Query on lxc-execute functionality

Can lxc-execute be run on the already created container?

uname -a is
Linux topas-dev 4.15.0-153-generic #160-Ubuntu SMP Thu Jul 29 06:54:29 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Configuration file used:
lxc.log.level = 1
lxc.log.file = applog.txt
lxc.idmap = u 0 231072 1002
lxc.idmap = g 0 231072 1003
lxc.idmap = u 1002 1002 1
lxc.idmap = g 1003 1003 1
lxc idmap = u 1004 232075 64533
lxc.idmap = g 1005 232076 64532
lxc.console.path = none

/var/lib/lxc/demo$ lxc-execute -n demo -l trace -f config -o /tmp/z.txt -- ls -lh /home
lxc-execute: demo: start.c: lxc_spawn: 1716 Operation not permitted - Failed to allocate new network namespace id
lxc-execute: demo: conf.c: lxc_setup: 3574 No such file or directory - Unable to open lxc.init.static
lxc-execute: demo: start.c: do_start: 1234 Failed to setup container "demo"
lxc-execute: demo: sync.c: __sync_wait: 59 An error occurred in another process (expected sequence number 5)
lxc-execute: demo: start.c: __lxc_start: 1910 Failed to spawn container "demo"
lxc-execute: demo: tools/lxc_execute.c: main: 240 Failed run an application inside container

Why is lxc-execute failing? With the same config file, the lxc-start command works without errors.

Any update on this would help.

I am not able to run lxc-execute for my unprivileged users.

Hey, I also had a similar error a few days back. Here’s what I tried:

  • Updated the lxc.idmap configuration
  • Executed the query after attaching to the container using lxc-attach

You can try it and see if it is of any help.

@brauner

Thank you for the input.
lxc-execute -n childapp2 -f config -l trace -o l.txt -- /var/lib/lxc/childapp2/media/lxc_app_binaries/app_a
lxc-execute: childapp2: cgroups/cgfsng.c: create_path_for_hierarchy: 1198 The cgroup "/sys/fs/cgroup/systemd//lxc/childapp2" already existed
lxc-execute: childapp2: cgroups/cgfsng.c: cgfsng_create: 1287 Failed to create cgroup "/sys/fs/cgroup/systemd//lxc/childapp2"
lxc-execute: childapp2: conf.c: lxc_map_ids: 2999 newuidmap failed to write mapping "newuidmap: uid range [0-1002) -> [231072-232074) not allowed": newuidmap 50 0 231072 1002 1002 1002 1
lxc-execute: childapp2: start.c: lxc_spawn: 1677 Failed to set up id mapping.
lxc-execute: childapp2: start.c: __lxc_start: 1910 Failed to spawn container "childapp2"
lxc-execute: childapp2: conf.c: lxc_map_ids: 2999 newuidmap failed to write mapping "newuidmap: uid range [0-1002) -> [231072-232074) not allowed": newuidmap 53 0 231072 1002 1003 0 1
lxc-execute: childapp2: conf.c: userns_exec_1: 4358 Error setting up {g,u}id mappings for child process "53"
lxc-execute: childapp2: tools/lxc_execute.c: main: 240 Failed run an application inside container

Above is the error I get by attaching to the container and executing the command.

But it should not be like that, right? Because the same idmap works for lxc-start and lxc-attach, so the same should work for lxc-execute.

And also lxc-execute --help says

"lxc-execute --help
Usage: lxc-execute --name=NAME -- COMMAND

lxc-execute creates a container with the identifier NAME
and execs COMMAND into this container"

Is this command meant to work with an already created container or to create a new one?

To answer your question:
Yes, it works by creating a new container using lxc-init in the process. From your error logs, I can see that multiple idmap entries might be causing those errors. You can read more about the command here: Linux Containers - LXC - Manpages - lxc-execute.1

Did you try with a simple idmap config with 2 entries, i.e. the output from sudo grep YOUR_USERNAME /etc/sub{uid,gid}?

Yes, tried. But I'm still getting the same error.
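
The comparison suggested above, between the lxc.idmap entries and the user's /etc/subuid delegation, written out as an added example that is not part of the original thread or of LXC. It models the range check behind the "not allowed" message: each host range must lie inside one of the caller's delegated ranges, or map the caller's own id with a count of 1. The user name `demo`, uid 1002 and both subuid samples are constructed assumptions; the idmap lines are copied from the posted config, and the line keyed `lxc idmap` is reported as unparsed because it does not match the `lxc.idmap` key.

```python
import re

IDMAP_RE = re.compile(r"^lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)$")

# lxc.idmap lines copied from the config posted in the thread.
CONFIG = """\
lxc.idmap = u 0 231072 1002
lxc.idmap = g 0 231072 1003
lxc.idmap = u 1002 1002 1
lxc.idmap = g 1003 1003 1
lxc idmap = u 1004 232075 64533
lxc.idmap = g 1005 232076 64532
"""
# Constructed /etc/subuid contents (assumption: user "demo", uid 1002).
SUBUID_MATCHING = "demo:231072:65536\n"
SUBUID_OTHER = "demo:100000:65536\n"

def parse_idmaps(config_text):
    """Return (mappings, malformed); a mapping is (kind, container_id, host_id, count)."""
    mappings, malformed = [], []
    for line in (l.strip() for l in config_text.splitlines()):
        m = IDMAP_RE.match(line)
        if m:
            mappings.append((m.group(1),) + tuple(int(g) for g in m.groups()[1:]))
        elif "idmap" in line and not line.startswith("#"):
            malformed.append(line)  # resembles an idmap entry but does not parse
    return mappings, malformed

def parse_subid(text, user):
    """Ranges [(start, count)] delegated to `user` in subuid/subgid-format text."""
    rows = (l.strip().split(":") for l in text.splitlines())
    return [(int(r[1]), int(r[2])) for r in rows if len(r) == 3 and r[0] == user]

def rejected(mappings, kind, own_id, delegated):
    """Mappings of `kind` outside every delegated range and not the caller's own id."""
    bad = []
    for m in mappings:
        k, _cid, host, count = m
        if k != kind or (count == 1 and host == own_id):
            continue  # other id type, or the caller mapping its own id
        if not any(s <= host and host + count <= s + c for s, c in delegated):
            bad.append(m)
    return bad

if __name__ == "__main__":
    maps, malformed = parse_idmaps(CONFIG)
    print("unparsed idmap-like lines:", malformed)
    for name, text in (("matching", SUBUID_MATCHING), ("other", SUBUID_OTHER)):
        print(name, rejected(maps, "u", 1002, parse_subid(text, "demo")))
```

Run it against the real /etc/subuid and /etc/subgid contents of the user who invokes lxc-execute, with that user's own uid and gid, to see which entries fall outside the delegation.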