Arch Linux: Containers only run when security.privileged=true?


(Patrick Goetz) #1

If I attempt to create and run a container under Arch Linux:

# lxc launch ubuntu14 archon

The container builds but refuses to launch, with these error messages:

lxc arc 20190206200354.953 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "": newuidmap 10475 0 1000000 1000000000
lxc arc 20190206200354.954 ERROR    start - start.c:lxc_spawn:1727 - Failed to set up id mapping.
lxc arc 20190206200354.121 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethEQMOP7" from "lxdbr0"
lxc arc 20190206200354.121 ERROR    start - start.c:__lxc_start:1972 - Failed to spawn container "arc"
lxc arc 20190206200354.124 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:864 - Received container state "ABORTING" instead of "RUNNING"
lxc arc 20190206200354.127 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "": newuidmap 10490 0 1000000 1000000000 1000000000 0 1
lxc arc 20190206200354.127 ERROR    conf - conf.c:userns_exec_1:4422 - Error setting up {g,u}id mappings for child process "10490"
lxc arc 20190206200354.128 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc 20190206200354.129 WARN     commands - commands.c:lxc_cmd_rsp_recv:132 - Connection reset by peer - Failed to receive response for command "get_state"

I understand that the default Arch Linux kernel has User Namespaces enabled only for the root user, but presumably I should still be able to launch containers as root?


(Stéphane Graber) #2

That suggests that your /etc/subuid and /etc/subgid may be misconfigured.
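
A quick way to verify that diagnosis, added here as an example and not part of the thread or of LXD: the failing call in the log (`newuidmap 10475 0 1000000 1000000000`) asks to map container uid 0 onto host ids 1000000..1000999999, so /etc/subuid and /etc/subgid must each contain a `root:` entry covering that range. The script below checks a subuid/subgid-format string for such an entry; the sample contents are constructed, and the 1000000/1000000000 figures are taken from the log above.

```shell
#!/bin/sh
# Check whether subuid/subgid content grants USER the host id range that
# newuidmap/newgidmap will be asked to write. Contents are passed as strings
# so the check runs against constructed samples as well as the real files.

# subid_covers CONTENT USER START COUNT
# Returns 0 if CONTENT ("user:start:count" lines) has an entry for USER whose
# range contains [START, START+COUNT), else 1. Numeric first fields, which
# the format also allows, are deliberately not matched here.
subid_covers() {
    _content=$1; _user=$2; _start=$3; _count=$4
    _want_end=$((_start + _count))
    printf '%s\n' "$_content" | while IFS=: read -r u s c; do
        case "$u" in ''|\#*) continue ;; esac   # skip blank/comment lines
        [ "$u" = "$_user" ] || continue
        [ -n "$c" ] || continue                 # malformed line, ignore
        if [ "$s" -le "$_start" ] && [ $((s + c)) -ge "$_want_end" ]; then
            echo yes
        fi
    done | grep -q yes
}

# Mapping requested in the log: container id 0 -> host 1000000, count 1000000000.
LXD_HOST_START=1000000
LXD_COUNT=1000000000

# check_lxd_root_mapping SUBUID_CONTENT SUBGID_CONTENT
# Reports which file lacks the root range; returns 1 if either does.
check_lxd_root_mapping() {
    _rc=0
    _last=$((LXD_HOST_START + LXD_COUNT - 1))
    subid_covers "$1" root "$LXD_HOST_START" "$LXD_COUNT" ||
        { echo "/etc/subuid: no root entry covering $LXD_HOST_START..$_last"; _rc=1; }
    subid_covers "$2" root "$LXD_HOST_START" "$LXD_COUNT" ||
        { echo "/etc/subgid: no root entry covering $LXD_HOST_START..$_last"; _rc=1; }
    [ "$_rc" -eq 0 ] && echo "root:$LXD_HOST_START:$LXD_COUNT present in both files"
    return "$_rc"
}

# Constructed samples: one host configured as LXD expects, one with a
# range far too small for the requested mapping.
SAMPLE_OK='root:1000000:1000000000
patrick:100000:65536'
SAMPLE_BAD='root:100000:65536'

# Live check against the real files (an absent file reads as empty content):
check_lxd_root_mapping "$(cat /etc/subuid 2>/dev/null)" "$(cat /etc/subgid 2>/dev/null)" || :
```

A missing file produces the same "no root entry" report as a wrong one, which matches the "" in the log's `failed to write mapping ""` message.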


(Patrick Goetz) #3

Thank you. The Arch VM I’m testing lxd in doesn’t currently have a /etc/subuid or /etc/subgid file, so this seems likely. The Arch implementation of lxd comes by way of a user-supported AUR package, and is quite bare bones. I’ve been spinning up an Ubuntu 16.04 VM and mirroring the steps there in order to figure out what is being done for me automagically, but didn’t know to look for these.

I’m in the process of reading through your fantastically well written lxd blog posts (thanks for taking the time to write these) and should probably finish the RTFM process before posting additional questions on this forum.