ERROR lxc_start - Permission denied
- could not access /var/lib/lxc. Please grant it 'x' access, or add
an ACL for the container root.
Hm. This is unfortunate, but please go ahead and
sudo chmod o+x /var/lib/lxc