Cannot create privileged containers with lxc

I believe I’m having a very interesting issue with lxc.

I’m using Arch, specifically if I use uname -a I get

Linux 6.7.1-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 21 Jan 2024 22:14:10 +0000 x86_64 GNU/Linux

I’ve installed the lxc package found here, which gives me the lxc utilities.

When I use

# lxc-create -n demo -t download -- --dist ubuntu --release jammy --arch amd64

I get the following output

Using image from local cache
Unpacking the rootfs

---
You just created an Ubuntu jammy amd64 (20240120_07:42) container.

To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC

which is perfectly fine, but when I check the container with lxc-ls -f I see

NAME       STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED       
demo       STOPPED 0         -      -    -    true              

which should not be happening, if I understand correctly, as I’m using all the above commands with root privileges (using sudo), so the containers that I’m creating should also be privileged containers, right?

I have been using lxc so far without realising that I’ve been creating unprivileged containers.

Now I’m trying to run a kubernetes cluster inside LXC which led me to try to get nested containers working.

I honestly have no clue why I’m not able to create a privileged container.

Here’s the output of lxc-checkconfig

LXC version 5.0.3

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Warning: newuidmap is not setuid-root
Warning: newgidmap is not setuid-root
Network namespace: enabled

--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled
Cgroup v1 mount points: 
Cgroup v2 mount points: 
 - /sys/fs/cgroup
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Here’s my /etc/lxc/default.conf, /etc/subuid and /etc/subgid

/etc/lxc/default.conf

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

/etc/subuid , /etc/subgid

root:100000:65536

I have no clue why this might be happening and would love to hear your take on it

I mainly followed the Arch wiki’s LXC article to set up.

Thank you in advance for your help
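
A container whose configuration carries lxc.idmap entries runs inside a user namespace with that ID mapping, which is what makes it unprivileged, and lxc-create seeds each new container's config from /etc/lxc/default.conf. The script below is an added example, not part of the original post: it reports which mode a given config file selects. The function names are hypothetical, the sample files are constructed from the default.conf quoted above, and lxc.include directives are not followed.

```shell
#!/bin/sh
# Added example: decide whether an LXC config selects a privileged or an
# unprivileged container by looking at its effective lxc.idmap entries.

# Print the lxc.idmap values still in effect after reading config file $1.
# Commented-out lines are ignored; an empty "lxc.idmap =" clears every
# mapping set earlier in the file. lxc.include is NOT followed (assumption).
active_idmaps() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*lxc\.idmap[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)       # keep the text after "="
            sub(/[ \t]+$/, "", val)
            if (val == "") n = 0                # empty value resets the list
            else maps[++n] = val
        }
        END { for (i = 1; i <= n; i++) print maps[i] }
    ' "$1"
}

# Echo "unprivileged" if any ID mapping is in effect, otherwise "privileged".
container_mode() {
    if [ -n "$(active_idmaps "$1")" ]; then
        echo unprivileged
    else
        echo privileged
    fi
}

# Demo on constructed files modelled on the default.conf shown in the post.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/default.conf" <<'EOF'
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
EOF
    # Same file with the mapping lines removed.
    grep -v '^lxc\.idmap' "$tmp/default.conf" > "$tmp/no-idmap.conf"
    echo "default.conf:  $(container_mode "$tmp/default.conf")"
    echo "no-idmap.conf: $(container_mode "$tmp/no-idmap.conf")"
    rm -rf "$tmp"
}
demo
```

To inspect an existing container, point container_mode at its config file under the LXC path reported by `lxc-config lxc.lxcpath`.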