Priviliged container behaves like unprivileged one

I have LXD 3.0.0 running on Arch Linux. I use ZFS as storage backend. I’ve created an privileged container but I get some errors that look like the container is unprivileged in fact.

Signs, that the container is a privileged one:

  • config:
    architecture: x86_64
    boot.autostart: "1"
    security.privileged: "true"
    volatile.eth10.hwaddr: 00:16:3e:71:8a:5f
    volatile.idmap.base: “0”
  • owner of /proc etc
    drwxr-xr-x 2 1000000 1000000 2 Jan 5 19:17 opt
    dr-xr-xr-x 240 root root 0 Apr 29 20:47 proc
    drwxr-x— 4 1000000 1000000 5 Apr 30 07:41 root
    drwxr-xr-x 10 root root 300 Apr 29 20:47 run
    lrwxrwxrwx 1 1000000 1000000 7 Apr 29 12:02 sbin -> usr/bin

Nevertheless some service fail on bootup, e.g. tmp.mount:
mount: only root can use “–options” option (effective UID is 1000000)

I use a some similar setup on an other server and it just works (main differences: storage is btrfs, conainer were created before LXD 3.0.0)

Any ideas?

Thank you very much!

Looks like that container got partially shifted or something… that’s not particularly good.
Does creating a new container cause the same problem?

Hi @stgraber

thanks for the quick reply! I create my containers doing some steps with ansible (commands not module) and somehow didn’t get the idea to test manually :frowning_face:

I did now a simple call to “lxc init” and it worked afterwards. I’ll check my other steps and came back if there is some unexpected behaviour (from my point of view) :slight_smile:


Quick question: is it ok to set “security.privileged” to “true” after the container was started once while it was not set?

It seemed to work but I want to be sure that there are no side effects.

Yep, it’s fine to set it, the filesystem gets remapped on the next container start. So it’s usually best to do that early and then restart the container as adding more stuff to the container before the restart will just make it slower.

You can also do it at create time with lxc init ubuntu:16.04 blah -c security.privileged=true which then saves you even more time.

Thanks for clarification.

Unfortunately I was not able to reproduce my issue anymore so I did not find any root cause. However setting security.privileged at the beginning is good idea, thank you!