Can't run user container with OpenRC

I’m using Gentoo with OpenRC. I’ve created a user account to run containers from, along with the ID maps, cgconfig, and PAM modules. I can log in as this user, or su, and start the container with lxc-start, but I can’t get OpenRC to run it as the specific user.

I’ve documented my process here: LXC - Gentoo Wiki

I’m not sure whether this is related, but running lxc-start as that user sometimes gives this error:

su lxc-dnscrypt -c "lxc-start dnscrypt -F"
lxc-start: dnscrypt: ../lxc-5.0.2/src/lxc/cgroups/cgfsng.c: __cgfsng_delegate_controllers: 3341 Device or resource busy - Could not enable "+cpuset +cpu +io +memory +hugetlb +pids" controllers in the unified cgroup 10
lxc-start: dnscrypt: ../lxc-5.0.2/src/lxc/cgroups/cgfsng.c: __cgfsng_delegate_controllers: 3341 Device or resource busy - Could not enable "+cpuset +cpu +io +memory +hugetlb +pids" controllers in the unified cgroup 10

The cgroups seem to be set correctly:

cat /sys/fs/cgroup/lxc-dnscrypt/cgroup.controllers 
cpuset cpu io memory hugetlb pids

Additional info:

cat /proc/1/mountinfo
19 22 0:5 / /dev rw,nosuid,noexec,relatime - devtmpfs devtmpfs rw,seclabel,size=10240k,nr_inodes=66002518,mode=755
22 1 0:18 / / rw,relatime - btrfs /dev/mapper/crypt1 rw,seclabel,ssd,space_cache=v2,subvolid=5,subvol=/
18 22 0:20 / /sys rw,relatime - sysfs sysfs rw,seclabel
20 18 0:14 / /sys/fs/selinux rw,nosuid,noexec,relatime - selinuxfs selinuxfs rw
17 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw,gid=10,hidepid=invisible
21 22 0:22 / /run rw,nosuid,nodev,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:var_run_t,seclabel,mode=755
23 18 0:24 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime - efivarfs efivarfs rw
24 18 0:25 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 none rw,seclabel
25 19 0:13 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw,seclabel
26 19 0:26 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts 
27 19 0:27 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,seclabel rw,seclabel,ssd,space_cache=v2,subvolid=5,subvol=/
30 22 0:29 /binpkgs /var/cache/binpkgs rw,relatime - btrfs /dev/mapper/minicrypt1 rw,seclabel,ssd,space_cache=v2,subvolid=261,subvol=/binpkgs
31 22 0:29 /distfiles /var/cache/distfiles rw,relatime - btrfs /dev/mapper/minicrypt1 rw,seclabel,ssd,space_cache=v2,subvolid=263,subvol=/distfiles
28 22 0:39 / /tmp rw,nosuid,noexec,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:tmp_t,seclabel
35 28 0:40 / /tmp/portage rw,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:portage_tmp_t,seclabel,size=33554432k,mode=775,uid=250,gid=250
46 22 0:18 /var/db/repos /export/repos rw,relatime - btrfs /dev/mapper/crypt1 rw,seclabel,ssd,space_cache=v2,subvolid=462,subvol=/var/db/repos
48 22 0:18 /var/lib/docker /var/lib/docker rw,relatime shared:1 - btrfs /dev/mapper/crypt1 rw,seclabel,ssd,space_cache=v2,subvolid=465,subvol=/var/lib/docker
53 48 0:18 /var/lib/docker/btrfs /var/lib/docker/btrfs rw,relatime shared:1 - btrfs /dev/mapper/crypt1 rw,seclabel,ssd,space_cache=v2,subvolid=465,subvol=/var/lib/docker
225 21 0:4 net:[4026535351] /run/docker/netns/d00fdecb43eb rw - nsfs nsfs rw
226 21 0:4 net:[4026535382] /run/docker/netns/f32bb392cab3 rw - nsfs nsfs rw
227 21 0:4 net:[4026535300] /run/docker/netns/6e913ec0d899 rw - nsfs nsfs rw
327 21 0:4 net:[4026535461] /run/docker/netns/97823714f784 rw - nsfs nsfs rw
144 21 0:4 net:[4026535513] /run/docker/netns/9b73e0125269 rw - nsfs nsfs rw
79 22 0:192 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs rpc_pipefs rw
80 17 0:193 / /proc/fs/nfsd rw,nosuid,nodev,noexec,relatime - nfsd nfsd rw

CGConfig:

# libcgroup (cgconfig) definition of a cgroup named lxc-dnscrypt.
# perm/task names the owner allowed to place tasks in the group; perm/admin
# names the owner of the group's other control files. Both are set to the
# unprivileged lxc-dnscrypt account, which delegates this one group to that
# account.
# The empty controller sections (cpu, cpuset, hugetlb, io, memory, pids) name
# the controllers for the group but set no parameters, so no resource limits
# are applied here.
# NOTE(review): on cgroup v2, a non-root cgroup cannot enable controllers for
# its children while it still has member processes; the write fails with
# EBUSY. Confirm whether lxc-start is itself running inside this group when
# the "Device or resource busy" error appears.
group lxc-dnscrypt {
        perm {
                task {
                        uid = lxc-dnscrypt;
                        gid = lxc-dnscrypt;
                }
                admin {
                        uid = lxc-dnscrypt;
                        gid = lxc-dnscrypt;
                }
        }
        cpu {}
        cpuset {}
        hugetlb {}
        io {}
        memory {}
        pids {}
}

Container config:

# User-namespace ID mapping: container UIDs and GIDs 0-65535 map to host IDs
# 165536-231071, so root inside the container is an unprivileged ID on the host.
# The mapped range has to fall inside the subordinate ID range delegated to the
# account that starts the container.
lxc.idmap = u 0 165536 65536
lxc.idmap = g 0 165536 65536
# Root filesystem is a plain directory under the lxc-dnscrypt home directory.
lxc.rootfs.path = dir:/home/lxc-dnscrypt/.local/share/lxc/dnscrypt/rootfs
lxc.uts.name = dnscrypt

# Network configuration
# One veth interface, attached to the host bridge lxcbr53, with a static IPv4
# address and gateway.
# NOTE(review): an unprivileged user normally attaches to a host bridge through
# lxc-user-nic, which is gated by /etc/lxc/lxc-usernet; confirm an allowance
# exists for this account and bridge in the environment OpenRC starts it from.
# NOTE(review): the hwaddr below looks like a placeholder value; confirm.
lxc.net.0.type = veth
lxc.net.0.link = lxcbr53
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 10.53.53.2/24
lxc.net.0.ipv4.gateway = 10.53.53.1
lxc.net.0.hwaddr = aa:bb:cc:dd:ee:ff

# Init
# dnscrypt-proxy is started directly as the container's init process instead of
# a full init system; the path is resolved inside the container rootfs.
lxc.init.cmd = /usr/bin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Both ID map entries (UID and GID) look like:

lxc-dnscrypt:165536:65536