
LXC documentation says:

Just before you create your first container, you probably should logout and login again, or even reboot your machine to make sure that your user is placed in the right cgroups.

Can somebody explain why this is required to run something like:

lxc-usernsexec -m b:0:100000:1 -- bash

I have proper mappings in /etc/subgid and /etc/subuid. But this command simply says "permission denied" before I reboot. What does "right cgroups" stand for?

EDIT

Before installing LXC:

jml@somehost:~$ cat /proc/self/cgroup 
2:name=systemd:/user/1002.user/123.session

After installing LXC and rebooting:

jml@somehost:~$ cat /proc/self/cgroup 
11:hugetlb:/user/1002.user/5.session
10:perf_event:/user/1002.user/5.session
9:blkio:/user/1002.user/5.session
8:freezer:/user/1002.user/5.session
7:devices:/user/1002.user/5.session
6:memory:/user/1002.user/5.session
5:cpuacct:/user/1002.user/5.session
4:cpu:/user/1002.user/5.session
3:cpuset:/user/1002.user/5.session
2:name=systemd:/user/1002.user/5.session

Note that there is no difference in the groups I belong to. The only change I noticed is those cgroups. Now, does having those cgroups impact the ability to map a user in the namespace?

Jacek L.
  • If you run a daemon, it needs a restart. See https://discuss.linuxcontainers.org/t/is-it-necessary-to-reload-subuid-subgid/12676 – akostadinov Feb 27 '23 at 15:15
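A preflight check that makes the two pieces of the question concrete, added here as an illustration (it is not code from the question or the answer). It reads a /proc/self/cgroup-style listing and reports which cgroup v1 controllers the current session has a cgroup in, which is the difference between the "before" and "after" listings above, and it checks whether an lxc-usernsexec mapping such as b:0:100000:1 actually falls inside the range that a subuid/subgid-format file delegates to the user. The controller list, the temporary file names and the jml:100000:65536 subuid line are assumptions and constructed data; the two cgroup listings are copied from the question.

```shell
#!/bin/sh
# Preflight check for an unprivileged LXC user (added example, not from the post).
# 1. Does this shell sit in a session cgroup for each wanted cgroup v1 controller?
# 2. Does the subuid file delegate the host IDs that the -m mapping asks for?
# The controller list, file names and subuid entry below are assumptions.

# Controllers an unprivileged container is expected to need (assumption).
WANT_CONTROLLERS="cpu cpuacct memory devices freezer blkio cpuset"

# Print one controller name per line from a /proc/self/cgroup-style file.
# Each line is hierarchy-id:controllers:path; "controllers" may be a
# comma-separated list, "name=systemd" for a named hierarchy, or empty (v2).
cgroup_controllers() {
    cut -d: -f2 "$1" | tr ',' '\n' | sed '/^$/d'
}

# Return 0 if every wanted controller appears in the file; otherwise print
# the missing ones and return 1.
cgroup_check() {
    have=$(cgroup_controllers "$1")
    missing=""
    for c in $WANT_CONTROLLERS; do
        echo "$have" | grep -qx "$c" || missing="$missing $c"
    done
    [ -z "$missing" ] && return 0
    echo "missing controllers:$missing"
    return 1
}

# Print "start count" for a user's line in a subuid/subgid-format file
# (user:start:count). Return 1 if the user has no entry.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }' "$2"
}

# Check that a mapping "b:nsid:hostid:count" (lxc-usernsexec -m syntax)
# lies inside the user's delegated range [start, start + count).
mapping_allowed() {
    hostid=$(echo "$1" | cut -d: -f3)
    n=$(echo "$1" | cut -d: -f4)
    range=$(subid_range "$2" "$3") || return 1
    start=${range% *}
    size=${range#* }
    [ "$hostid" -ge "$start" ] && [ $((hostid + n)) -le $((start + size)) ]
}

# Constructed inputs: the two /proc/self/cgroup listings from the question
# and a made-up subuid line for user jml.
TMP=$(mktemp -d)
CG_BEFORE=$TMP/cgroup.before
CG_AFTER=$TMP/cgroup.after
SUBUID=$TMP/subuid
printf '2:name=systemd:/user/1002.user/123.session\n' > "$CG_BEFORE"
printf '%s\n' \
    '11:hugetlb:/user/1002.user/5.session' \
    '10:perf_event:/user/1002.user/5.session' \
    '9:blkio:/user/1002.user/5.session' \
    '8:freezer:/user/1002.user/5.session' \
    '7:devices:/user/1002.user/5.session' \
    '6:memory:/user/1002.user/5.session' \
    '5:cpuacct:/user/1002.user/5.session' \
    '4:cpu:/user/1002.user/5.session' \
    '3:cpuset:/user/1002.user/5.session' \
    '2:name=systemd:/user/1002.user/5.session' > "$CG_AFTER"
printf 'jml:100000:65536\n' > "$SUBUID"

echo "before reboot:"
cgroup_check "$CG_BEFORE" || true
echo "after reboot:"
cgroup_check "$CG_AFTER" && echo "all wanted controllers present"
mapping_allowed b:0:100000:1 jml "$SUBUID" && echo "b:0:100000:1 is inside jml's subuid range"
```

Run against the real files by passing /proc/self/cgroup and /etc/subuid (or /etc/subgid) instead of the constructed ones; the "before" listing fails the controller check with every controller missing, which is the state the question describes, while the mapping check passes or fails purely on the delegated range and is independent of the reboot.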

1 Answer


Group IDs (GIDs) are inherited from the parent process. When you log in you get a terminal, launched with a set of GIDs, and each process you launch gets the same GIDs. For security reasons you can't change the GIDs yourself, and any changes don't take effect until you log out and log in, so the login process launches your terminal with the new GIDs.

Robo