Hello,
I have an odd sort of problem. I created an unprivileged container (as a dedicated non-root user) on my Debian system running stretch (current stable). The container starts alright and I can attach to it, but I cannot stop it or shut it down using any of:
- ‘halt’, ‘poweroff’, ‘reboot’ or ‘/sbin/shutdown -h’ from within the container,
- ‘lxc-stop [--kill [--nolock]]’ on the host, as the user who “owns” the container,
- or even ‘kill [-9]’ with the container’s systemd PID as ‘root’ on the host.
To create the container, I mostly followed the LXC page on the Debian Wiki, but I referred to another guide, as well, since I wanted to understand this SUBUID/SUBGID stuff and it was explained better there.
Here’s what I did to create the container:
1. Made sure all required packages were installed:
cgroupfs-mount
liblxc1
libpam-cgroup
libvirt0
lxc
and their dependencies:
libcgroup1
libnl-3-200
libnl-route-3-200
libxen-4.8
libxenstore3.0
libyajl2
python3-lxc
Some other relevant packages (like cgmanager) were already installed from earlier experiments with LXC.
2. Checked system configuration:
# lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.9.0-4-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
3. Created a new user and system group, specially for LXC:
The system group is called ‘lxc’ and has GID 113.
The user is called ‘metis’, has UID 30000, is in a user group ‘metis’ (GID 30000) AND the system group ‘lxc’.
The user got the following SUBUID/SUBGID ranges assigned to them:
# grep metis /etc/sub[gu]id
/etc/subgid:metis:493216:65536
/etc/subuid:metis:493216:65536
The user’s home directory ‘/srv/lxc/metis’ exists, belongs to metis:metis, has permissions 0750 and is a btrfs subvolume (if that matters).
4. Enabled user namespaces:
# echo 1 > /proc/sys/kernel/unprivileged_userns_clone
# echo "kernel.unprivileged_userns_clone=1" > /etc/sysctl.d/80-lxc-userns.conf
5. Copied and adjusted the default configuration:
As the new, dedicated LXC user ‘metis’:
$ mkdir -p .config/lxc
$ cp /etc/lxc/default.conf .config/lxc/
$ echo "lxc.id_map = u 0 "`grep $USER /etc/subuid | cut --delimiter=":" --output-delimiter=" " --fields=2,3` >> .config/lxc/default.conf
$ echo "lxc.id_map = g 0 "`grep $USER /etc/subgid | cut --delimiter=":" --output-delimiter=" " --fields=2,3` >> .config/lxc/default.conf
$ echo "lxc.mount.auto = proc:mixed sys:ro cgroup:mixed" >> .config/lxc/default.conf
Result:
$ cat .config/lxc/default.conf
lxc.network.type = empty
lxc.id_map = u 0 493216 65536
lxc.id_map = g 0 493216 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
6. Fixed access permissions to /srv/lxc/metis/.local/…
As ‘root’ (on the host):
# setfacl -m u:493216:x /srv/lxc/metis /srv/lxc/metis/.local /srv/lxc/metis/.local/share /srv/lxc/metis/.local/share/lxc
7. Actually created the container:
$ lxc-create --name metis --template download
Setting up the GPG keyring
Downloading the image index
[...]
Distribution: debian
Release: stretch
Architecture: amd64
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs
---
You just created a Debian container (release=stretch, arch=amd64, variant=default)
[...]
Use lxc-attach or chroot directly into the rootfs to set a root password
or create user accounts.
At this point, the container existed and could be started and used:
metis@iupiter:~$ lxc-ls
metis
metis@iupiter:~$ lxc-info -n metis
Name: metis
State: STOPPED
metis@iupiter:~$ lxc-start -n metis
metis@iupiter:~$ lxc-attach -n metis
root@metis:/# ps -eF
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
root 1 0 0 14076 3036 1 23:03 ? 00:00:00 /sbin/init
root 23 0 0 4953 3656 1 23:03 pts/2 00:00:00 /bin/bash
root 24 23 0 9576 3104 1 23:03 pts/2 00:00:00 ps -eF
But it was apparent that something was wrong with systemd:
root@metis:/# systemctl
Failed to connect to bus: No such file or directory
… and there wasn’t even a way to shut the container down.
Not from within:
root@metis:/# /sbin/shutdown -h
Failed to connect to bus: No such file or directory
root@metis:/# /sbin/halt
Failed to connect to bus: No such file or directory
Failed to talk to init daemon.
root@metis:/# /sbin/poweroff
Failed to connect to bus: No such file or directory
Failed to talk to init daemon.
root@metis:/# /sbin/init 0
Couldn't find an alternative telinit implementation to spawn.
root@metis:/# kill 1
root@metis:/# kill -9 1
Not as user ‘metis’ from the host:
metis@iupiter:~$ lxc-stop -n metis
(hung forever, had to kill with ^C)
metis@iupiter:~$ lxc-stop -n metis --kill
(likewise -> ^C)
metis@iupiter:~$ lxc-stop -n metis --kill --nolock
(likewise -> ^C)
And not even by killing the container’s systemd process
as ‘root’ on the host:
root@iupiter:~# pstree -p
systemd(1)─┬─...
...
├─lxc-start(5971)───systemd(5982)
...
root@iupiter:~# kill 5982
root@iupiter:~# kill -9 5982
root@iupiter:~# ps 5982
PID TTY STAT TIME COMMAND
5982 ? Ds 0:00 /sbin/init
In the end, the only way to shut the container down was to reboot the system.
I would greatly appreciate any help anyone could give me and will gladly provide any further info you might need.
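A pre-flight check for steps 3 to 6 above, added here as an example and not part of the original post: it verifies that every lxc.id_map line in a user's default.conf lies inside the subordinate ranges granted to that user in /etc/subuid and /etc/subgid (lxc refuses mappings that newuidmap/newgidmap would not grant), and it prints the host UID that the container's root is mapped to, which is the UID that needs traversal rights on every directory above the rootfs (the setfacl step). The file names and contents in the demo are constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks an unprivileged
# container's ID mappings against /etc/sub[ug]id before trying to start it.
# All paths and file contents in the demo at the bottom are constructed.

# range_ok USER FILE HOST_START COUNT
# Succeeds if [HOST_START, HOST_START+COUNT) lies inside one of USER's lines
# in FILE (format user:start:count, as in /etc/subuid and /etc/subgid).
range_ok() {
    user=$1; file=$2; hid=$3; cnt=$4
    while IFS=: read -r owner start size; do
        [ "$owner" = "$user" ] || continue
        if [ "$hid" -ge "$start" ] && [ $((hid + cnt)) -le $((start + size)) ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# idmap_lines CONF
# Prints the "<u|g> <container id> <host id> <count>" part of every mapping.
# Accepts both the lxc 2 key (lxc.id_map) and the lxc 3 key (lxc.idmap).
idmap_lines() {
    sed -n -E 's/^[[:space:]]*lxc\.id_?map[[:space:]]*=[[:space:]]*//p' "$1"
}

# check_idmap USER SUBUID_FILE SUBGID_FILE CONF
# Reports every mapping on stderr; succeeds only if the config has at least
# one mapping and every mapping is granted to USER.
check_idmap() {
    user=$1; subuid=$2; subgid=$3; conf=$4
    if [ -z "$(idmap_lines "$conf")" ]; then
        echo "no lxc.id_map lines in $conf; an unprivileged container needs them" >&2
        return 1
    fi
    # The loop runs in a subshell (pipeline), so failures are counted by
    # emitting one "x" line per bad mapping instead of setting a variable.
    bad=$(idmap_lines "$conf" | while read -r type cid hid cnt; do
        case $type in
            u) file=$subuid ;;
            g) file=$subgid ;;
            *) echo "unknown map type '$type' in $conf" >&2; echo x; continue ;;
        esac
        if range_ok "$user" "$file" "$hid" "$cnt"; then
            echo "ok   $type $cid -> $hid (+$cnt): granted to $user in $file" >&2
        else
            echo "BAD  $type $cid -> $hid (+$cnt): not granted to $user in $file" >&2
            echo x
        fi
    done | grep -c x) || true
    [ "$bad" -eq 0 ]
}

# mapped_root_uid CONF
# Host UID that container uid 0 runs as. That UID needs execute (traversal)
# permission on each directory above the container's rootfs, e.g. the
# setfacl -m u:<uid>:x step from the post, or lxc-start fails with EACCES.
mapped_root_uid() {
    idmap_lines "$1" | while read -r type cid hid cnt; do
        if [ "$type" = u ] && [ "$cid" -eq 0 ]; then
            echo "$hid"
            break
        fi
    done
}

# Demo on constructed sample files laid out like the post's configuration.
demo_dir=$(mktemp -d)
printf 'metis:493216:65536\n' > "$demo_dir/subuid"
printf 'metis:493216:65536\n' > "$demo_dir/subgid"
printf 'lxc.network.type = empty\nlxc.id_map = u 0 493216 65536\nlxc.id_map = g 0 493216 65536\n' \
    > "$demo_dir/default.conf"
if check_idmap metis "$demo_dir/subuid" "$demo_dir/subgid" "$demo_dir/default.conf"; then
    echo "mappings OK; grant traversal (x) to host uid $(mapped_root_uid "$demo_dir/default.conf")"
fi
rm -rf "$demo_dir"
```

Run it on a real host as `check_idmap metis /etc/subuid /etc/subgid ~metis/.config/lxc/default.conf`; the script does not touch the host files, it only reads them.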