Hello,
I have a CentOS 7.6 host with EPEL lxc 1.0.11-1 and am trying to use CentOS unprivileged containers as the root account (privileged containers work without problems).
On the host I added “root:100000:65536” to the files “/etc/subuid” and “/etc/subgid”,
“lxc.id_map = u 0 100000 65536” and “lxc.id_map = g 0 100000 65536” to the file “/etc/lxc/default.conf”,
“user.max_user_namespaces = 7976” (default 0 on CentOS 7) to the file /etc/sysctl.conf.
I created/started the CentOS 7 container with no network.
lxc-create -n centos-nopriv -i download -- -d centos -r 7 -a amd64
lxc-start -n centos-nopriv -L DEBUG -d
But the container startup does not complete: only the “init” process is running, and the DEBUG log file shows
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: No such file or directory
Failed to allocate manager object: No such file or directory
[!!!] Failed to allocate manager object, freezing.
I can attach to the container:
lxc-attach -n centos-nopriv
[root@centos-nopriv /]# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 08:38 ? 00:00:00 /sbin/init
root 4 0 0 08:39 ? 00:00:00 /bin/bash
root 42 4 0 08:43 ? 00:00:00 ps -ef
[root@centos-nopriv /]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/vgxxx-lvxxx 20957184 2136916 18820268 11% /
devtmpfs 1020884 0 1020884 0% /dev
tmpfs 1022520 0 1022520 0% /dev/shm
tmpfs 1022520 4 1022516 1% /run
tmpfs 1022520 0 1022520 0% /sys/fs/cgroup
[root@centos-nopriv /]# ls -ld /sys/fs/cgroup/systemd
drwxr-xr-x. 3 root root 60 Dec 19 08:39 /sys/fs/cgroup/systemd
[root@centos-nopriv /]# touch /sys/fs/cgroup/systemd/toto
[root@centos-nopriv /]# rm -f /sys/fs/cgroup/systemd/toto
[root@centos-nopriv /]# exit
The container config:
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
lxc.mount.auto = proc:mixed sys:ro
lxc.tty = 4
lxc.pts = 1024
lxc.arch = x86_64
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.utsname = centos-nopriv
lxc.network.type = empty
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = setfcap
lxc.cap.drop = sys_module
lxc.cap.drop = sys_nice
lxc.cap.drop = sys_pacct
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_time
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.rootfs = /srv/diode/lxc/centos-nopriv/rootfs
I have no problem with unprivileged containers on Fedora fc29 with lxc 3.0.3-1 (no success with fc28/lxc 2…), but I cannot use Fedora in production.
Best regards.
Francis