Container fails to start if made to share the namespace of other container

dineshk · July 6, 2018, 9:27am

Hi,

I created a container C4 which is running :

Then I added config to share the namespace of other container “test”

Using following :

root@ubuntu1804lts:~# lxc config set c4 raw.lxc “lxc.namespace.share.pid = test”
root@ubuntu1804lts:~# lxc config set c4 raw.lxc “lxc.namespace.share.user = test”

And when I restart the container, it fails to start with following :

root@ubuntu1804lts:~# lxc info --show-log c4
Name: c4
Remote: unix://
Architecture: x86_64
Created: 2018/07/06 05:36 UTC
Status: Stopped
Type: persistent
Profiles: default

Log:

lxc 20180706090747.867 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:130 - Connection reset by peer - Failed to receive response for command “get_cgroup”

Any idea what’s going on ? Both containers are privileged containers.

root@ubuntu1804lts:~# lxc list security.privileged=true
±-----±--------±-----±-----±-----------±----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
±-----±--------±-----±-----±-----------±----------+
| c3 | STOPPED | | | PERSISTENT | 0 |
±-----±--------±-----±-----±-----------±----------+
| c4 | STOPPED | | | PERSISTENT | 0 |
±-----±--------±-----±-----±-----------±----------+
| test | RUNNING | | | PERSISTENT | 0 |
±-----±--------±-----±-----±-----------±----------+

Regards,
Dinesh

stgraber · July 6, 2018, 2:11pm

Note that what you did above will not result in:

lxc.namespace.share.pid = test
lxc.namespace.share.user = test

But in just:

lxc.namespace.share.user = test

You’d need to do something like:

printf "lxc.namespace.share.user=test\nlxc.namespace.share.user=test" | lxc config set c4 raw.lxc -

I doubt that this would fix the problem though, sharing user namespace for privileged containers doesn’t really make sense and sharing pid namespace is going to cause you some major issues as the init process of the second container will immediately fail.

dineshk · July 9, 2018, 4:53am

Thanks Stephane, for correction. I did change that to reflect it correctly and also changed the privileges for both containers but it still doesn’t work.

Documentation for lxc 3.0.0 however, seems to suggest that lxc.namespace.share works with sharing user and net namespace.

Regards,
Dinesh

stgraber · July 9, 2018, 2:07pm

Right but you’re trying to share user and pid here which is a bit different.
Also sharing the user namespace is meaningless when the containers are privileged since they by definition do not have a user namespace.

dineshk · July 9, 2018, 2:28pm

Thanks again.

This is what the documentation says :

To inherit the namespace from another container set the lxc.namespace.share.[namespace identifier] to the name of the container, e.g. lxc.namespace.share.pid = c3.

I’ve tried lxc.namespace.share.net also and not very different.

I converted the containers to non privileged ones and result is not different

What would be the correct config for sharing the namespace of another container when both are privileged, if that’s possible to do ?

Regards,

dinesh