Cannot start unprivileged container as root

Hello,

OS: Debian 10

I created an unprivileged container following these instructions and a bit of googling:

This container only starts when either no UID mapping is done (all the UIDs leak to the host and you get weird things like files being owned by the GPU) or {G,U}ID 0 in the container is mapped to root outside, everything else mapped to a root sub{g,u}id.

I would like this container to mount two directories (to which lxc-jail has RWX permissions through a group, that’s why root in the container is being mapped to the user that can RW to the folder) and to be able to write on those (I still need to map probably user/group 1000 to 1002 and 1003, but the container doesn’t even start so I haven’t gone that far).

Some relevant information (deluge is the problematic container):

Checking it is actually an unprivileged container:

root@lilchewchew2-0:/var/lib/lxc/deluge# lxc-ls -f
NAME    STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED 
deluge  STOPPED 0         -      -    -    true         
jackett STOPPED 0         -      -    -    false

Full configuration:

root@lilchewchew2-0:/var/lib/lxc/deluge# lxc-checkconfig 
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.19.0-17-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points: 
/sys/fs/cgroup/systemd
/sys/fs/cgroup/blkio
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/memory
/sys/fs/cgroup/freezer
/sys/fs/cgroup/rdma
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/devices
/sys/fs/cgroup/pids
/sys/fs/cgroup/perf_event

Cgroup v2 mount points: 
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: 

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Default config file:

root@lilchewchew2-0:/var/lib/lxc/deluge# cat /etc/lxc/default.conf 
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up

lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

Container config file:

root@lilchewchew2-0:/var/lib/lxc/deluge# cat config 
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: -r buster
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

lxc.net.0.type = veth
lxc.net.0.hwaddr = 00:16:3e:5d:0a:87
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/deluge/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.tty.max = 4
lxc.uts.name = deluge
lxc.arch = amd64
lxc.pty.max = 1024

# Manual config

# Mounts
lxc.mount.entry = /vault-712 vault-712 none bind 0 0
lxc.mount.entry = /gringotts/dl gringotts/dl none bind 0 0

# UID /GID mapping

# root -> lxc-jail
lxc.idmap = u 0 1002 1
lxc.idmap = g 0 1003 1
# others -> sub lxc-jail
lxc.idmap = u 1 231072 65535
lxc.idmap = g 1 231072 65535

Sub{g,u}ids:

root@lilchewchew2-0:/var/lib/lxc/deluge# cat /etc/sub*id
root:100000:65536
frodo:165536:65536
lxc-jail:231072:65536
root:100000:65536
frodo:165536:65536
lxc-jail:231072:65536

User with access to the folder to be mounted:

root@lilchewchew2-0:/var/lib/lxc/deluge# grep lxc /etc/passwd
lxc-jail:x:1002:1003:,,,:/home/lxc-jail:/bin/bash

Permissions on rootfs:

root@lilchewchew2-0:/var/lib/lxc/deluge# ls -lt
total 52
-rw-r-----  1 root root  1141 Jul 30 17:56 config
-rw-r-----  1 root root 44482 Jul 30 17:51 deluge.log
drwxr-xr-x 20 root root  4096 Jul 20 19:17 rootfs

Full log created when running lxc-start:

root@lilchewchew2-0:/var/lib/lxc/deluge# nvim config 
root@lilchewchew2-0:/var/lib/lxc/deluge# rm deluge.log 
root@lilchewchew2-0:/var/lib/lxc/deluge# lxc-start deluge --logfile deluge.log --logpriority debug
lxc-start: deluge: lxccontainer.c: wait_on_daemonized_start: 842 Received container state "ABORTING" instead of "RUNNING"
lxc-start: deluge: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: deluge: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
lxc-start: deluge: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
root@lilchewchew2-0:/var/lib/lxc/deluge# cat deluge.log 
lxc-start deluge 20210730230157.283 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 1002 range 1
lxc-start deluge 20210730230157.283 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 1003 range 1
lxc-start deluge 20210730230157.283 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 1 hostid 231072 range 65535
lxc-start deluge 20210730230157.283 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 1 hostid 231072 range 65535
lxc-start deluge 20210730230157.285 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:961 - Set process title to [lxc monitor] /var/lib/lxc deluge
lxc-start deluge 20210730230157.288 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
lxc-start deluge 20210730230157.289 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start deluge 20210730230157.289 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210730230157.289 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start deluge 20210730230157.289 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210730230157.289 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]"
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
lxc-start deluge 20210730230157.290 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start deluge 20210730230157.291 INFO     seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context
lxc-start deluge 20210730230157.294 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:707 - No such device - The process does not have a controlling terminal
lxc-start deluge 20210730230157.754 INFO     start - start.c:lxc_init:904 - Container "deluge" is initialized
lxc-start deluge 20210730230157.755 DEBUG    storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir"
lxc-start deluge 20210730230157.765 INFO     network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from br0
lxc-start deluge 20210730230157.766 INFO     network - network.c:instantiate_veth:175 - Attached "vethDX0LVP" to bridge "br0"
lxc-start deluge 20210730230157.766 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "vethDX0LVP/veth3R6A0Q", index is "18"
lxc-start deluge 20210730230157.766 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210730230157.766 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210730230157.766 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210730230157.766 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210730230157.766 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210730230157.766 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210730230157.767 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210730230157.768 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:620 - "cgroup.clone_children" was already set to "1"
lxc-start deluge 20210730230157.771 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUSER
lxc-start deluge 20210730230157.771 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWNS
lxc-start deluge 20210730230157.771 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWPID
lxc-start deluge 20210730230157.771 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUTS
lxc-start deluge 20210730230157.771 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWIPC
lxc-start deluge 20210730230157.771 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14
lxc-start deluge 20210730230157.771 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15
lxc-start deluge 20210730230157.771 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16
lxc-start deluge 20210730230157.771 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17
lxc-start deluge 20210730230157.771 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18
lxc-start deluge 20210730230157.771 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start deluge 20210730230157.771 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start deluge 20210730230157.771 DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start deluge 20210730230157.788 ERROR    conf - conf.c:lxc_map_ids:3023 - newuidmap failed to write mapping "newuidmap: uid range [0-1) -> [1002-1003) not allowed": newuidmap 19875 0 1002 1 1 231072 65535
lxc-start deluge 20210730230157.789 ERROR    start - start.c:lxc_spawn:1720 - Failed to set up id mapping.
lxc-start deluge 20210730230157.122 INFO     network - network.c:lxc_delete_network_priv:2594 - Removed interface "(null)" with index 18
lxc-start deluge 20210730230157.124 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethDX0LVP" from "br0"
lxc-start deluge 20210730230157.124 DEBUG    network - network.c:lxc_delete_network:3180 - Deleted network devices
lxc-start deluge 20210730230157.124 DEBUG    lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 19868 exited
lxc-start deluge 20210730230157.124 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:842 - Received container state "ABORTING" instead of "RUNNING"
lxc-start deluge 20210730230157.124 ERROR    lxc_start - tools/lxc_start.c:main:330 - The container failed to start
lxc-start deluge 20210730230157.124 ERROR    lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode
lxc-start deluge 20210730230157.124 ERROR    lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start deluge 20210730230157.124 ERROR    start - start.c:__lxc_start:1951 - Failed to spawn container "deluge"
lxc-start deluge 20210730230157.170 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start deluge 20210730230157.170 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start deluge 20210730230157.170 DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start deluge 20210730230157.172 ERROR    conf - conf.c:lxc_map_ids:3023 - newuidmap failed to write mapping "newuidmap: uid range [0-1) -> [1002-1003) not allowed": newuidmap 19902 0 1002 1 65536 0 1
lxc-start deluge 20210730230157.172 ERROR    conf - conf.c:userns_exec_1:4391 - Error setting up {g,u}id mappings for child process "19902"
lxc-start deluge 20210730230157.172 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc-start deluge 20210730230157.172 INFO     conf - conf.c:run_script_argv:356 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "deluge", config section "lxc"

Any help will be greatly appreciated!

Thanks!

Can you try with:
lxc.idmap = u 0 231072 1002
lxc.idmap = g 0 231072 1003
lxc.idmap = u 1002 1002 1
lxc.idmap = g 1003 1003 1
lxc.idmap = u 1004 232075 64533
lxc.idmap = g 1005 232076 64532
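
An added example, not part of any post in this thread: a simplified Python model of the range check behind the "not allowed" line in the log above, run on the `/etc/subuid` content and the two sets of `lxc.idmap` lines posted so far. It assumes `newuidmap`/`newgidmap` accept a host range only if it is delegated to the calling user in `/etc/subuid` or `/etc/subgid`, or is the caller's own ID with a count of 1; the extra `root:` entries in `EXTENDED_SUBUID` and `EXTENDED_SUBGID` are hypothetical and do not come from the thread.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# /etc/subuid as shown in the original post (/etc/subgid has the same content there).
POSTED_SUBID = """\
root:100000:65536
frodo:165536:65536
lxc-jail:231072:65536
"""

# Hypothetical files: root is additionally delegated the IDs the configs ask for.
EXTENDED_SUBUID = POSTED_SUBID + "root:1002:1\nroot:231072:65536\n"
EXTENDED_SUBGID = POSTED_SUBID + "root:1003:1\nroot:231072:65536\n"

# lxc.idmap lines from the original post.
POSTED_CONFIG = """\
lxc.idmap = u 0 1002 1
lxc.idmap = g 0 1003 1
lxc.idmap = u 1 231072 65535
lxc.idmap = g 1 231072 65535
"""

# lxc.idmap lines suggested in the reply.
REPLY_CONFIG = """\
lxc.idmap = u 0 231072 1002
lxc.idmap = g 0 231072 1003
lxc.idmap = u 1002 1002 1
lxc.idmap = g 1003 1003 1
lxc.idmap = u 1004 232075 64533
lxc.idmap = g 1005 232076 64532
"""


class IdMap(NamedTuple):
    kind: str    # "u" or "g"
    nsid: int    # first ID inside the container
    hostid: int  # first ID on the host
    count: int   # length of the range


IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_idmaps(text: str) -> List[IdMap]:
    """Return the lxc.idmap entries in file order; other lines are ignored."""
    found = (IDMAP_RE.match(line) for line in text.splitlines())
    return [IdMap(m[1], int(m[2]), int(m[3]), int(m[4])) for m in found if m]


def parse_subid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse name:start:count lines into {name: [(start, count), ...]}."""
    table: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and not parts[0].startswith("#"):
            table.setdefault(parts[0], []).append((int(parts[1]), int(parts[2])))
    return table


def covered(start: int, count: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if [start, start+count) lies inside the union of the given ranges."""
    if count <= 0:
        return False
    pos, end = start, start + count
    for lo, n in sorted(ranges):
        if lo > pos:          # gap before the next delegated range
            break
        pos = max(pos, lo + n)
        if pos >= end:
            return True
    return False


def rejected(config: str, caller: str, uid: int, gid: int,
             subuid_text: str, subgid_text: str) -> List[str]:
    """Messages, in the log's wording, for mappings the caller may not set up."""
    subuid, subgid = parse_subid(subuid_text), parse_subid(subgid_text)
    out = []
    for m in parse_idmaps(config):
        table, own, word = (subuid, uid, "uid") if m.kind == "u" else (subgid, gid, "gid")
        allowed = covered(m.hostid, m.count, table.get(caller, []))
        # Assumed exception: the caller's own ID may be mapped as a range of one.
        allowed = allowed or (m.count == 1 and m.hostid == own)
        if not allowed:
            out.append(f"{word} range [{m.nsid}-{m.nsid + m.count}) -> "
                       f"[{m.hostid}-{m.hostid + m.count}) not allowed")
    return out


if __name__ == "__main__":
    for label, cfg in (("original post", POSTED_CONFIG), ("reply", REPLY_CONFIG)):
        print(f"== {label}, started by root ==")
        for msg in rejected(cfg, "root", 0, 0, POSTED_SUBID, POSTED_SUBID):
            print("  " + msg)
```

In this model both configurations are rejected when `root` is the caller and both pass for `lxc-jail`, because every host range they name belongs to `lxc-jail`. Each ID delegated to the caller is a host identity the container can act as on the bind-mounted paths.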

Hello,

Using the configuration you provided still gives the same error:

root@lilchewchew2-0:/var/lib/lxc/deluge# lxc-start deluge --logfile deluge.log --logpriority debug
lxc-start: deluge: lxccontainer.c: wait_on_daemonized_start: 842 Received container state "ABORTING" instead of "RUNNING"
lxc-start: deluge: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: deluge: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
lxc-start: deluge: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
root@lilchewchew2-0:/var/lib/lxc/deluge# cat deluge.log 
lxc-start deluge 20210823185246.262 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 231072 range 1002
lxc-start deluge 20210823185246.262 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 231072 range 1003
lxc-start deluge 20210823185246.262 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 1002 hostid 1002 range 1
lxc-start deluge 20210823185246.263 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 1003 hostid 1003 range 1
lxc-start deluge 20210823185246.263 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 1005 hostid 232076 range 64532
lxc-start deluge 20210823185246.265 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:961 - Set process title to [lxc monitor] /var/lib/lxc deluge
lxc-start deluge 20210823185246.269 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
lxc-start deluge 20210823185246.270 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start deluge 20210823185246.270 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210823185246.270 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start deluge 20210823185246.270 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210823185246.270 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start deluge 20210823185246.270 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210823185246.270 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start deluge 20210823185246.270 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]"
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start deluge 20210823185246.271 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start deluge 20210823185246.272 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start deluge 20210823185246.272 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
lxc-start deluge 20210823185246.272 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start deluge 20210823185246.272 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start deluge 20210823185246.272 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start deluge 20210823185246.272 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start deluge 20210823185246.272 INFO     seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context
lxc-start deluge 20210823185246.275 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:707 - No such device - The process does not have a controlling terminal
lxc-start deluge 20210823185246.771 INFO     start - start.c:lxc_init:904 - Container "deluge" is initialized
lxc-start deluge 20210823185246.771 DEBUG    storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir"
lxc-start deluge 20210823185246.783 INFO     network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from br0
lxc-start deluge 20210823185246.784 INFO     network - network.c:instantiate_veth:175 - Attached "vethES4TAD" to bridge "br0"
lxc-start deluge 20210823185246.785 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "vethES4TAD/vethHBMESP", index is "20"
lxc-start deluge 20210823185246.785 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210823185246.785 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210823185246.785 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210823185246.785 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210823185246.785 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210823185246.785 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-5"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-5"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-5"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-6"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-6"
lxc-start deluge 20210823185246.786 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-6"
lxc-start deluge 20210823185246.787 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-7"
lxc-start deluge 20210823185246.787 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-7"
lxc-start deluge 20210823185246.787 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-7"
lxc-start deluge 20210823185246.789 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:620 - "cgroup.clone_children" was already set to "1"
lxc-start deluge 20210823185246.793 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUSER
lxc-start deluge 20210823185246.793 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWNS
lxc-start deluge 20210823185246.793 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWPID
lxc-start deluge 20210823185246.793 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUTS
lxc-start deluge 20210823185246.793 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWIPC
lxc-start deluge 20210823185246.793 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14
lxc-start deluge 20210823185246.793 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15
lxc-start deluge 20210823185246.793 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16
lxc-start deluge 20210823185246.793 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17
lxc-start deluge 20210823185246.794 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18
lxc-start deluge 20210823185246.794 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start deluge 20210823185246.794 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start deluge 20210823185246.794 DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start deluge 20210823185246.807 ERROR    conf - conf.c:lxc_map_ids:3023 - newuidmap failed to write mapping "newuidmap: uid range [0-1002) -> [231072-232074) not allowed": newuidmap 10073 0 231072 1002 1002 1002 1
lxc-start deluge 20210823185246.807 ERROR    start - start.c:lxc_spawn:1720 - Failed to set up id mapping.
lxc-start deluge 20210823185246.135 INFO     network - network.c:lxc_delete_network_priv:2594 - Removed interface "(null)" with index 20
lxc-start deluge 20210823185246.138 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethES4TAD" from "br0"
lxc-start deluge 20210823185246.138 DEBUG    network - network.c:lxc_delete_network:3180 - Deleted network devices
lxc-start deluge 20210823185246.138 DEBUG    lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 10067 exited
lxc-start deluge 20210823185246.138 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:842 - Received container state "ABORTING" instead of "RUNNING"
lxc-start deluge 20210823185246.138 ERROR    lxc_start - tools/lxc_start.c:main:330 - The container failed to start
lxc-start deluge 20210823185246.138 ERROR    lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode
lxc-start deluge 20210823185246.138 ERROR    lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start deluge 20210823185246.138 ERROR    start - start.c:__lxc_start:1951 - Failed to spawn container "deluge"
lxc-start deluge 20210823185246.184 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start deluge 20210823185246.184 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start deluge 20210823185246.184 DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start deluge 20210823185246.185 ERROR    conf - conf.c:lxc_map_ids:3023 - newuidmap failed to write mapping "newuidmap: uid range [0-1002) -> [231072-232074) not allowed": newuidmap 10095 0 231072 1002 1003 0 1
lxc-start deluge 20210823185246.185 ERROR    conf - conf.c:userns_exec_1:4391 - Error setting up {g,u}id mappings for child process "10095"
lxc-start deluge 20210823185246.186 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc-start deluge 20210823185246.186 INFO     conf - conf.c:run_script_argv:356 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "deluge", config section "lxc"

There’s also no user 1002 or group 1003 in my setup, the correct user would be 107 and the correct group would be 109, like so:

deluge:x:107:109:Deluge Service,,,:/var/lib/deluge:/usr/sbin/nologin

However, this also fails to launch, the error is the same, config file:

lxc.idmap = u 0 231072 107 
lxc.idmap = g 0 231072 109 
lxc.idmap = u 107 1002 1 
lxc.idmap = g 109 1003 1 
lxc idmap = u 108 231179 65428 
lxc.idmap = g 110 231181 65426

Log:

root@lilchewchew2-0:/var/lib/lxc/deluge# lxc-start deluge --logfile deluge.log --logpriority debug
lxc-start: deluge: lxccontainer.c: wait_on_daemonized_start: 842 Received container state "ABORTING" instead of "RUNNING"
lxc-start: deluge: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: deluge: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
lxc-start: deluge: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
root@lilchewchew2-0:/var/lib/lxc/deluge# cat deluge.log 
lxc-start deluge 20210823190337.562 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 231072 range 107
lxc-start deluge 20210823190337.562 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 231072 range 109
lxc-start deluge 20210823190337.562 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 107 hostid 1002 range 1
lxc-start deluge 20210823190337.562 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 109 hostid 1003 range 1
lxc-start deluge 20210823190337.562 INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 110 hostid 231181 range 65426
lxc-start deluge 20210823190337.563 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:961 - Set process title to [lxc monitor] /var/lib/lxc deluge
lxc-start deluge 20210823190337.563 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]"
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start deluge 20210823190337.563 INFO     seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context
lxc-start deluge 20210823190337.564 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:707 - No such device - The process does not have a controlling terminal
lxc-start deluge 20210823190337.612 INFO     start - start.c:lxc_init:904 - Container "deluge" is initialized
lxc-start deluge 20210823190337.612 DEBUG    storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir"
lxc-start deluge 20210823190337.614 INFO     network - network.c:instantiate_veth:147 - Retrieved mtu 1500 from br0
lxc-start deluge 20210823190337.614 INFO     network - network.c:instantiate_veth:175 - Attached "vethB7XF5N" to bridge "br0"
lxc-start deluge 20210823190337.614 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "vethB7XF5N/veth9PP78J", index is "22"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-1"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-2"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-3"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-4"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-5"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-5"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-5"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-6"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-6"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-6"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-7"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-7"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-7"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1219 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/deluge-8"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1243 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-8"
lxc-start deluge 20210823190337.614 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1321 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc/deluge-8"
lxc-start deluge 20210823190337.614 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:620 - "cgroup.clone_children" was already set to "1"
lxc-start deluge 20210823190337.615 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUSER
lxc-start deluge 20210823190337.615 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWNS
lxc-start deluge 20210823190337.615 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWPID
lxc-start deluge 20210823190337.615 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUTS
lxc-start deluge 20210823190337.615 INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWIPC
lxc-start deluge 20210823190337.615 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14
lxc-start deluge 20210823190337.615 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15
lxc-start deluge 20210823190337.615 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16
lxc-start deluge 20210823190337.615 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17
lxc-start deluge 20210823190337.615 DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18
lxc-start deluge 20210823190337.615 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start deluge 20210823190337.615 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start deluge 20210823190337.615 DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start deluge 20210823190337.616 ERROR    conf - conf.c:lxc_map_ids:3023 - newuidmap failed to write mapping "newuidmap: uid range [0-107) -> [231072-231179) not allowed": newuidmap 10324 0 231072 107 107 1002 1
lxc-start deluge 20210823190337.617 ERROR    start - start.c:lxc_spawn:1720 - Failed to set up id mapping.
lxc-start deluge 20210823190337.687 INFO     network - network.c:lxc_delete_network_priv:2594 - Removed interface "(null)" with index 22
lxc-start deluge 20210823190337.690 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethB7XF5N" from "br0"
lxc-start deluge 20210823190337.690 DEBUG    network - network.c:lxc_delete_network:3180 - Deleted network devices
lxc-start deluge 20210823190337.690 DEBUG    lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 10317 exited
lxc-start deluge 20210823190337.690 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:842 - Received container state "ABORTING" instead of "RUNNING"
lxc-start deluge 20210823190337.690 ERROR    lxc_start - tools/lxc_start.c:main:330 - The container failed to start
lxc-start deluge 20210823190337.690 ERROR    lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode
lxc-start deluge 20210823190337.690 ERROR    lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start deluge 20210823190337.690 ERROR    start - start.c:__lxc_start:1951 - Failed to spawn container "deluge"
lxc-start deluge 20210823190337.738 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start deluge 20210823190337.738 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start deluge 20210823190337.738 DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start deluge 20210823190337.740 ERROR    conf - conf.c:lxc_map_ids:3023 - newuidmap failed to write mapping "newuidmap: uid range [0-107) -> [231072-231179) not allowed": newuidmap 10346 0 231072 107 108 0 1
lxc-start deluge 20210823190337.740 ERROR    conf - conf.c:userns_exec_1:4391 - Error setting up {g,u}id mappings for child process "10346"
lxc-start deluge 20210823190337.740 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc-start deluge 20210823190337.740 INFO     conf - conf.c:run_script_argv:356 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "deluge", config section "lxc"

Is there a potential problem of the rootfs of this container being owned by root:root when also being started by root?

root@lilchewchew2-0:/var/lib/lxc/deluge# ls -lt
total 24
-rw-r-----  1 root root 16189 Aug 23 14:03 deluge.log
-rw-r-----  1 root root  1493 Aug 23 14:03 config
drwxr-xr-x 20 root root  4096 Jul 20 19:17 rootfs

From the getting started article on LXC:

To run a system-wide unprivileged container (that is, an unprivileged container started by root) you’ll need to follow only a subset of the steps above.
Specifically, you need to manually allocate a uid and gid range to root in /etc/subuid and /etc/subgid. And then set that range in /etc/lxc/default.conf using lxc.idmap entries similar to those above.

When I map my container to subuids/subgids of root, it launches successfully; however, if I map any user in the container to a user on the host different from root when starting as root, I get “not allowed” and it fails to start.

So, mapping this container to subuid/subgid of root makes it completely unprivileged but am I wrong to understand that I also cannot map the users in the container to another user? Meaning, the user that launches the container must be the same as the one that the container maps its users to?

For example, is it impossible to create an unprivileged container that will be started as root but has all its users mapped to subuid/subgid of user123? Or is it only acceptable to map the users of a container to the same user that starts it?

My problem is I don’t want to go over all the configuration required to launch this container from within a non-superuser, don’t want it to have any users on the container mapped to root on the host and I need to map the container to a user that can access the shared folder. Is this even possible?

I think I’m using the wrong tool for this and that I shouldn’t even be using a container in this particular case.

Could you please advise?

Thanks!
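The "not allowed" errors in the logs above come from newuidmap/newgidmap refusing a host range. As an added example (not part of the original post, and not LXC or shadow code), the sketch below is a simplified model of that rule: each `lxc.idmap` host range must lie inside ranges delegated to the launching user in /etc/subuid or /etc/subgid, or be a single-ID map of that user's own ID. It also reports config lines that mention `idmap` but are not valid `lxc.idmap` keys. `SAMPLE_SUBUID` and `SAMPLE_SUBGID` are constructed values, not taken from the poster's host.

```python
import re
from typing import NamedTuple

class IdMap(NamedTuple):
    kind: str    # "u" (uid) or "g" (gid)
    nsid: int    # first ID inside the container
    hostid: int  # first ID on the host
    count: int   # length of the range

IDMAP_RE = re.compile(r"^lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)$")

# The second idmap configuration exactly as posted on the page.
PAGE_CONFIG = """\
lxc.idmap = u 0 231072 107
lxc.idmap = g 0 231072 109
lxc.idmap = u 107 1002 1
lxc.idmap = g 109 1003 1
lxc idmap = u 108 231179 65428
lxc.idmap = g 110 231181 65426
"""

# Constructed sample delegations (assumption, not from the page).
SAMPLE_SUBUID = "root:231072:65536\nlxc-jail:296608:65536\n"
SAMPLE_SUBGID = "root:231072:65536\nlxc-jail:296608:65536\n"

def parse_idmaps(config_text):
    """Return (valid maps, lines that mention idmap but do not parse)."""
    maps, rejected = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = IDMAP_RE.match(line)
        if m:
            maps.append(IdMap(m.group(1), int(m.group(2)),
                              int(m.group(3)), int(m.group(4))))
        elif "idmap" in line:
            rejected.append(line)
    return maps, rejected

def parse_subid(text, owner):
    """Ranges (start, count) delegated to owner in name:start:count format."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == owner:
            ranges.append((int(parts[1]), int(parts[2])))
    return sorted(ranges)

def covered(ranges, start, count):
    """True if [start, start+count) lies inside the owner's sorted ranges."""
    end = start + count - 1
    for r_start, r_count in ranges:
        r_end = r_start + r_count - 1
        if r_start <= start <= r_end:
            if r_end >= end:
                return True
            start = r_end + 1  # continue into an adjacent delegation
    return False

def evaluate(config_text, owner, uid, gid, subuid_text, subgid_text):
    """Return ({"u 0 231072 107": allowed, ...}, rejected_lines)."""
    maps, rejected = parse_idmaps(config_text)
    subuid = parse_subid(subuid_text, owner)
    subgid = parse_subid(subgid_text, owner)
    verdicts = {}
    for m in maps:
        own_id = uid if m.kind == "u" else gid
        ranges = subuid if m.kind == "u" else subgid
        allowed = (m.count == 1 and m.hostid == own_id) or \
            covered(ranges, m.hostid, m.count)
        verdicts[f"{m.kind} {m.nsid} {m.hostid} {m.count}"] = allowed
    return verdicts, rejected

if __name__ == "__main__":
    verdicts, rejected = evaluate(PAGE_CONFIG, "root", 0, 0,
                                  SAMPLE_SUBUID, SAMPLE_SUBGID)
    for entry, allowed in verdicts.items():
        print(("allowed     " if allowed else "not allowed ") + entry)
    for line in rejected:
        print("not a valid lxc.idmap key: " + line)
```

On a real host, pass the contents of /etc/subuid and /etc/subgid and the name, uid and gid of the user that runs lxc-start.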