LXC opensuse unprivileged container


(skies) #1

Hi, I just installed LXC on openSUSE, did the subgid and subuid, and created the file .config/lxc/default.conf with the same values as /etc/subgid and /etc/subuid. I was able to create a container but never run it; I googled the error but could not find anything related to openSUSE. Here is the error.

lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2241 0 1258512 65536
lxc-start: start.c: lxc_spawn: 1341 Failed to set up id mapping.
lxc-start: start.c: __lxc_start: 1530 Failed to spawn container "csgo".
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2267 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2267"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/unified//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2269 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2269"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/systemd//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2271 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2271"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/cpu//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2273 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2273"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/memory//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2275 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2275"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/pids//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2277 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2277"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/rdma//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2279 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2279"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/cpuset//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2281 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2281"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/hugetlb//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2283 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2283"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/blkio//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2285 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2285"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/net_cls//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2287 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2287"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/perf_event//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2289 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2289"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/freezer//lxc/csgo
lxc-start: conf.c: lxc_map_ids: 2657 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [1258512-1324048) not allowed": newuidmap 2291 0 1258512 65536 65536 0 1
lxc-start: conf.c: userns_exec_1: 3825 error setting up {g,u}id mappings for child process "2291"
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1261 Error destroying /sys/fs/cgroup/devices//lxc/csgo
lxc-start: tools/lxc_start.c: main: 368 The container failed to start.

(Stéphane Graber) #2

Sounds like there’s a mismatch between /etc/subuid, /etc/subgid, the user you’re running lxc-start as and the LXC configuration for the container.

Can you show all of those so we can figure it out?


(skies) #3

To be honest, I had dropped using LXC; I felt stuck with it without getting help. However, give me some minutes, I will run it again and report back.


(skies) #4

I just installed LXC, and I got the same result:
I do not want to sound like I'm jumping to conclusions, but I think LXC will not work well unless I use Ubuntu as the host OS.

    sudo cat /etc/sub*
    lxcuser:1258512:65536
    lxcuser:1258512:65536
    cat .config/lxc/default.conf
    lxc.id_map = u 0 1258512 65536
    lxc.id_map = g 0 1258512 65536
    lxc.network.type = macvlan
    lxc.network.macvlan.mode = bridge
    lxc.network.flags = up
    lxc.network.link = eth0

lxc-start --name test --f
lxc-start: cgroups/cgfs.c: lxc_cgroupfs_create: 909 Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/cpuset/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/blkio/user.slice
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/hugetlb/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/pids/user.slice/user-1000.slice/session-1.scope
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/freezer/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/rdma/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/net_cls,net_prio/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/memory/user.slice
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/cpu,cpuacct/user.slice
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/devices/user.slice
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/perf_event/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-1.scope
lxc-start: start.c: lxc_spawn: 1286 Failed creating cgroups.
lxc-start: start.c: __lxc_start: 1530 Failed to spawn container "test".
lxc-start: tools/lxc_start.c: main: 368 The container failed to start.

(Jihyun Yoon) #5

As you can see from the logs, I think this problem is related to accessing cgroups.
Regardless of whether the OS is Ubuntu or not, an unprivileged container could work.
But in order to make it work well, there are some prerequisites.

First, you need to use PAM with pam_cgfs.so
==> https://brauner.github.io/2018/02/28/lxc-includes-cgroup-pam-module.html

from https://github.com/lxc/lxc/issues/1998

issue on creating unprivileged containers

  • The root cause of the problem is that unprivileged users on most systems will not be placed into writable cgroups at login time.
  • lxc requires only the freezer hierarchy currently.
  • But creating writable cgroups for unprivileged users at login time is not lxc’s job.
  • In fact, it’s not even possible for lxc to do it since it requires (root) privileges an unprivileged user doesn’t have.
  • So if you want to run unprivileged containers as an unprivileged user

Did you check the following?

cat /proc/self/cgroup
grep cgfs /etc/pam.d/*


(Jihyun Yoon) #6

Additionally, as far as I know, macvlan cannot be supported in an unprivileged container.
It might be a limitation of the user namespace itself, since the lower device you’re attaching to is still on the host.


(skies) #7

I do not think pam_cgfs.so exists anywhere.

su - lxcuser
cat /proc/self/cgroup
12:devices:/user.slice
11:rdma:/
10:hugetlb:/
9:blkio:/user.slice
8:pids:/user.slice/user-1000.slice/session-1.scope
7:perf_event:/
6:cpuset:/
5:net_cls,net_prio:/
4:cpu,cpuacct:/user.slice
3:memory:/user.slice
2:freezer:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
0::/user.slice/user-1000.slice/session-1.scope

grep cgfs /etc/pam.d/*
/etc/pam.d/common-session:session	optional	pam_cgfs.so -c all
/etc/pam.d/common-session-pc:session	optional	pam_cgfs.so -c all
/etc/pam.d/su:session	optional	pam_cgfs.so -c all

(skies) #8

That won’t be an issue, as long as I can use veth and a bridge for public IPs (I think).


(Jihyun Yoon) #9

Are you using systemd?
PAM doesn’t seem to be enabled.

“/etc/pam.d/common-session:session optional pam_cgfs.so -c all” is supposed to make the cgroup handler work for a user account like the following.

journalctl | grep PAM
...systemd 230 running in system mode. (+PAM ...
...
root@arm:~# su - lxc-u0
lxc-u0@arm:~$ cat /proc/self/cgroup
9:freezer:/user/lxc-u0/0
8:devices:/user/lxc-u0/0
7:cpu,cpuacct:/user/lxc-u0/0
6:memory:/user/lxc-u0/0
5:blkio:/user/lxc-u0/0
4:pids:/user/lxc-u0/0
3:cpuset:/user/lxc-u0/0
2:perf_event:/user/lxc-u0/0
1:name=systemd:/user/lxc-u0/0
lxc-u0@arm:~$

If PAM works well, you can see the following with “strace su - lxcuser”.

# strace  su - lxc-u0
...
open("/lib/libpam.so.0", O_RDONLY|O_CLOEXEC) = 3
...
open("/etc/pam.d/common-session", O_RDONLY|O_LARGEFILE) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=36, ...}) = 0
read(4, "session optional pam_cgfs.so -c "..., 4096) = 36
open("/lib/security/pam_cgfs.so", O_RDONLY|O_CLOEXEC) = 5
...
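
The two checks this thread converges on, written up as an added example (not code from the LXC project or from any poster): it verifies that each id-map line in the container config fits inside the user's /etc/subuid and /etc/subgid allocation, which is exactly what newuidmap enforces when it prints "uid range [...] not allowed", and it reads a /proc/self/cgroup listing to see whether the session was placed into a per-user cgroup as pam_cgfs does. It assumes the user/<name>/<n> path component shown above is how those cgroups are named; all file contents are constructed from what the thread shows.

```python
"""Offline checks for the two problems this thread works through:
newuidmap rejects an lxc.id_map whose host-side range is not inside one of
the invoking user's /etc/subuid (or /etc/subgid) allocations, and LXC needs
the login session to sit in a per-user cgroup (what pam_cgfs provides),
at least for the freezer hierarchy. All sample inputs are constructed.
"""
import re

# Constructed: /etc/subuid and /etc/subgid as posted, plus an unrelated user.
SUBUID = "lxcuser:1258512:65536\nroot:100000:65536\n"
SUBGID = "lxcuser:1258512:65536\nroot:100000:65536\n"

# Constructed: ~/.config/lxc/default.conf as posted.
DEFAULT_CONF = """\
lxc.id_map = u 0 1258512 65536
lxc.id_map = g 0 1258512 65536
lxc.network.type = macvlan
"""

# Constructed: /proc/self/cgroup without pam_cgfs (excerpt of skies' output),
# with pam_cgfs as shown by Jihyun Yoon, and the nested systemd layout seen
# in the chown_cgroup_wrapper path of the final log.
CGROUP_NO_PAM = """\
12:devices:/user.slice
2:freezer:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
0::/user.slice/user-1000.slice/session-1.scope
"""
CGROUP_PAM = """\
9:freezer:/user/lxc-u0/0
8:devices:/user/lxc-u0/0
1:name=systemd:/user/lxc-u0/0
"""
CGROUP_PAM_NESTED = """\
2:freezer:/user.slice/user-1000.slice/session-1.scope/user/lxcuser/0
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
"""

# Matches both the old "lxc.id_map" and the newer "lxc.idmap" key.
ID_MAP_RE = re.compile(r"^\s*lxc\.id_?map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_subid(text):
    """Parse subuid/subgid text into {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def parse_id_maps(conf):
    """Return [(kind, nsid, hostid, count)] for every id-map line in a config."""
    maps = []
    for line in conf.splitlines():
        m = ID_MAP_RE.match(line)
        if m:
            kind, nsid, hostid, count = m.groups()
            maps.append((kind, int(nsid), int(hostid), int(count)))
    return maps


def mapping_allowed(hostid, count, allowed):
    """newuidmap semantics: [hostid, hostid+count) must fit inside ONE allocation."""
    return any(start <= hostid and hostid + count <= start + size
               for start, size in allowed)


def check_id_maps(user, conf, subuid_text, subgid_text):
    """Return newuidmap-style complaints; an empty list means every map is allowed."""
    uid_ranges = parse_subid(subuid_text).get(user, [])
    gid_ranges = parse_subid(subgid_text).get(user, [])
    problems = []
    for kind, nsid, hostid, count in parse_id_maps(conf):
        allowed = uid_ranges if kind == "u" else gid_ranges
        if not mapping_allowed(hostid, count, allowed):
            problems.append("%sid range [%d-%d) -> [%d-%d) not allowed for %s"
                            % (kind, nsid, nsid + count, hostid, hostid + count, user))
    return problems


def missing_user_cgroups(proc_cgroup, user, required=("freezer",)):
    """Required controllers whose path has no user/<user>/<n> component (not placed)."""
    placed = set()
    pattern = re.compile(r"(^|/)user/%s/\d+(/|$)" % re.escape(user))
    for line in proc_cgroup.splitlines():
        if not line.strip():
            continue
        _hier, controllers, path = line.split(":", 2)  # e.g. "4:cpu,cpuacct:/path"
        if pattern.search(path):
            placed.update(controllers.split(","))
    return [c for c in required if c not in placed]
```

Running check_id_maps with the name of the account that actually invokes lxc-start, rather than the one that owns the /etc/subuid line, reproduces the mismatch Stéphane asks about in #2.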

(skies) #10

Hi, is it possible that

is not available on my system? I am running openSUSE 15.0, systemd yes.
I did strace and could not find it; maybe openSUSE handles PAM differently?

systemd 234 running in system mode.


(Jihyun Yoon) #11

It doesn’t matter how PAM is used.
But I think the part below is important.
Through “/etc/pam.d/*”, pam_cgfs.so should work.

# strace  su - lxc-user
...
open("/etc/pam.d/common-session", O_RDONLY|O_LARGEFILE) = 4
...
read(4, "session optional pam_cgfs.so -c "..., 4096) = 36   //<=======================
open("/lib/security/pam_cgfs.so", O_RDONLY|O_CLOEXEC) = 5   //<=======================
...

Looking at https://brauner.github.io/2018/02/28/lxc-includes-cgroup-pam-module.html, you can see why pam_cgfs.so is necessary for an unprivileged Linux container.

In essence, the pam_cgfs.so pam module takes care of placing unprivileged users into writable cgroups at login.


(skies) #12

Yeah, I do not see that part. I think my system is missing the file pam_cgfs.so; I tried to search for it and could not find it.
May I ask what your OS/distro is?


(Jihyun Yoon) #13

My test is based on an embedded system.

If you use the stable 3.0 branch (https://github.com/lxc/lxc/tree/stable-3.0), pam_cgfs.so could be added at build time after configuring with “--enable-pam”.

According to “https://brauner.github.io/2018/02/28/lxc-includes-cgroup-pam-module.html”, if your lxc version is lower than that, you could use https://github.com/lxc/lxcfs in order to use pam_cgfs.so.

Additionally, “https://opensuse.pkgs.org/15.0/opensuse-oss/pam_cgfs-2.0.8-lp150.1.9.x86_64.rpm.html” shows pam_cgfs.so is available on openSUSE Leap 15.0:

Install Howto

Install the pam_cgfs rpm package:

    # zypper install pam_cgfs

Files

    /lib64/security/pam_cgfs.so


(skies) #14

Perfect, I have the package loaded now; here is the current error.

lxc-start --name ubuntu --logfile $HOME/lxc_ubuntu.log --logpriority DEBUG
lxc-start: lxccontainer.c: wait_on_daemonized_start: 754 Received container state "ABORTING" instead of "RUNNING"
lxc-start: tools/lxc_start.c: main: 368 The container failed to start.
lxc-start: tools/lxc_start.c: main: 370 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 372 Additional information can be obtained by setting the --logfile and --logpriority options.

cat lxc_ubuntu.log 
      lxc-start 20190104124145.834 INFO     lxc_start_ui - tools/lxc_start.c:main:277 - using rcfile /home/lxcuser/.local/share/lxc/ubuntu/config
      lxc-start 20190104124145.834 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124145.835 WARN     lxc_confile - confile.c:set_config_pivotdir:2262 - lxc.pivotdir is ignored.  It will soon become an error.
      lxc-start 20190104124145.835 INFO     lxc_confile - confile.c:set_config_idmaps:1861 - read uid map: type u nsid 0 hostid 1258512 range 65536
      lxc-start 20190104124145.835 INFO     lxc_confile - confile.c:set_config_idmaps:1861 - read uid map: type g nsid 0 hostid 1258512 range 65536
      lxc-start 20190104124145.835 INFO     lxc_container - lxccontainer.c:do_lxcapi_start:877 - Attempting to set proc title to [lxc monitor] /home/lxcuser/.local/share/lxc ubuntu
      lxc-start 20190104124145.836 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for reject_force_umount action 0(kill).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for reject_force_umount action 0(kill).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .[all].
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .kexec_load errno 1.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for kexec_load action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for kexec_load action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .open_by_handle_at errno 1.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for open_by_handle_at action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for open_by_handle_at action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .init_module errno 1.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for init_module action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for init_module action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .finit_module errno 1.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for finit_module action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for finit_module action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .delete_module errno 1.
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for delete_module action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for delete_module action 327681(errno).
      lxc-start 20190104124145.836 INFO     lxc_seccomp - seccomp.c:parse_config_v2:624 - Merging in the compat Seccomp ctx into the main one.
      lxc-start 20190104124145.836 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124145.836 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20190104124145.836 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124145.836 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20190104124145.836 DEBUG    lxc_start - start.c:setup_signal_fd:288 - Set SIGCHLD handler with file descriptor: 7.
      lxc-start 20190104124145.836 DEBUG    console - console.c:lxc_console_peer_default:450 - process does not have a controlling terminal
      lxc-start 20190104124145.836 DEBUG    lxc_conf - conf.c:chown_mapped_root:2830 - trying to chown "/dev/pts/2" to 100
      lxc-start 20190104124145.843 INFO     lxc_start - start.c:lxc_init:677 - container "ubuntu" is initialized
      lxc-start 20190104124145.844 DEBUG    lxc_start - start.c:__lxc_start:1501 - Not dropping CAP_SYS_BOOT or watching utmp.
      lxc-start 20190104124145.844 INFO     lxc_cgroup - cgroups/cgroup.c:cgroup_init:67 - cgroup driver cgroupfs-ng initing for ubuntu
      lxc-start 20190104124145.844 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:filter_and_set_cpus:456 - No isolated cpus detected.
      lxc-start 20190104124145.844 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:handle_cpuset_hierarchy:627 - "cgroup.clone_children" was already set to "1".
      lxc-start 20190104124145.844 INFO     lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWUSER.
      lxc-start 20190104124145.844 INFO     lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWNS.
      lxc-start 20190104124145.844 INFO     lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWPID.
      lxc-start 20190104124145.844 INFO     lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWUTS.
      lxc-start 20190104124145.844 INFO     lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWIPC.
      lxc-start 20190104124145.845 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.845 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.845 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.849 INFO     lxc_start - start.c:do_start:914 - Unshared CLONE_NEWNET.
      lxc-start 20190104124145.850 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.850 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.850 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.855 WARN     lxc_cgfsng - cgroups/cgfsng.c:chown_cgroup_wrapper:1465 - Error chmoding /sys/fs/cgroup/unified/user.slice/user-1000.slice/session-1.scope/user/lxcuser/0/lxc/ubuntu: No such file or directory
      lxc-start 20190104124145.856 INFO     lxc_network - network.c:lxc_create_network_unpriv_exec:2081 - Execing lxc-user-nic create /home/lxcuser/.local/share/lxc ubuntu 8102 veth br0 (null)
      lxc-start 20190104124145.857 ERROR    lxc_network - network.c:lxc_create_network_unpriv_exec:2109 - lxc-user-nic failed to configure requested network: lxc_user_nic.c: 804: create_db_dir: Failed to create /run/lxc: Permission denied
      lxc-start 20190104124145.857 ERROR    lxc_start - start.c:lxc_spawn:1385 - Failed to create the configured network.
      lxc-start 20190104124145.857 DEBUG    lxc_network - network.c:lxc_delete_network:3096 - Deleted network devices
      lxc-start 20190104124145.858 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124145.858 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20190104124145.858 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124145.858 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20190104124145.858 ERROR    lxc_container - lxccontainer.c:wait_on_daemonized_start:754 - Received container state "ABORTING" instead of "RUNNING"
      lxc-start 20190104124145.858 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - The container failed to start.
      lxc-start 20190104124145.858 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - To get more details, run the container in foreground mode.
      lxc-start 20190104124145.858 ERROR    lxc_start_ui - tools/lxc_start.c:main:372 - Additional information can be obtained by setting the --logfile and --logpriority options.
      lxc-start 20190104124145.858 ERROR    lxc_start - start.c:__lxc_start:1530 - Failed to spawn container "ubuntu".
      lxc-start 20190104124145.858 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124145.858 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20190104124145.858 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124145.858 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20190104124145.885 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.885 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.885 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.902 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.902 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.902 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.921 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.921 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.921 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.941 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.941 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.941 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.954 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.954 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.954 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.963 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.963 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.963 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.970 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.970 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.970 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.975 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.975 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.975 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.980 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.980 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.980 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.984 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.984 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.984 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.988 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.988 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.988 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.993 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.993 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.993 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124145.996 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start 20190104124145.996 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start 20190104124145.996 DEBUG    lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
      lxc-start 20190104124146.100 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124146.101 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20190104124146.102 INFO     lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 20190104124146.103 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20190104124146.104 INFO     lxc_conf - conf.c:run_script_argv:398 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "ubuntu", config section "lxc".

(Jihyun Yoon) #15

It seems to be a network configuration problem.

  lxc-start 20190104124145.857 ERROR    lxc_network - network.c:lxc_create_network_unpriv_exec:2109 - lxc-user-nic failed to configure requested network: lxc_user_nic.c: 804: create_db_dir: Failed to create /run/lxc: Permission denied
  lxc-start 20190104124145.857 ERROR    lxc_start - start.c:lxc_spawn:1385 - Failed to create the configured network.

Read the following documents.

If you had already configured /etc/lxc/lxc-usernet and the problem still happened, you could run “chown :lxc-user /run/lxc”.


(Stéphane Graber) #16

Sounds like lxc-user-nic isn’t setuid?


(Jihyun Yoon) #17

On my system, lxc-user-nic is setuid, as shown below.

  root@arm:~# ls -al /usr/libexec/lxc/lxc-*
  -rwxr-xr-x    1 root     root           521 Jan  4 01:24 /usr/libexec/lxc/lxc-apparmor-load
  -rwxr-xr-x    1 root     root          3090 Jan  4 01:24 /usr/libexec/lxc/lxc-containers
  -rwxr-xr-x    1 root     root         73612 Jan  4 01:24 /usr/libexec/lxc/lxc-monitord
  -rwxr-xr-x    1 root     root          6532 Jan  4 01:24 /usr/libexec/lxc/lxc-net
  -rwsr-xr-x    1 root     root         92476 Jan  4 01:24 /usr/libexec/lxc/lxc-user-nic
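The thread touches three separate prerequisites for an unprivileged container: the setuid bit on newuidmap/newgidmap that lxc-start logs above, the setuid bit on lxc-user-nic that #16 and #17 discuss, and the lxc-usernet entry plus /run/lxc permissions that #15 points at. Below is a preflight script that checks all of them on a host, as an added example written for this page, not code from the thread or from the LXC project. Each check takes its input file as an argument so the same functions work against constructed files; the lxc-user-nic path (/usr/libexec/lxc/lxc-user-nic, as in #17), the default bridge name lxcbr0 and the ~/.config/lxc/default.conf location are assumptions, and the idmap containment check is this script's own rendering of the test newuidmap performs against /etc/subuid before it writes a mapping.

```sh
#!/bin/sh
# Added example, not from the thread: preflight checks for running unprivileged LXC
# containers. Every check takes its inputs as arguments so it can be pointed at the
# live files (/etc/subuid, /etc/lxc/lxc-usernet, ~/.config/lxc/default.conf) or at
# constructed copies. The lxc-user-nic path and the lxcbr0 default are assumptions.

# 0 if FILE has the setuid bit (what lxc-start logs for newuidmap/newgidmap and
# what #16/#17 ask about for lxc-user-nic). Ownership is checked separately.
is_setuid() {
    [ -u "$1" ]
}

# Print "start count" for USER's first entry in a subuid/subgid-style file
# (lines are user:start:count); return 1 when USER has no entry there.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1; exit } END { exit !found }' "$2"
}

# 0 if the host range [HSTART, HSTART+COUNT) requested by an lxc.idmap line lies
# entirely inside USER's entry in FILE. This is the containment test that newuidmap
# applies against /etc/subuid; a range outside the entry is refused as "not allowed".
idmap_allowed() {
    hstart=$1; count=$2; user=$3; file=$4
    range=$(subid_range "$user" "$file") || return 1
    sub_start=${range% *}; sub_count=${range#* }
    [ "$hstart" -ge "$sub_start" ] &&
        [ $((hstart + count)) -le $((sub_start + sub_count)) ]
}

# Print how many NICs of TYPE on BRIDGE USER may create according to an
# lxc-usernet file (lines: "user type bridge count"); 0 when no line matches.
usernet_quota() {
    awk -v u="$1" -v t="$2" -v b="$3" \
        '$1 !~ /^#/ && $1 == u && $2 == t && $3 == b { q = $4 } END { print q + 0 }' "$4"
}

report() { printf '%-4s %s\n' "$1" "$2"; }

# Run all checks against the live host for USER (default: the invoking user).
# Returns 1 if any check failed.
preflight() {
    user=${1:-$(id -un)}; conf=$HOME/.config/lxc/default.conf; rc=0

    # 1. setuid-root helpers (lxc-user-nic path is distribution specific; assumed here)
    nic=${LXC_USER_NIC:-/usr/libexec/lxc/lxc-user-nic}
    nic_suid=0
    for bin in $(command -v newuidmap newgidmap) "$nic"; do
        if is_setuid "$bin" && [ "$(stat -c %U "$bin" 2>/dev/null)" = root ]; then
            report ok "$bin is setuid root"
            [ "$bin" = "$nic" ] && nic_suid=1
        else
            report FAIL "$bin is missing or not setuid root"; rc=1
        fi
    done

    # 2. every lxc.idmap line in the user's default.conf must fit /etc/subuid or /etc/subgid
    for kind in u g; do
        file=/etc/subuid; [ "$kind" = g ] && file=/etc/subgid
        while read -r _kind cstart hstart count; do
            [ -n "$count" ] || continue
            if idmap_allowed "$hstart" "$count" "$user" "$file"; then
                report ok "$kind $cstart $hstart $count is covered by $file"
            else
                report FAIL "$kind $cstart $hstart $count is not covered by $file for $user"; rc=1
            fi
        done <<EOF
$(sed -n "s/^lxc\.idmap[[:space:]]*=[[:space:]]*\($kind[[:space:]].*\)/\1/p" "$conf" 2>/dev/null)
EOF
    done

    # 3. network: an lxc-usernet quota for the bridge, and a usable /run/lxc
    bridge=$(sed -n 's/^lxc\.net\.0\.link[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null | head -n 1)
    bridge=${bridge:-lxcbr0}   # assumed default when the config names no bridge
    quota=$(usernet_quota "$user" veth "$bridge" /etc/lxc/lxc-usernet 2>/dev/null)
    if [ "${quota:-0}" -gt 0 ]; then
        report ok "$user may create $quota veth on $bridge (/etc/lxc/lxc-usernet)"
    else
        report FAIL "no lxc-usernet entry for '$user veth $bridge'"; rc=1
    fi
    # lxc-user-nic keeps its database under /run/lxc; as setuid root it can create
    # that itself, otherwise the directory must already be writable by the user.
    if [ "$nic_suid" = 1 ] || { [ -d /run/lxc ] && [ -w /run/lxc ]; }; then
        report ok "/run/lxc can be created or written for $user"
    else
        report FAIL "/run/lxc not writable by $user and $nic is not setuid root"; rc=1
    fi
    return $rc
}

# Usage: sh lxc-preflight.sh --run [user]
if [ "${1:-}" = --run ]; then
    preflight "$2"
fi
```

Run it as the user who will start the container (`sh lxc-preflight.sh --run`), not as root: the `-w /run/lxc` test and `id -un` are only meaningful from that account, and a root shell would report every directory as writable.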