Hello,
I am using Debian 9 and two lxc privileged containers did a good job for me for years.
Now I want to change that to unprivileged containers.
I read and followed the instructions of
https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
I also managed to get id mapping to my host user for easy data exchange.
See my lxc config of that host:
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# Template script checksum (SHA-1): 740c51206e35463362b735e68b867876048a8baf
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Subuids and subgids mapping
# "Secure" mounting
# Unsecure mounting
# Network configuration
# Distribution configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
lxc.arch = linux64
# Container specific configuration
# "Secure" id mapping
# lxc.id_map = u 0 100000 65536
# lxc.id_map = g 0 100000 65536
# "Unsecure" id mapping - but comfortable
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.mount.entry = /mnt mnt none bind 0 0
lxc.mount.entry = /home/username_here/sandbox home/dings/share none bind 0 0
lxc.rootfs = /home/username_here/.local/share/lxc/dings/rootfs
lxc.rootfs.backend = dir
lxc.utsname = dings
# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:39:81:87
I couldn’t manage to get another container running the same way, well, until I changed /etc/lxc/lxc-usernet:
# <user> <link_type> <bridge> <#_of_links>
@lxcusers veth lxcbr0 10
and added username_here to that group.
Now both run, but the second is buggy. In the end, it has almost the same config:
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# Template script checksum (SHA-1): 740c51206e35463362b735e68b867876048a8baf
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Subuids and subgids mapping
# "Secure" id mapping
# "Unsecure" id mapping - but comfortable
# "Secure" mounting
# Unsecure mounting
# Network configuration
# Distribution configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
lxc.arch = linux64
# Container specific configuration
#lxc.id_map = u 0 100000 65536
#lxc.id_map = g 0 100000 65536
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.mount.entry = /mnt mnt none bind 0 0
#lxc.mount.entry = /home/username_here/sandbox home/dings/share none bind 0 0
lxc.rootfs = /home/username_here/.local/share/lxc/tix/rootfs
lxc.rootfs.backend = dir
lxc.utsname = tix
# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:1b:2b:47
The second container, tix, has issues, e.g.:
Failed to install release agent, ignoring: No such file or directory
Cannot add dependency job for unit display-manager.service, ignoring: Unit display-manager.service failed to load: No such file or directory.
Failed to reset devices.list on /system.slice/dev-hugepages.mount: No such file or directory
Failed to reset devices.list on /system.slice/dev-mqueue.mount: No such file or directory
Failed to reset devices.list on /system.slice/systemd-journald.service: No such file or directory
[FAILED] Failed to mount Huge Pages File System.
[FAILED] Failed to start Login Service.
[FAILED] Failed to start Network Service.
I think that my container installation is wrong and that is causing trouble.
I really tried to google how to manage multiple unprivileged containers but no luck.
Do you know?
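Added example (not from the original post): a small Python checker for lxc.id_map lines like the ones in the two configs above. It verifies that the container-side ranges do not overlap, that every host-side range is covered by the user's /etc/subuid allocation, and it lists the host ids that two containers' maps have in common. The /etc/subuid content is constructed for this example and assumes an explicit entry for the user's own uid 1000 alongside the usual 65536-id block.

```python
import re
# Constructed from the id_map lines in the post (both containers use this map).
ID_MAP_CONFIG = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""
# Constructed /etc/subuid (assumption): a 65536-id block plus an explicit entry
# for the user's own uid, so the "u 1000 1000 1" line is covered too.
SUBUID = "username_here:100000:65536\nusername_here:1000:1\n"

ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_map(config_text):
    """Collect lxc.id_map lines as {'u': [(cid, hid, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in config_text.splitlines():
        m = ID_MAP_RE.match(line)
        if m:
            maps[m.group(1)].append(tuple(int(x) for x in m.groups()[1:]))
    return maps

def parse_subid(subid_text, user):
    """Return the (start, count) blocks allotted to `user` (/etc/subuid format)."""
    rows = (line.strip().split(":") for line in subid_text.splitlines() if line.strip())
    return [(int(s), int(c)) for name, s, c in rows if name == user]

def check_map(entries, blocks):
    """Report container-id overlaps and host ids outside the allotted blocks."""
    problems, prev_end = [], -1
    for cid, hid, count in sorted(entries):
        if cid < prev_end:
            problems.append(f"container ids from {cid} overlap an earlier range")
        prev_end = cid + count
        if not any(s <= hid and hid + count <= s + c for s, c in blocks):
            problems.append(f"host ids {hid}-{hid + count - 1} not in sub-id allocation")
    return problems

def shared_host_ids(entries_a, entries_b):
    """Host-id ranges in both maps: processes of the two containers then run as the same host ids."""
    shared = []
    for _, ha, ca in entries_a:
        for _, hb, cb in entries_b:
            lo, hi = max(ha, hb), min(ha + ca, hb + cb)
            if lo < hi:
                shared.append((lo, hi - 1))
    return shared
```

Running check_map over the dings and tix maps with the constructed allocation reports no problems, while shared_host_ids shows that the two containers use identical host-side ranges, so the kernel does not separate them from each other by uid/gid.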