LXC unprivileged container: No uid mapping for container root

Dear all,

I am trying to get unprivileged containers running on OpenWRT. I have privileged LXC containers up and running, but I did not find any documentation on how to get unprivileged LXC containers working from scratch. Can you give me some pointers/hints?

This is what I have so far:

Created an unprivileged user
Added kernel.unprivileged_userns_clone=1 to sysctl
Created /etc/subgid and /etc/subuid with root:100000:65536
Added to /etc/lxc/lxc.conf

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

However, I get the following error message when I try to create a container with lxc-create -n test -t download as an unprivileged user:

alex@OpenWrt:~$ lxc-create -n test -t download
lxc-create: test: conf.c: chown_mapped_root: 2853 No uid mapping for container root
lxc-create: test: lxccontainer.c: do_storage_create: 1193 Error chowning /home/alex/.local/share/lxc/test/rootfs to container root
lxc-create: test: conf.c: suggest_default_idmap: 4148 You do not have subuids or subgids allocated
lxc-create: test: conf.c: suggest_default_idmap: 4149 Unprivileged containers require subuids and subgids
lxc-create: test: lxccontainer.c: do_lxcapi_create: 1695 Error creating backing store type (none) for test
lxc-create: test: tools/lxc_create.c: main: 329 Error creating container test

Here is the output from LXC-checkconfig:

alex@OpenWrt:~$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup
Cgroup v2 mount points:
Cgroup v1 systemd controller: /usr/bin/lxc-checkconfig: line 169: printf \033[1;31m: not found
Cgroup v1 freezer controller: /usr/bin/lxc-checkconfig: line 176: printf \033[1;31m: not found
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, loaded
FUSE (for use with lxcfs): enabled, loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: missing
CONFIG_PACKET_DIAG: missing
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled

Any idea?

Thank you,
Alex

I am still struggling with this. I have compiled OpenWrt 18.06.4 with support for unprivileged containers, but I am unable to get it to run. I get the following message when I try to create a container:

lxc-create -n test -t download
The configuration file contains legacy configuration keys.
Please update your configuration file!
lxc-create: test: conf.c: chown_mapped_root: 2951 lxc-usernsexec failed: WARN: could not reopen tty: No such file or directory
lxc-create: test: lxccontainer.c: do_create_container_dir: 1121 Failed to chown container dir
lxc-create: test: tools/lxc_create.c: main: 329 Error creating container test

Based on the solution from "Solved: Unable to start LXC container (Operation not permitted - failed to allocate a pty)", I tried the following:

sudo mount /dev/pts -o remount,gid=5,mode=620

However, I still get the same error message. Please help!

Here is my system configuration:

cat ~/.config/lxc/default.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.net.0.type = veth
lxc.net.0.link = br-lan
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:11:22:33:44:xx

lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup
Cgroup v2 mount points:
Cgroup v1 systemd controller: /usr/bin/lxc-checkconfig: line 169: printf \033[1;31m: not found
Cgroup v1 freezer controller: /usr/bin/lxc-checkconfig: line 176: printf \033[1;31m: not found
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, loaded
FUSE (for use with lxcfs): enabled, loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: missing
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled

 cat /proc/self/cgroup
1:cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,pids,rdma:/

cat /proc/1/mounts
/dev/root / ext4 rw,noatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,noatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,noatime 0 0
cgroup /sys/fs/cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,pids,rdma,clone_children 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0
/dev/sda1 /boot ext4 rw,noatime 0 0
/dev/sda1 /boot ext4 rw,noatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
debugfs /sys/kernel/debug debugfs rw,noatime 0 0
/dev/sda5 /mnt/container ext4 rw,noatime,nodiratime,discard 0 0
/dev/sda6 /mnt/storage ext4 rw,noatime,nodiratime,discard 0 0
/dev/sdb1 /mnt/data ext4 rw,noatime,nodiratime,stripe=8191,data=ordered 0 0

ls -al /usr/bin/newuidmap
-rwsr-xr-x    1 root     root         22723 Jun 27 12:18 /usr/bin/newuidmap

ls -al /usr/bin/newgidmap
-rwsr-xr-x    1 root     root         22723 Jun 27 12:18 /usr/bin/newgidmap

cat /etc/subuid
cat: can't open '/etc/subuid': No such file or directory

cat /etc/subgid
cat: can't open '/etc/subgid': No such file or directory

ls -al /dev
drwxr-xr-x    9 root     root          2960 Jul 27 04:54 .
drwxr-xr-x   21 root     root          4096 Jul 26 13:14 ..
crw-------    1 root     root       14,   4 Jul 27 04:54 audio
crw-------    1 root     root       14,  20 Jul 27 04:54 audio1
drwxr-xr-x    2 root     root            80 Jul 27 04:54 bsg
drwxr-xr-x    3 root     root            60 Jul 27 04:54 bus
crw-------    1 root     root        5,   1 Jul 27 04:54 console
drwxr-xr-x    6 root     root           140 Jul 27 04:54 cpu
crw-------    1 root     root       10,  60 Jul 27 04:54 cpu_dma_latency
crw-------    1 root     root       10,  56 Jul 27 04:54 crypto
crw-------    1 root     root       14,   3 Jul 27 04:54 dsp
crw-------    1 root     root       14,  19 Jul 27 04:54 dsp1
crw-rw-rw-    1 root     root        1,   7 Jul 27 04:54 full
crw-------    1 root     root       10, 229 Jul 27 04:54 fuse
crw-------    1 root     root      254,   0 Jul 27 04:54 gpiochip0
crw-------    1 root     root       10, 228 Jul 27 04:54 hpet
crw-------    1 root     root       10, 183 Jul 27 04:54 hwrng
drwxr-xr-x    2 root     root           140 Jul 27 04:54 input
crw-------    1 root     root        1,   2 Jul 27 04:54 kmem
crw-------    1 root     root        1,  11 Jul 27 04:54 kmsg
crw-------    1 root     root       10, 232 Jul 27 04:54 kvm
srw-rw-rw-    1 root     root             0 Jul 27 04:54 log
crw-------    1 root     root       10, 237 Jul 27 04:54 loop-control
brw-------    1 root     root        7,   0 Jul 27 04:54 loop0
brw-------    1 root     root        7,   1 Jul 27 04:54 loop1
brw-------    1 root     root        7,   2 Jul 27 04:54 loop2
brw-------    1 root     root        7,   3 Jul 27 04:54 loop3
brw-------    1 root     root        7,   4 Jul 27 04:54 loop4
brw-------    1 root     root        7,   5 Jul 27 04:54 loop5
brw-------    1 root     root        7,   6 Jul 27 04:54 loop6
brw-------    1 root     root        7,   7 Jul 27 04:54 loop7
drwxr-xr-x    2 root     root            60 Jul 27 04:54 mapper
crw-------    1 root     root        1,   1 Jul 27 04:54 mem
crw-------    1 root     root       10,  57 Jul 27 04:54 memory_bandwidth
crw-------    1 root     root       14,   0 Jul 27 04:54 mixer
crw-------    1 root     root       14,  16 Jul 27 04:54 mixer1
crw-------    1 root     root       10,  59 Jul 27 04:54 network_latency
crw-------    1 root     root       10,  58 Jul 27 04:54 network_throughput
crw-rw-rw-    1 root     root        1,   3 Jul 27 04:54 null
crw-------    1 root     root       10, 144 Jul 27 04:54 nvram
crw-------    1 root     root        1,   4 Jul 27 04:54 port
crw-------    1 root     root      108,   0 Jul 27 04:54 ppp
crw-rw-rw-    1 root     root        5,   2 Jul 27 06:30 ptmx
drwxr-xr-x    2 root     root             0 Jul 27 04:54 pts
crw-rw-rw-    1 root     root        1,   8 Jul 27 04:54 random
crw-------    1 root     root      251,   0 Jul 27 04:54 rtc0
brw-------    1 root     root        8,   0 Jul 27 04:54 sda
brw-------    1 root     root        8,   1 Jul 27 04:54 sda1
brw-------    1 root     root        8,   2 Jul 27 04:54 sda2
brw-------    1 root     root        8,   3 Jul 27 04:54 sda3
brw-------    1 root     root        8,   5 Jul 27 04:55 sda5
brw-------    1 root     root        8,   6 Jul 27 04:54 sda6
brw-------    1 root     root        8,  16 Jul 27 04:54 sdb
brw-------    1 root     root        8,  17 Jul 27 04:55 sdb1
lrwxrwxrwx    1 root     root             8 Jul 27 04:54 shm -> /tmp/shm
crw-------    1 root     root       10, 231 Jul 27 04:54 snapshot
drwxr-xr-x    2 root     root           240 Jul 27 04:54 snd
crw-rw-rw-    1 root     root        5,   0 Jul 27 06:30 tty
crw-------    1 root     root        4,   0 Jul 27 04:54 tty0
crw-------    1 root     root        4,   1 Jul 27 04:54 tty1
crw-------    1 root     root        4,  10 Jul 27 04:54 tty10
crw-------    1 root     root        4,  11 Jul 27 04:54 tty11
crw-------    1 root     root        4,  12 Jul 27 04:54 tty12
crw-------    1 root     root        4,  13 Jul 27 04:54 tty13
crw-------    1 root     root        4,  14 Jul 27 04:54 tty14
crw-------    1 root     root        4,  15 Jul 27 04:54 tty15
crw-------    1 root     root        4,  16 Jul 27 04:54 tty16
crw-------    1 root     root        4,  17 Jul 27 04:54 tty17
crw-------    1 root     root        4,  18 Jul 27 04:54 tty18
crw-------    1 root     root        4,  19 Jul 27 04:54 tty19
crw-------    1 root     root        4,   2 Jul 27 04:54 tty2
crw-------    1 root     root        4,  20 Jul 27 04:54 tty20
crw-------    1 root     root        4,  21 Jul 27 04:54 tty21
crw-------    1 root     root        4,  22 Jul 27 04:54 tty22
crw-------    1 root     root        4,  23 Jul 27 04:54 tty23
crw-------    1 root     root        4,  24 Jul 27 04:54 tty24
crw-------    1 root     root        4,  25 Jul 27 04:54 tty25
crw-------    1 root     root        4,  26 Jul 27 04:54 tty26
crw-------    1 root     root        4,  27 Jul 27 04:54 tty27
crw-------    1 root     root        4,  28 Jul 27 04:54 tty28
crw-------    1 root     root        4,  29 Jul 27 04:54 tty29
crw-------    1 root     root        4,   3 Jul 27 04:54 tty3
crw-------    1 root     root        4,  30 Jul 27 04:54 tty30
crw-------    1 root     root        4,  31 Jul 27 04:54 tty31
crw-------    1 root     root        4,  32 Jul 27 04:54 tty32
crw-------    1 root     root        4,  33 Jul 27 04:54 tty33
crw-------    1 root     root        4,  34 Jul 27 04:54 tty34
crw-------    1 root     root        4,  35 Jul 27 04:54 tty35
crw-------    1 root     root        4,  36 Jul 27 04:54 tty36
crw-------    1 root     root        4,  37 Jul 27 04:54 tty37
crw-------    1 root     root        4,  38 Jul 27 04:54 tty38
crw-------    1 root     root        4,  39 Jul 27 04:54 tty39
crw-------    1 root     root        4,   4 Jul 27 04:54 tty4
crw-------    1 root     root        4,  40 Jul 27 04:54 tty40
crw-------    1 root     root        4,  41 Jul 27 04:54 tty41
crw-------    1 root     root        4,  42 Jul 27 04:54 tty42
crw-------    1 root     root        4,  43 Jul 27 04:54 tty43
crw-------    1 root     root        4,  44 Jul 27 04:54 tty44
crw-------    1 root     root        4,  45 Jul 27 04:54 tty45
crw-------    1 root     root        4,  46 Jul 27 04:54 tty46
crw-------    1 root     root        4,  47 Jul 27 04:54 tty47
crw-------    1 root     root        4,  48 Jul 27 04:54 tty48
crw-------    1 root     root        4,  49 Jul 27 04:54 tty49
crw-------    1 root     root        4,   5 Jul 27 04:54 tty5
crw-------    1 root     root        4,  50 Jul 27 04:54 tty50
crw-------    1 root     root        4,  51 Jul 27 04:54 tty51
crw-------    1 root     root        4,  52 Jul 27 04:54 tty52
crw-------    1 root     root        4,  53 Jul 27 04:54 tty53
crw-------    1 root     root        4,  54 Jul 27 04:54 tty54
crw-------    1 root     root        4,  55 Jul 27 04:54 tty55
crw-------    1 root     root        4,  56 Jul 27 04:54 tty56
crw-------    1 root     root        4,  57 Jul 27 04:54 tty57
crw-------    1 root     root        4,  58 Jul 27 04:54 tty58
crw-------    1 root     root        4,  59 Jul 27 04:54 tty59
crw-------    1 root     root        4,   6 Jul 27 04:54 tty6
crw-------    1 root     root        4,  60 Jul 27 04:54 tty60
crw-------    1 root     root        4,  61 Jul 27 04:54 tty61
crw-------    1 root     root        4,  62 Jul 27 04:54 tty62
crw-------    1 root     root        4,  63 Jul 27 04:54 tty63
crw-------    1 root     root        4,   7 Jul 27 04:54 tty7
crw-------    1 root     root        4,   8 Jul 27 04:54 tty8
crw-------    1 root     root        4,   9 Jul 27 04:54 tty9
crw-------    1 root     root        4,  64 Jul 27 04:54 ttyS0
crw-------    1 root     root        4,  65 Jul 27 04:54 ttyS1
crw-------    1 root     root        4,  74 Jul 27 04:54 ttyS10
crw-------    1 root     root        4,  75 Jul 27 04:54 ttyS11
crw-------    1 root     root        4,  76 Jul 27 04:54 ttyS12
crw-------    1 root     root        4,  77 Jul 27 04:54 ttyS13
crw-------    1 root     root        4,  78 Jul 27 04:54 ttyS14
crw-------    1 root     root        4,  79 Jul 27 04:54 ttyS15
crw-------    1 root     root        4,  66 Jul 27 04:54 ttyS2
crw-------    1 root     root        4,  67 Jul 27 04:54 ttyS3
crw-------    1 root     root        4,  68 Jul 27 04:54 ttyS4
crw-------    1 root     root        4,  69 Jul 27 04:54 ttyS5
crw-------    1 root     root        4,  70 Jul 27 04:54 ttyS6
crw-------    1 root     root        4,  71 Jul 27 04:54 ttyS7
crw-------    1 root     root        4,  72 Jul 27 04:54 ttyS8
crw-------    1 root     root        4,  73 Jul 27 04:54 ttyS9
crw-rw-rw-    1 root     root        1,   9 Jul 27 04:54 urandom
crw-------    1 root     root        7,   0 Jul 27 04:54 vcs
crw-------    1 root     root        7,   1 Jul 27 04:54 vcs1
crw-------    1 root     root        7, 128 Jul 27 04:54 vcsa
crw-------    1 root     root        7, 129 Jul 27 04:54 vcsa1
crw-------    1 root     root       10,  63 Jul 27 04:54 vga_arbiter
crw-------    1 root     root       10,  62 Jul 27 04:54 vmci
crw-------    1 root     root       10,  61 Jul 27 04:54 vsock
crw-rw-rw-    1 root     root        1,   5 Jul 27 04:54 zero
brw-------    1 root     root      253,   0 Jul 27 04:54 zram0