Dear lxc team,
I hope you are fine.
Thanks for your work.
lxc containers with an LVM backend have been working fine for me for quite a long time.
But for some reason I had to upgrade my host from Debian 10 to Debian 12, and I had a container running Docker elements.
So I tried to go with unprivileged containers.
But dbus is going messy (errors in the journal, and it is running under yet another group, 300101, whereas the root user is supposed to be uid 300000), and when starting the container I get some errors in the logs about some services.
ps on host
root 457385 0.0 0.0 5828 3144 ? Ss 17:44 0:00 /usr/bin/lxc-start -n myhost
300000 457389 4.5 0.0 167212 11384 ? Rs 17:44 0:00 \_ /sbin/init
300000 457443 4.0 0.0 24636 8652 ? Ss 17:44 0:00 \_ /lib/systemd/systemd-journald
300000 457458 0.0 0.0 2524 1740 ? Ss 17:44 0:00 \_ /sbin/ifup -a --read-environment
300000 457476 0.0 0.0 2572 916 ? S 17:44 0:00 | \_ /bin/sh -c CLIENT="-i"; dhclient -4 -v $CLIENT -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases et
300000 457477 0.0 0.0 5048 1180 ? S 17:44 0:00 | \_ dhclient -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
300000 457480 0.0 0.0 5736 3500 ? S 17:44 0:00 | \_ dhclient -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
300101 457481 0.0 0.0 7904 3580 ? Ss 17:44 0:00 \_ /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
lxc-checkconfig -n container
LXC version 5.0.2
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled
Cgroup v1 mount points:
Cgroup v2 mount points:
- /sys/fs/cgroup
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded
--- Checkpoint/Restore ---
checkpoint restore: missing
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled
Entering the system using nsenter.
When I use journalctl, the output contains:
janv. 16 17:44:54 container systemd-sysusers[40]: Failed to take /etc/passwd lock: Permission denied
janv. 16 17:44:54 container systemd[1]: systemd-sysusers.service: Main process exited, code=exited, status=1/FAILURE
janv. 16 17:44:54 container systemd[1]: systemd-sysusers.service: Failed with result 'exit-code'.
janv. 16 17:44:54 container systemd[1]: Failed to start systemd-sysusers.service - Create System Users.
janv. 16 17:44:54 container systemd[1]: Starting systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev...
janv. 16 17:44:54 container systemd[1]: Finished systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev.
janv. 16 17:44:54 container systemd[1]: Reached target local-fs-pre.target - Preparation for Local File Systems.
janv. 16 17:44:54 container systemd[1]: Reached target local-fs.target - Local File Systems.
janv. 16 17:44:54 container systemd[1]: apparmor.service - Load AppArmor profiles was skipped because of an unmet condition check (ConditionSecurity=apparmor).
janv. 16 17:44:54 container systemd[1]: Starting networking.service - Raise network interfaces...
janv. 16 17:44:54 container systemd[1]: systemd-binfmt.service - Set Up Additional Binary Formats was skipped because of an unmet condition check (ConditionPathIsReadWrite=/proc/sys).
janv. 16 17:44:54 container systemd[1]: systemd-machine-id-commit.service - Commit a transient machine-id on disk was skipped because of an unmet condition check (ConditionPathIsMountPoint=/etc/machine-id).
janv. 16 17:44:54 container systemd[1]: Starting systemd-tmpfiles-setup.service - Create Volatile Files and Directories...
janv. 16 17:44:55 container systemd-tmpfiles[49]: rm_rf(/tmp/.XIM-unix): Operation not permitted
janv. 16 17:44:55 container systemd-tmpfiles[49]: rm_rf(/tmp/.X11-unix): Operation not permitted
janv. 16 17:44:55 container systemd-tmpfiles[49]: rm_rf(/tmp/.ICE-unix): Operation not permitted
janv. 16 17:44:55 container systemd-tmpfiles[49]: rm_rf(/tmp/.font-unix): Operation not permitted
janv. 16 17:44:55 container systemd-tmpfiles[49]: rm_rf(/tmp): Operation not permitted
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/dbus.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/lock.
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /root failed: Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: Failed to create directory or subvolume "/root/.ssh", ignoring: Permission non accordée
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/systemd.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/systemd/netif.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/systemd/netif.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/systemd/netif.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run.
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /var/lib/systemd failed: Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /var/lib/systemd/pstore failed: Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: Setting access ACL "u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" on /var/log/journal failed: Argument invalide
janv. 16 17:44:55 container systemd-tmpfiles[49]: Failed to re-open '/var/log/journal': Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /var/log/journal failed: Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: Setting access ACL "u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" on /var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c failed: Argument invalide
janv. 16 17:44:55 container systemd-tmpfiles[49]: Failed to re-open '/var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c': Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c failed: Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/log/journal.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/log/journal.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/log/journal/61a0413b78484c8db08d3c6bb0b8e77c.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/log/journal/61a0413b78484c8db08d3c6bb0b8e77c/system.journal.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Setting access ACL "u::rw-,g::r-x,g:adm:r--,g:4294967295:r--,m::r--,o::---" on /var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c/system.journal failed: Argument invalide
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c/system.journal failed: Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: Setting access ACL "u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" on /var/log/journal failed: Argument invalide
janv. 16 17:44:55 container systemd-tmpfiles[49]: Failed to re-open '/var/log/journal': Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /var/log/journal failed: Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: Setting access ACL "u::rwx,g::r-x,g:adm:r-x,g:4294967295:r-x,m::r-x,o::r-x" on /var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c failed: Argument invalide
janv. 16 17:44:55 container systemd-tmpfiles[49]: Failed to re-open '/var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c': Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c failed: Opération non permise
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/log/journal.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/log/journal.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/log/journal/61a0413b78484c8db08d3c6bb0b8e77c.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Detected unsafe path transition / (owned by nobody) → /run (owned by root) during canonicalization of /run/log/journal/61a0413b78484c8db08d3c6bb0b8e77c/system.journal.
janv. 16 17:44:55 container systemd-tmpfiles[49]: Setting access ACL "u::rw-,g::r-x,g:adm:r--,g:4294967295:r--,m::r--,o::---" on /var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c/system.journal failed: Argument invalide
janv. 16 17:44:55 container systemd-tmpfiles[49]: fchownat() of /var/log/journal/61a0413b78484c8db08d3c6bb0b8e77c/system.journal failed: Opération non permise
Is there some way to fix the user id so that services are launched safely without errors?
Regards.
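A check for the condition these journal lines point at, added here as an example and not part of the original report: "/ (owned by nobody)" and the gid 4294967295 in the ACL messages are what unmapped host ids look like from inside a user namespace, so the ownership of the rootfs on the host can be compared against the container's lxc.idmap lines. The idmap values, the sample entries and the command-line usage below are constructed assumptions, not taken from the reporter's configuration.

```python
import os
import sys

# Constructed sample: the idmap an unprivileged LXC config would carry for the
# host range seen in the post (container uid 0 -> host uid 300000).
SAMPLE_CONFIG = """\
lxc.idmap = u 0 300000 65536
lxc.idmap = g 0 300000 65536
"""

# Constructed sample of (path, uid, gid) as stat() would report them ON THE HOST.
# "/" still carries host uid/gid 0 (never shifted); "/run" is a tmpfs created by
# the container's init and therefore sits inside the mapped range.
SAMPLE_ENTRIES = [("/", 0, 0), ("/run", 300000, 300000),
                  ("/var/log/journal", 300000, 4)]

def parse_idmap(config_text):
    """Return {'u': [(nsid, hostid, count), ...], 'g': [...]} from lxc.idmap lines."""
    maps = {"u": [], "g": []}
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "lxc.idmap":
            continue
        kind, nsid, hostid, count = value.split()
        maps[kind].append((int(nsid), int(hostid), int(count)))
    return maps

def is_mapped(host_id, ranges):
    """True if host_id lies inside one of the (nsid, hostid, count) host ranges."""
    return any(hostid <= host_id < hostid + count for _, hostid, count in ranges)

def find_unmapped(entries, maps):
    """Entries whose host uid or gid the idmap does not cover. Inside the
    container such files appear as nobody/nogroup, which is what the
    'owned by nobody' and 'g:4294967295' journal messages reflect."""
    return [(p, u, g) for p, u, g in entries
            if not is_mapped(u, maps["u"]) or not is_mapped(g, maps["g"])]

def scan_rootfs(root, maps):
    """Walk a real rootfs on the host with lstat (symlinks are not followed)."""
    def walk():
        for dirpath, _dirnames, filenames in os.walk(root):
            for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                st = os.lstat(p)
                yield p, st.st_uid, st.st_gid
    return find_unmapped(walk(), maps)

if __name__ == "__main__":  # usage: script.py <container config> <rootfs path>
    with open(sys.argv[1]) as fh:
        maps = parse_idmap(fh.read())
    for p, u, g in scan_rootfs(sys.argv[2], maps):
        print(f"unmapped: {p} uid={u} gid={g}")
```

Run it as root on the host against the container's config and its mounted rootfs; every path it lists will be seen as nobody/nogroup from inside the container, which explains the fchownat() and ACL failures in the journal.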