LXC unprivileged container: No uid mapping for container root


(Alexander) #1

Dear all,

I try to get unprivileged containers running on OpenWRT. I have privileged LXC containers up and running. I did not find any documentation on how to get unprivileged LXC containers working from scratch. Can you give me some pointers/hints?

This is what I have so far:

Created unprivileged user
Added kernel.unprivileged_userns_clone=1 to sysctl
Created /etc/subgid and /etc/subuid with root:100000:65536
Added to /etc/lxc/lxc.conf

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

However, I get the following error message when I try to create a container with lxc-create -n test -t download as unprivileged user.

alex@OpenWrt:~$ lxc-create -n test -t download
lxc-create: test: conf.c: chown_mapped_root: 2853 No uid mapping for container root
lxc-create: test: lxccontainer.c: do_storage_create: 1193 Error chowning /home/alex/.local/share/lxc/test/rootfs to container root
lxc-create: test: conf.c: suggest_default_idmap: 4148 You do not have subuids or subgids allocated
lxc-create: test: conf.c: suggest_default_idmap: 4149 Unprivileged containers require subuids and subgids
lxc-create: test: lxccontainer.c: do_lxcapi_create: 1695 Error creating backing store type (none) for test
lxc-create: test: tools/lxc_create.c: main: 329 Error creating container test

Here is the output from LXC-checkconfig:

alex@OpenWrt:~$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup
Cgroup v2 mount points:
Cgroup v1 systemd controller: /usr/bin/lxc-checkconfig: line 169: printf \033[1;31m: not found
Cgroup v1 freezer controller: /usr/bin/lxc-checkconfig: line 176: printf \033[1;31m: not found
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, loaded
FUSE (for use with lxcfs): enabled, loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: missing
CONFIG_PACKET_DIAG: missing
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled

Any idea?

Thank you,
Alex
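As an added illustration (not part of Alex's post and not LXC's own code), here is a small POSIX sh checker that parses lxc.idmap lines together with subuid/subgid-style tables and reports whether the invoking user's allocation covers each mapping. lxc-create consults the /etc/subuid and /etc/subgid entries of the user it runs as, not root's, and the host-side range in every lxc.idmap line has to lie inside that user's allocation; for unprivileged containers the default container config, including lxc.idmap, is read from the user's ~/.config/lxc/default.conf. The data below is constructed: SAMPLE_* mirrors the post (only root allocated, lxc-create run as alex), FIXED_* is a hypothetical corrected state with a distinct range for alex.

```shell
#!/bin/sh
# Constructed sample data mirroring the post: /etc/subuid and /etc/subgid
# only allocate a range to root, while lxc-create is run as user "alex".
SAMPLE_SUBUID='root:100000:65536'
SAMPLE_SUBGID='root:100000:65536'
SAMPLE_IDMAP='lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536'

# Constructed "after" state (hypothetical): alex gets a distinct range and
# the idmap lines point at it, so the two allocations do not overlap.
FIXED_SUBID='root:100000:65536
alex:165536:65536'
FIXED_IDMAP='lxc.idmap = u 0 165536 65536
lxc.idmap = g 0 165536 65536'

# subid_covers USER TABLE START COUNT
# Returns 0 if TABLE ("name:start:count" lines, as in /etc/subuid) gives
# USER a range that fully contains [START, START+COUNT).
subid_covers() {
    want_user=$1 want_start=$3 want_count=$4
    want_end=$((want_start + want_count))
    found=1
    while IFS=: read -r sname sstart scount; do
        [ "$sname" = "$want_user" ] || continue
        # Skip malformed entries instead of feeding them to arithmetic.
        case $sstart in ''|*[!0-9]*) continue ;; esac
        case $scount in ''|*[!0-9]*) continue ;; esac
        if [ "$sstart" -le "$want_start" ] && [ $((sstart + scount)) -ge "$want_end" ]; then
            found=0
        fi
    done <<EOF
$2
EOF
    return $found
}

# check_idmap USER IDMAP_LINES SUBUID_TABLE SUBGID_TABLE
# Verifies every "lxc.idmap = u|g NSID HOSTID COUNT" line against the
# matching table for USER, prints one line per mapping and returns the
# number of mappings that are not covered (0 means all are covered).
check_idmap() {
    map_user=$1 subuid=$3 subgid=$4
    bad=0
    while read -r key eq kind nsid hostid c_count; do
        [ "$key" = "lxc.idmap" ] || continue
        case $kind in
            u) table=$subuid label=subuid ;;
            g) table=$subgid label=subgid ;;
            *) continue ;;
        esac
        host_last=$((hostid + c_count - 1))
        if subid_covers "$map_user" "$table" "$hostid" "$c_count"; then
            echo "ok:      $kind $nsid..$((nsid + c_count - 1)) -> host $hostid..$host_last (in $label for $map_user)"
        else
            echo "MISSING: $map_user has no $label range covering host $hostid..$host_last"
            bad=$((bad + 1))
        fi
    done <<EOF
$2
EOF
    return $bad
}

echo "== tables and idmap from the post, lxc-create run as alex =="
if check_idmap alex "$SAMPLE_IDMAP" "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"; then
    echo "all mappings covered"
else
    echo "uncovered mappings: expect 'You do not have subuids or subgids allocated'"
fi

echo "== corrected tables and idmap (hypothetical) =="
if check_idmap alex "$FIXED_IDMAP" "$FIXED_SUBID" "$FIXED_SUBID"; then
    echo "all mappings covered"
else
    echo "uncovered mappings remain"
fi
```

On a real host, pass `"$(cat /etc/subuid)"` and `"$(cat /etc/subgid)"` as the tables and the contents of the user's ~/.config/lxc/default.conf as the idmap lines; a MISSING line identifies exactly which table lacks an entry for the user running lxc-create.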