The example described in /usr/share/doc/lxc/README.Debian.gz from Debian 11 under "Unprivileged containers" gives Failed to mount "proc" with an AppArmor error in dmesg (even though the configuration has unconfined).
Thank you for trying to pinpoint the issue. The mount command succeeded without any dmesg or console output, but the container still fails, with unchanged lxc and dmesg outputs, as above.
To rule out machine-specific issues, this was also reproduced on a Debian live DVD.
At some point Debian introduced additional sysctl to restrict user namespaces for unprivileged users, maybe they still do that and that’s what’s getting in the way here?
Are the above configuration file and systemd-run command sufficient to run an unprivileged container? The configuration file is copied verbatim, it is not an extract.
Is an unprivileged container expected to work when using / as root? Or must the container filesystem be made by the non-root user?
Oh, sorry, it looked like it was an extract. So you’re indeed instructing LXC to use your existing rootfs as the unprivileged container’s rootfs.
This isn’t going to work and isn’t something that we support with LXC.
That kind of setup is very problematic as your unprivileged user doesn’t own any of the mount table entries from the existing system and on top of that, you’d get a bunch of conflicts on unix sockets, lock files, … There’s also the issue that your container would not be able to correctly see the ownership of any file on your system’s rootfs (everything would show up as nobody:nogroup) and paths that are normally restricted for only root to access would be completely unreachable from the container.
So the short version is that for unprivileged containers to work, you really need a rootfs which is separate from your system’s and which is fully owned by the uids and gids that you’re assigning to the container.
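As an added example (not from this thread or from the LXC project), a small POSIX sh check for the requirement stated above: it parses `lxc.idmap` lines from the container config and reports every file in a rootfs whose owner uid or gid lies outside the mapped host ranges, since those are the entries that would appear as nobody:nogroup inside the container. The idmap lines below are constructed, and the script assumes the usual `lxc.idmap = u|g <ctr_start> <host_start> <count>` syntax and GNU find for the directory scan.

```shell
#!/bin/sh
# Added example: verify that a rootfs is fully owned by the uids/gids that
# the container's idmap assigns, as the answer above requires.

# Constructed idmap lines, as they would appear in the container config
# (assumption: the standard lxc.idmap syntax with a 65536-id range).
IDMAP='lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536'

# idmap_covers <u|g> <host_id>: succeed if host_id lies in a mapped range.
idmap_covers() {
    kind=$1; id=$2
    printf '%s\n' "$IDMAP" | while read -r _key _eq k _cstart hstart count; do
        [ "$k" = "$kind" ] || continue
        # Range is [hstart, hstart + count), so the upper bound is exclusive.
        if [ "$id" -ge "$hstart" ] && [ "$id" -lt $((hstart + count)) ]; then
            echo yes
        fi
    done | grep -q yes
}

# report_unmapped: read "uid gid path" lines from stdin, print each entry
# whose owner is not covered by the map; succeed only if none were found.
report_unmapped() {
    bad=0
    while read -r uid gid path; do
        if ! idmap_covers u "$uid" || ! idmap_covers g "$gid"; then
            echo "unmapped: $uid:$gid $path"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# scan_rootfs <dir>: run the check over a real directory tree.
# Reusing the host's / here would flag essentially every file, which is
# the nobody:nogroup effect described above. Requires GNU find (-printf).
scan_rootfs() {
    find "$1" -printf '%U %G %p\n' | report_unmapped
}
```

Run `scan_rootfs /path/to/container/rootfs` before starting the container; a clean exit status means every file is owned by a mapped id.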