
I have successfully been able to run privileged lxc containers (as root). My system:

uname -a
Linux ruby-dev 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

sudo apt-get install cgmanager cgmanager-utils cgroup-bin

The following are available on the system: libcap, libapparmor, libselinux, libseccomp, python3-dev

sudo apt-get install lxc
sudo lxc-create -t download -n semiprivcont1 -- -d ubuntu -r trusty -a amd64
sudo lxc-start -n semiprivcont1 -d

This starts semiprivcont1:

lxc-ls -f
NAME           STATE    IPV4       IPV6  AUTOSTART
--------------------------------------------------
semiprivcont1  RUNNING  10.0.3.99  -     NO

Now I stopped the container using lxc-stop.

Created a user lxchostuser (sudo adduser lxchostuser).

cat /etc/subuid
lxchostuser:165536:65536

cat /etc/subgid
lxchostuser:165536:65536

vi /var/lib/lxc/semiprivcont1/config

Added the following lines:

lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536

Now trying to start semiprivcont1:

sudo lxc-start -n semiprivcont1 -d

lxc-start: lxc_start.c: main: 342 The container failed to start.
lxc-start: lxc_start.c: main: 344 To get more details, run the container in foreground mode.
lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile

sudo lxc-start -n semiprivcont1 -d --logfile semiprivcont1.log --logpriority=DEBUG

lxc-start: lxc_start.c: main: 342 The container failed to start.
lxc-start: lxc_start.c: main: 344 To get more details, run the container in foreground mode. 

As seen in the log semiprivcont1.log, the container is having errors with the id mappings introduced in the config file.

lxc-start 1427506372.212 ERROR    lxc_conf - conf.c:userns_exec_1:4735 - Error setting up child mappings
lxc-start 1427506372.212 ERROR    lxc_cgmanager - cgmanager.c:chown_cgroup:485 - Error requesting cgroup chown in new namespace
lxc-start 1427506372.212 WARN     lxc_cgmanager - cgmanager.c:cgm_chown:1266 - Failed to chown lxc/semiprivcont1 to container root
lxc-start 1427506372.219 DEBUG    lxc_conf - conf.c:lxc_assign_network:3420 - move '(null)' to '17213'
lxc-start 1427506372.242 ERROR    lxc_start - start.c:lxc_spawn:955 - failed to set up id mapping
lxc-start 1427506372.242 WARN     lxc_conf - conf.c:lxc_delete_network:3296 - failed to remove interface '(null)'
lxc-start 1427506372.243 ERROR    lxc_start - start.c:__lxc_start:1080 - failed to spawn 'semiprivcont1'
lxc-start 1427506372.243 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
lxc-start 1427506372.243 WARN     lxc_cgmanager - cgmanager.c:cgm_get:954 - do_cgm_get exited with error
lxc-start 1427506377.250 ERROR    lxc_start_ui - lxc_start.c:main:342 - The container failed to start.
lxc-start 1427506377.250 ERROR    lxc_start_ui - lxc_start.c:main:344 - To get more 

Any pointers/suggestion would be greatly appreciated.

mg03
  • When trying to do the same, I had the log line: `Permission denied - could not access /var/lib/lxc. Please grant it 'x' access, or add an ACL for the container root.`. `chmod +x /var/lib/lxc/` solved it for me. And instead of `lxchostuser:165536:65536` I had `root:165536:65536` in `/etc/subuid` and `/etc/subgid` – Daniel Alder May 25 '15 at 14:10
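An added diagnostic for the mapping shown in the question and in Daniel Alder's comment (this is example code written for this page, not code from the question, the comment, or the LXC project). It parses the `lxc.id_map` lines of a container config together with the `/etc/subuid` and `/etc/subgid` allocations, then reports any host id range that is not allocated to the user expected to own the container's user namespace, a missing `u` or `g` mapping, and a mapping that would place host id 0 (host root) inside the container. All function and variable names are hypothetical, and the sample file contents are constructed from the values on this page.

```python
"""Sanity-check lxc.id_map ranges against /etc/subuid and /etc/subgid.

Added diagnostic example (not from the question or the LXC project). The
kernel only accepts a user-namespace mapping whose host ids are allocated to
the user setting it up, so a range that is missing from subuid/subgid for
that user is a natural first thing to verify when id mapping fails.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IdRange:
    start: int
    count: int

    @property
    def end(self) -> int:
        """Exclusive upper bound of the range."""
        return self.start + self.count

    def covers(self, other: "IdRange") -> bool:
        return self.start <= other.start and other.end <= self.end


def parse_subid(text: str) -> Dict[str, List[IdRange]]:
    """Parse subuid/subgid content: one 'name:start:count' entry per line."""
    alloc: Dict[str, List[IdRange]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        alloc.setdefault(name, []).append(IdRange(int(start), int(count)))
    return alloc


def parse_id_map(config_text: str) -> List[Tuple[str, int, IdRange]]:
    """Parse 'lxc.id_map = <u|g> <container_start> <host_start> <count>' lines.

    Returns (kind, container_start, host_range) for each mapping line.
    """
    maps: List[Tuple[str, int, IdRange]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("lxc.id_map"):
            continue
        _, _, value = line.partition("=")
        kind, cstart, hstart, count = value.split()
        maps.append((kind, int(cstart), IdRange(int(hstart), int(count))))
    return maps


def check_mapping(user: str, subuid: str, subgid: str, config: str) -> List[str]:
    """Return human-readable problems; an empty list means the mapping is consistent."""
    alloc = {"u": parse_subid(subuid).get(user, []),
             "g": parse_subid(subgid).get(user, [])}
    filename = {"u": "/etc/subuid", "g": "/etc/subgid"}
    problems: List[str] = []
    maps = parse_id_map(config)
    for kind in ("u", "g"):
        if not any(k == kind for k, _, _ in maps):
            problems.append(f"no lxc.id_map line for '{kind}': that id type has no mapping")
    for kind, cstart, host in maps:
        if host.covers(IdRange(0, 1)):
            # Mapping host id 0 makes container root equal to host root: no isolation.
            problems.append(f"{kind}: host id 0 is inside the mapped range")
        if not any(a.covers(host) for a in alloc[kind]):
            problems.append(
                f"{kind}: host ids {host.start}-{host.end - 1} (container ids from {cstart}) "
                f"are not allocated to '{user}' in {filename[kind]}")
    return problems


# Constructed sample input, using the values shown in the question.
SUBUID_SAMPLE = "lxchostuser:165536:65536\n"
SUBGID_SAMPLE = "lxchostuser:165536:65536\n"
CONFIG_SAMPLE = (
    "lxc.id_map = u 0 165536 65536\n"
    "lxc.id_map = g 0 165536 65536\n"
)

if __name__ == "__main__":
    # Running as lxchostuser the ranges check out; running as root they do not,
    # because /etc/subuid and /etc/subgid allocate nothing to root.
    for who in ("lxchostuser", "root"):
        print(who, check_mapping(who, SUBUID_SAMPLE, SUBGID_SAMPLE, CONFIG_SAMPLE) or "OK")
```

To run it against a real host, read `/etc/subuid`, `/etc/subgid` and the container's config file into the three text arguments and pass the name of the user that will actually perform the `lxc-start`. Checking with `root` as the user reproduces the mismatch the comment describes: the container is started with `sudo`, so the namespace is set up by root, while the only allocations on the page belong to `lxchostuser`.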

0 Answers