Status: Debian Jessie support for unprivileged containers?
Christian Benke
2015-10-13 08:32:05 UTC
Hello!

I'm struggling to create an unprivileged Jessie container on a Jessie
host. I came across this chart:
https://www.flockport.com/lxc-and-lxd-support-across-distributions/,
which points out that unprivileged containers are currently not
supported on Debian Jessie.

Can someone tell me if this information is up-to-date? Is my struggle
to get this working futile?

If there is a way (several mailing-list posts suggest so), I'm not
even able to create the container; as an unprivileged user the
template is not available:

~$ lxc-create -n my-container -t debian -- -r jessie
This template can't be used for unprivileged containers.
You may want to try the "download" template instead.
lxc_container: container creation template for my-container failed
lxc_container: Error creating container my-container

##

~$ lxc-create -t download -n my-container -l DEBUG
Setting up the GPG keyring
Downloading the image index
---
DIST RELEASE ARCH VARIANT BUILD
---
[..]
centos 6 i386 default 20151013_02:16
debian wheezy amd64 default 20151012_22:42
debian wheezy armel default 20151012_22:42
debian wheezy armhf default 20151012_22:42
debian wheezy i386 default 20151012_22:42
gentoo current amd64 default 20151012_14:12
[..]
---

Distribution: debian
Release: jessie
Architecture: amd64

Downloading the image index
ERROR: Couldn't find a matching image.
lxc_container: container creation template for my-container failed
lxc_container: Error creating container my-container


Creating a privileged Jessie container is not an issue. Thanks for any hints.

Best regards,
Christian
Fajar A. Nugraha
2015-10-13 09:15:15 UTC
Post by Christian Benke
Hello!
I'm struggling to create an unprivileged Jessie container on a Jessie
https://www.flockport.com/lxc-and-lxd-support-across-distributions/,
which points out that unprivileged containers are currently not
supported on Debian Jessie.
Can someone tell me if this information is up-to-date?
Looking at jessie's systemd version, yes.
Post by Christian Benke
Is my struggle
to get this working futile?
Yes, unless you're willing to compile your own systemd with ubuntu's patches.
Post by Christian Benke
~$ lxc-create -t download -n my-container -l DEBUG
Setting up the GPG keyring
Downloading the image index
---
DIST RELEASE ARCH VARIANT BUILD
---
[..]
centos 6 i386 default 20151013_02:16
debian wheezy amd64 default 20151012_22:42
debian wheezy armel default 20151012_22:42
debian wheezy armhf default 20151012_22:42
debian wheezy i386 default 20151012_22:42
gentoo current amd64 default 20151012_14:12
[..]
---
Distribution: debian
Release: jessie
Architecture: amd64
Downloading the image index
ERROR: Couldn't find a matching image.
lxc_container: container creation template for my-container failed
lxc_container: Error creating container my-container
Creating a privileged Jessie container is not an issue. Thanks for any hints.
There are several parts to this issue.

First, why jessie is not present in the template list. It might be
due to the fact that the default jessie installation will not work as an
unpriv container. Or the devs probably haven't had time to upload the
image yet.

Second, how to get the unpriv systemd container working. You'd need:
- a suitable systemd version on the host, which includes ubuntu's patch
to make pam_systemd create a slice for all cgroups (and not just the
systemd cgroup). I don't think debian has a version for this (as the
patch is not upstream yet), so you might need to port ubuntu wily's
version to debian.
- a suitable systemd version on the guest. I believe systemd-224
works. You could probably backport stretch's version to jessie.

Third, how to convert a privileged container to unprivileged (assuming
you already have the second issue sorted out). One way would be:
- use a suitable container config file (a config file from unpriv
ubuntu wily should do), combined with
- a working privileged container rootfs, but with uid/gid modified
using uidmapshift (search Google or the list archive for this)

So, bottom line: don't bother unless you're willing to run a
"frankenstein", unsupported distro. Either retry with stretch and hope
it works better, or switch to ubuntu.
--
Fajar
Christian Benke
2015-10-13 09:44:13 UTC
Post by Fajar A. Nugraha
So, bottom line: don't bother unless you're willing to run a
"frankenstein", unsupported distro. Either retry with stretch and hope
it works better, or switch to ubuntu.
Thanks a lot for the detailed explanation Fajar! Looks like I'm just
going to run privileged containers and hope for the best. Turns out,
doing the testing on the right distribution too is essential :-) (I
tried LXC on my Ubuntu Trusty workstation and deemed it working, but
the server is running Debian Jessie)

Regards,
Christian
Fajar A. Nugraha
2015-10-13 09:49:20 UTC
Post by Christian Benke
Post by Fajar A. Nugraha
So, bottom line: don't bother unless you're willing to run a
"frankenstein", unsupported distro. Either retry with stretch and hope
it works better, or switch to ubuntu.
Thanks a lot for the detailed explanation Fajar! Looks like I'm just
going to run privileged containers and hope for the best. Turns out,
doing the testing on the right distribution too is essential :-) (I
tried LXC on my Ubuntu Trusty workstation and deemed it working, but
the server is running Debian Jessie)
Yep, trusty is probably the best distro for host lxc right now.
Particularly if you also add ppa:ubuntu-lxc/lxc-stable to get
lxc-1.1.4 and lxcfs.

Privileged containers on jessie should work, although I'd still
recommend using lxc-1.1.x (either compile from source, or port
ubuntu's package recipe) instead of the bundled 1.0.6.
--
Fajar
Xavier Gendre
2015-10-13 10:11:55 UTC
Post by Fajar A. Nugraha
Post by Christian Benke
Post by Fajar A. Nugraha
So, bottom line: don't bother unless you're willing to run a
"frankenstein", unsupported distro. Either retry with stretch and hope
it works better, or switch to ubuntu.
Thanks a lot for the detailed explanation Fajar! Looks like I'm just
going to run privileged containers and hope for the best. Turns out,
doing the testing on the right distribution too is essential :-) (I
tried LXC on my Ubuntu Trusty workstation and deemed it working, but
the server is running Debian Jessie)
Yep, trusty is probably the best distro for host lxc right now.
Particularly if you also add ppa:ubuntu-lxc/lxc-stable to get
lxc-1.1.4 and lxcfs.
Privileged containers on jessie should work, although I'd still
recommend using lxc-1.1.x (either compile from source, or port
ubuntu's package recipe) instead of the bundled 1.0.6.
You can run an unprivileged Jessie container on a Jessie host. The point is
that the container fails to start mainly because of systemd in the
Jessie container.

To tackle that problem, I created a custom image of Jessie without
systemd and it runs perfectly. I give the details to create the image
and the container in my blog (in French, sorry):

https://www.meseira.fr/blog/post/2015/08/02/unprivileged-jessie-container/

It consists of using the tools of lxc-ci and modifying the script
devoted to the Jessie image to replace systemd with sysvinit. Afterwards, you just
have to set your cache directory to provide the custom Jessie image to
lxc-create.

Xavier
Christian Benke
2015-10-14 15:07:07 UTC
Post by Xavier Gendre
You can run an unprivileged Jessie container on a Jessie host. The point is
that the container fails to start mainly because of systemd in the Jessie
container.
To tackle that problem, I created a custom image of Jessie without systemd
and it runs perfectly. I give the details to create the image and the
https://www.meseira.fr/blog/post/2015/08/02/unprivileged-jessie-container/
It consists of using the tools of lxc-ci and modifying the script devoted to
the Jessie image to replace systemd with sysvinit. Afterwards, you just have to set
your cache directory to provide the custom Jessie image to lxc-create.
Xavier, thanks for the link to your blog and your contribution.
Apparently that's the simplest way to get this done. I hope
there's an upgrade path to systemd in the future.

Although setting it up was not as straightforward as your tutorial:

- Package "python3-all-dev" currently has dependency issues
(https://bugs.launchpad.net/ubuntu/+source/python3.4/+bug/1503382,
http://askubuntu.com/a/683604/331398)

I was able to solve this by adding a time.sleep(120) in
lxc-ci/__init__.py before self.update(), attaching to the new
temporary container while the timer was running and downgrading the
python3 packages (see the askubuntu answer)

- cgroups caused some trouble. Setting them with cgmanager/cgm for the
specific user helped (See http://unix.stackexchange.com/a/171478/88252
and http://bit.ly/1jokrFl)
If anyone knows a good way to make this permanent, let me know!

Basically it's:

sudo service cgmanager start
sudo cgm create all $USER
sudo cgm chown all $USER $(id -u) $(id -g)
sudo cgm movepid all $USER $$

- "lxc-attach -n $jessiecontainer" does not set the full
$PATH environment variable, which is quite inconvenient when
unexpected; the following helps:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

- The Jessie template does not include man-db, iputils-ping,
apt-utils, rsyslog. I found it easier to configure the container with
these installed; they could be added to the debian.json file (but they
were probably left out to make the template slimmer)

But it looks like this is otherwise working quite ok, thanks a lot!
Xavier Gendre
2015-10-14 15:46:39 UTC
Post by Christian Benke
- Package "python3-all-dev" currently has dependency issues
(https://bugs.launchpad.net/ubuntu/+source/python3.4/+bug/1503382,
http://askubuntu.com/a/683604/331398)
I was able to solve this by adding a time.sleep(120) in
lxc-ci/__init__.py before self.update(), attaching to the new
temporary container while the timer was running and downgrading the
python3 packages (see the askubuntu answer)
I never encountered this problem. What is the version of Ubuntu that you
are using for building the Jessie image? In my explanations, I use
14.04 LTS and everything works.
Post by Christian Benke
- cgroups caused some trouble. Setting them with cgmanager/cgm for the
specific user helped (See http://unix.stackexchange.com/a/171478/88252
and http://bit.ly/1jokrFl)
If anyone knows a good way to make this permanent, let me know!
sudo service cgmanager start
sudo cgm create all $USER
sudo cgm chown all $USER $(id -u) $(id -g)
sudo cgm movepid all $USER $$
If you have to do such things, I think that you are trying to apply my tutorial
on a Debian host. It will work but, as you noticed, you will have to
tweak cgroups by hand. On my side, I create the Jessie image in a VM with
Ubuntu (because there are no such problems with cgroups) and I use this
image on my Jessie host (where I tweak my cgroups through a custom
systemd service in order to give ownership to the unprivileged users).
Post by Christian Benke
- "lxc-attach -n $jessiecontainer" does not set the full
$PATH environment variable, which is quite inconvenient when
unexpected; the following helps:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
When I attach to my unprivileged Jessie container, PATH is properly set.
I don't remember if I did something specific for that...
Post by Christian Benke
- The Jessie template does not include man-db, iputils-ping,
apt-utils, rsyslog. I found it easier to configure the container with
these installed; they could be added to the debian.json file (but they
were probably left out to make the template slimmer)
You can add them in debian.json, this is your custom Jessie image. For
example, I add rsyslog and vim in such a way. If you want a slim one and
an enhanced one, you are free to create two images. To use them
simultaneously in your cache directory, you can use the "variant" option.
Post by Christian Benke
But it looks like this is otherwise working quite ok, thanks a lot!
Welcome, happy to help ;-)

Xavier
Christian Benke
2015-10-14 17:32:52 UTC
Xavier Gendre
2015-10-14 18:18:16 UTC
Christian Benke
2015-10-14 18:48:42 UTC
Post by Xavier Gendre
Post by Christian Benke
sudo service cgmanager start
sudo cgm create all $USER
sudo cgm chown all $USER $(id -u) $(id -g)
sudo cgm movepid all $USER $$
echo \$\$ >> /sys/fs/cgroup/perf_event/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/blkio/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/net_cls,net_prio/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/freezer/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/devices/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/cpu,cpuacct/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/cpuset/lxc-bobby/tasks; \
Oh, ok, thought it's more fancy :-P Thanks however!

I'll probably adapt that to modify the cgroups with cgmanager, all of
the groups are covered by "cgm <command> all" (See the full
cgm-commands I mentioned above).

Cheers,
Christian
Carlos Alberto Lopez Perez
2016-01-08 19:23:51 UTC
Post by Xavier Gendre
You can run unprivileged Jessie container in a Jessie host. The point is
that the container fails to start mainly because of systemd in the
Jessie container.
To tackle that problem, i create a custom image of Jessie without
systemd and it runs perfectly. I give the details to create the image
https://www.meseira.fr/blog/post/2015/08/02/unprivileged-jessie-container/
It's not that simple.

Once you replace systemd with sysvinit in the container, you get it
booting and starting the services, but you can't log in to it (via the
login prompt) or ssh into it.

You will get the following error:

" Cannot make/remove an entry for the specified session "

This is caused because Debian now requires pam_loginuid for both login
and sshd:

# grep pam_loginuid /etc/pam.d/*
/etc/pam.d/login:session required pam_loginuid.so
/etc/pam.d/sshd:session required pam_loginuid.so

You have to remove that line from both files to be able to log in to the
container via the login prompt or via ssh.

More info:

http://gaijin-nippon.blogspot.com.es/2013/07/audit-on-lxc-host.html
https://www.pld-linux.org/docs/lxc#loginuid
https://github.com/lxc/lxc/issues/661
Xavier Gendre
2016-01-08 20:40:12 UTC
Hello Carlos,
Post by Carlos Alberto Lopez Perez
Once you replace systemd with sysvinit in the container, you get it
booting and starting the services, but you can't log in to it (via the
login prompt) or ssh into it.
I didn't know that, I always use lxc-attach to get a prompt in my
containers and it works like a charm.
Post by Carlos Alberto Lopez Perez
" Cannot make/remove an entry for the specified session "
This is caused because Debian now requires pam_loginuid for both login
and sshd:
# grep pam_loginuid /etc/pam.d/*
/etc/pam.d/login:session required pam_loginuid.so
/etc/pam.d/sshd:session required pam_loginuid.so
You have to remove that line from both files to be able to log in to the
container via the login prompt or via ssh.
Thanks for that point, I will use it one day if I need to properly log in
or ssh into one of my containers.

Xavier
Fajar A. Nugraha
2016-01-09 02:23:24 UTC
Post by Xavier Gendre
Hello Carlos,
Post by Carlos Alberto Lopez Perez
Once you replace systemd with sysvinit in the container, you get it
booting and starting the services, but you can't log in to it (via the
login prompt) or ssh into it.
I didn't know that, I always use lxc-attach to get a prompt in my
containers and it works like a charm.
Post by Carlos Alberto Lopez Perez
" Cannot make/remove an entry for the specified session "
This is caused because Debian now requires pam_loginuid for both login
and sshd:
# grep pam_loginuid /etc/pam.d/*
/etc/pam.d/login:session required pam_loginuid.so
/etc/pam.d/sshd:session required pam_loginuid.so
You have to remove that line from both files to be able to log in to the
container via the login prompt or via ssh.
Thanks for that point, I will use it one day if I need to properly log in
or ssh into one of my containers.
Hmmm ... I wonder why this old thread is suddenly active again.

Anyway, I wrote this several months ago; it should be the easiest way to
get unpriv jessie on jessie: http://debian-lxc.github.io/
The repo has lxc-1.1.5 and cgmanager, ported from ubuntu.

You can choose between a custom cgroup (like what you suggested in an
earlier mail), or have systemd create it automatically with a ported
ubuntu version of systemd (also available in the repo). It also
addresses the ssh login issue (by commenting out the pam_loginuid line above)
and the root-inside-container PATH issue (by using "lxc-attach -n
CONTAINER_NAME -- sudo -i")
--
Fajar
Xavier Gendre
2016-01-09 07:10:04 UTC
Hello Fajar,
Post by Fajar A. Nugraha
Anyway, I wrote this several months ago; it should be the easiest way to
get unpriv jessie on jessie: http://debian-lxc.github.io/
The repo has lxc-1.1.5 and cgmanager, ported from ubuntu.
I just discovered your link and I wonder how I could have missed it! Thanks a
lot, it seems that everything is well explained. I will test your
tutorials soon ;-)

Xavier
Xavier Gendre
2016-01-09 09:58:13 UTC
Post by Fajar A. Nugraha
Anyway, I wrote this several months ago; it should be the easiest way to
get unpriv jessie on jessie: http://debian-lxc.github.io/
The repo has lxc-1.1.5 and cgmanager, ported from ubuntu.
I have followed your tutorials and it works perfectly well, thanks
Fajar! This is definitely cleaner than my way and, now, I have a lot to
do to update my stuff ;-) I will add a link to your tutorials in my blog
post to indicate this better way.

A little question: are the repositories that you use for lxc and systemd
maintained with up-to-date packages? Do you plan to maintain them for some
time, or is it only experimental?

Thanks,
Xavier
Fajar A. Nugraha
2016-01-09 10:59:16 UTC
Post by Xavier Gendre
Post by Fajar A. Nugraha
Anyway, I wrote this several months ago; it should be the easiest way to
get unpriv jessie on jessie: http://debian-lxc.github.io/
The repo has lxc-1.1.5 and cgmanager, ported from ubuntu.
I have followed your tutorials and it works perfectly well, thanks
Fajar! This is definitely cleaner than my way and, now, I have a lot to
do to update my stuff ;-) I will add a link to your tutorials in my blog
post to indicate this better way.
A little question: are the repositories that you use for lxc and systemd
maintained with up-to-date packages? Do you plan to maintain them for some
time, or is it only experimental?
It's maintained in my free time, so expect some delays. Volunteers
welcome. The site, packaging recipe, and binaries are available on
https://github.com/debian-lxc , and sometimes the update effort is as
simple as recompiling sources from the ubuntu ppa, so the effort shouldn't
be too hard.

lxcfs is another story. I held off updating it, as upgrading it (or to
be exact, restarting lxcfs) would cause all running containers to lose
access to lxcfs-provided resources (e.g. some parts of /proc and
/sys), so you need to restart all containers as well. There's a recent
change in packaging to not restart lxcfs when upgrading though
(https://github.com/lxc/lxcfs-pkg-ubuntu/commit/904f24), so I'll
probably update it after the next lxc release.
--
Fajar
Serge Hallyn
2016-01-11 17:45:38 UTC
Post by Fajar A. Nugraha
Post by Xavier Gendre
Post by Fajar A. Nugraha
Anyway, I wrote this several months ago; it should be the easiest way to
get unpriv jessie on jessie: http://debian-lxc.github.io/
The repo has lxc-1.1.5 and cgmanager, ported from ubuntu.
I have followed your tutorials and it works perfectly well, thanks
Fajar! This is definitely cleaner than my way and, now, I have a lot to
do to update my stuff ;-) I will add a link to your tutorials in my blog
post to indicate this better way.
A little question: are the repositories that you use for lxc and systemd
maintained with up-to-date packages? Do you plan to maintain them for some
time, or is it only experimental?
It's maintained in my free time, so expect some delays. Volunteers
welcome. The site, packaging recipe, and binaries are available on
https://github.com/debian-lxc , and sometimes the update effort is as
simple as recompiling sources from the ubuntu ppa, so the effort shouldn't
be too hard.
lxcfs is another story. I held off updating it, as upgrading it (or to
be exact, restarting lxcfs) would cause all running containers to lose
access to lxcfs-provided resources (e.g. some parts of /proc and
/sys), so you need to restart all containers as well. There's a recent
change in packaging to not restart lxcfs when upgrading though
(https://github.com/lxc/lxcfs-pkg-ubuntu/commit/904f24), so I'll
probably update it after the next lxc release.
If someone would like to work on a patch to do upstart-style
serialize-reexec-unserialize that would rock :)

Paul Jones
2015-10-13 12:16:04 UTC
Unprivileged containers are indeed possible on Debian.

You need to set unprivileged_userns_clone

Also, if I recall the download template may only support wheezy.

I'm sorry I'm answering from my phone about to go to work, but if you
search around you should be able to find more about this information.

Paul
Post by Christian Benke
Hello!
I'm struggling to create an unprivileged Jessie container on a Jessie
https://www.flockport.com/lxc-and-lxd-support-across-distributions/,
which points out that unprivileged containers are currently not
supported on Debian Jessie.
Can someone tell me if this information is up-to-date? Is my struggle
to get this working futile?
If there is a way (several mailing-list posts suggest so), I'm not
even able to create the container; as an unprivileged user the
~$ lxc-create -n my-container -t debian -- -r jessie
This template can't be used for unprivileged containers.
You may want to try the "download" template instead.
lxc_container: container creation template for my-container failed
lxc_container: Error creating container my-container
##
~$ lxc-create -t download -n my-container -l DEBUG
Setting up the GPG keyring
Downloading the image index
---
DIST RELEASE ARCH VARIANT BUILD
---
[..]
centos 6 i386 default 20151013_02:16
debian wheezy amd64 default 20151012_22:42
debian wheezy armel default 20151012_22:42
debian wheezy armhf default 20151012_22:42
debian wheezy i386 default 20151012_22:42
gentoo current amd64 default 20151012_14:12
[..]
---
Distribution: debian
Release: jessie
Architecture: amd64
Downloading the image index
ERROR: Couldn't find a matching image.
lxc_container: container creation template for my-container failed
lxc_container: Error creating container my-container
Creating a privileged Jessie container is not an issue. Thanks for any hints.
Best regards,
Christian
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users