Running unprivileged Buster container on Buster host


(aluis) #1

Hello guys,

I tried for the last several days to run an unprivileged Buster container on a Buster host. I'm at my wit's end.

I set up a brand new Buster host. A privileged Buster container with root ran like a charm. Creating an unprivileged container seems impossible to me.

I created the user franziska. I set the subuid in /etc/subuid:
franziska:100000:65536

I copied the file /etc/lxc/default.conf to /home/franziska/.config/lxc/ and added:
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

I added to /etc/sysctl.conf:
kernel.unprivileged_userns_clone=1

Then I log into the user account franziska.

Here is some info about the environment:

franziska@brunhilde:~$ lxc-start --version
3.0.3

franziska@brunhilde:~$ uname -a
Linux brunhilde 4.19.0-5-amd64 #1 SMP Debian 4.19.37-3 (2019-05-15) x86_64 GNU/Linux

franziska@brunhilde:~$ lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching…
Kernel configuration found at /boot/config-4.19.0-5-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/devices
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/memory
/sys/fs/cgroup/freezer
/sys/fs/cgroup/rdma
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/blkio
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/pids

Cgroup v2 mount points:
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled


--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Is this an error? I see on the internet that everyone who runs this on Buster has nothing after "File capabilities:"?

franziska@brunhilde:~$ cat /proc/self/cgroup
11:pids:/user.slice/user-0.slice/session-3.scope
10:cpu,cpuacct:/user.slice
9:blkio:/user.slice
8:perf_event:/
7:cpuset:/
6:rdma:/
5:freezer:/user/franziska/0
4:memory:/user/franziska/0
3:net_cls,net_prio:/
2:devices:/user.slice
1:name=systemd:/user/franziska/0
0::/user.slice/user-0.slice/session-3.scope

franziska@brunhilde:~$ findmnt
TARGET SOURCE FSTYPE OPTIONS
/ /dev/mapper/vg-root ext4 rw,relatime,errors=remount-ro
├─/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup tmpfs tmpfs ro,nosuid,nodev,noexec,mode=755
│ │ ├─/sys/fs/cgroup/unified cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime
│ │ ├─/sys/fs/cgroup/systemd cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
│ │ ├─/sys/fs/cgroup/devices cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
│ │ ├─/sys/fs/cgroup/memory cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/freezer cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/rdma cgroup cgroup rw,nosuid,nodev,noexec,relatime,rdma
│ │ ├─/sys/fs/cgroup/cpuset cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset,clone_children
│ │ ├─/sys/fs/cgroup/perf_event cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event
│ │ ├─/sys/fs/cgroup/blkio cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/cpu,cpuacct cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ └─/sys/fs/cgroup/pids cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids
│ ├─/sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime
│ ├─/sys/firmware/efi/efivars efivarfs efivarfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/bpf bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700
│ ├─/sys/kernel/debug debugfs debugfs rw,relatime
│ └─/sys/fs/fuse/connections fusectl fusectl rw,relatime
├─/proc proc proc rw,nosuid,nodev,noexec,relatime
│ └─/proc/sys/fs/binfmt_misc systemd-1 autofs rw,relatime,fd=37,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=13460
├─/dev udev devtmpfs rw,nosuid,relatime,size=3888484k,nr_inodes=972121,mode=755
│ ├─/dev/pts devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
│ ├─/dev/shm tmpfs tmpfs rw,nosuid,nodev
│ ├─/dev/mqueue mqueue mqueue rw,relatime
│ └─/dev/hugepages hugetlbfs hugetlbfs rw,relatime,pagesize=2M
├─/run tmpfs tmpfs rw,nosuid,noexec,relatime,size=781092k,mode=755
│ ├─/run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k
│ └─/run/user/0 tmpfs tmpfs rw,nosuid,nodev,relatime,size=781088k,mode=700
├─/boot /dev/md0 ext4 rw,relatime
│ └─/boot/efi /dev/sda2 vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
└─/var/lib/lxcfs lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other

franziska@brunhilde:~$ cat /proc/1/mounts
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=3888484k,nr_inodes=972121,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=781092k,mode=755 0 0
/dev/mapper/vg-root / ext4 rw,relatime,errors=remount-ro 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=37,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=13460 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
/dev/md0 /boot ext4 rw,relatime 0 0
/dev/sda2 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
tmpfs /run/user/0 tmpfs rw,nosuid,nodev,relatime,size=781088k,mode=700 0 0

OK. Let's start from the user account franziska:
lxc-create -t download -n franziska -B lvm --vgname=vg --lvname=franziska --fstype ext4 --fssize 8G --logfile output1.out --logpriority DEBUG

INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
DEBUG    conf - conf.c:chown_mapped_root:3190 - trying to chown "/home/franziska/.local/share/lxc/franziska" to 1000
ERROR    utils - utils.c:run_command:1615 - Failed to exec command
ERROR    lvm - storage/lvm.c:do_lvm_create:185 - Failed to create logical volume "franziska": lxc-create: franziska: utils.c: run_command: 1615 Failed to exec command
ERROR    lvm - storage/lvm.c:lvm_create:657 - Error creating new logical volume "lvm:/dev/vg/franziska" of size "8589934592 bytes"
ERROR    lxccontainer - lxccontainer.c:do_storage_create:1272 - Failed to create "lvm" storage
ERROR    lxccontainer - lxccontainer.c:do_lxcapi_create:1869 - Failed to create lvm storage for franziska
ERROR    lxc_create - tools/lxc_create.c:main:327 - Failed to create container franziska

No problem, I think. I can solve that problem later. So I tried with -B dir:
lxc-create -t download -n franziska -B dir --logfile output2.out --logpriority DEBUG

I get some warnings:
Permission denied - Failed to open tty
Permission denied - Failed to open tty
Permission denied - Failed to open tty
Setting up the GPG keyring

but it installed Debian Buster amd64. In the logfile, no errors are shown:

INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
DEBUG    conf - conf.c:chown_mapped_root:3190 - trying to chown "/home/franziska/.local/share/lxc/franziska" to 1000
DEBUG    conf - conf.c:chown_mapped_root:3190 - trying to chown "/home/franziska/.local/share/lxc/franziska/rootfs" to 1000
DEBUG    conf - conf.c:chown_mapped_root:3190 - trying to chown "/home/franziska/.local/share/lxc/franziska" to 1000
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
DEBUG    storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir"
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536

OK. Let's start the container :slight_smile:

lxc-start -n franziska -F --logfile output3.out --logpriority DEBUG

INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill)
INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]"
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
DEBUG    terminal - terminal.c:lxc_terminal_peer_default:714 - Using terminal "/dev/tty" as proxy
DEBUG    terminal - terminal.c:lxc_terminal_signal_init:192 - Created signal fd 9
DEBUG    terminal - terminal.c:lxc_terminal_winsz:90 - Set window size to 172 columns and 48 rows
DEBUG    conf - conf.c:chown_mapped_root:3190 - trying to chown "/dev/pts/1" to 1000
ERROR    apparmor - lsm/apparmor.c:apparmor_prepare:974 - Cannot use generated profile: apparmor_parser not available
ERROR    start - start.c:lxc_init:899 - Failed to initialize LSM
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
ERROR    start - start.c:__lxc_start:1917 - Failed to initialize container "franziska"
ERROR    lxc_start - tools/lxc_start.c:main:330 - The container failed to start
ERROR    lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options

OK, here is something wrong. It seems that lxc-create did not recognize my real config in /home/franziska/.config/lxc/default.conf. No problem, I think. I can solve that problem later. Let's deactivate AppArmor in franziska's config:

#lxc.apparmor.profile = generated
lxc.apparmor.profile = unconfined

lxc-start -n franziska -F --logfile output4.out --logpriority DEBUG

Then I get the same output as above. What? output3.out and output4.out are the same. I'm very confused; here is something very wrong. Let's add the config parameter!

lxc-start -n franziska --rcfile /home/franziska/.config/lxc/default.conf -F --logfile output5.out --logpriority DEBUG

INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
DEBUG    terminal - terminal.c:lxc_terminal_peer_default:714 - Using terminal "/dev/tty" as proxy
DEBUG    terminal - terminal.c:lxc_terminal_signal_init:192 - Created signal fd 9
DEBUG    terminal - terminal.c:lxc_terminal_winsz:90 - Set window size to 172 columns and 48 rows
DEBUG    conf - conf.c:chown_mapped_root:3190 - trying to chown "/dev/pts/1" to 1000
INFO     start - start.c:lxc_init:904 - Container "franziska" is initialized
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUSER
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWNS
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWPID
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUTS
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWIPC
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
INFO     start - start.c:do_start:1148 - Unshared CLONE_NEWNET
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
DEBUG    start - start.c:lxc_spawn:1754 - Preserved net namespace via fd 10
WARN     start - start.c:lxc_spawn:1758 - Operation not permitted - Failed to allocate new network namespace id
NOTICE   utils - utils.c:lxc_switch_uid_gid:1378 - Switched to gid 0
NOTICE   utils - utils.c:lxc_switch_uid_gid:1387 - Switched to uid 0
NOTICE   utils - utils.c:lxc_setgroups:1400 - Dropped additional groups
INFO     start - start.c:do_start:1254 - Unshared CLONE_NEWCGROUP
INFO     conf - conf.c:mount_autodev:1118 - Preparing "/dev"
INFO     conf - conf.c:mount_autodev:1165 - Prepared "/dev"
INFO     conf - conf.c:lxc_fill_autodev:1209 - Populating "/dev"
ERROR    utils - utils.c:safe_mount:1179 - Permission denied - Failed to mount "/dev/full" onto "/dev/full"
ERROR    conf - conf.c:lxc_fill_autodev:1278 - Permission denied - Failed to bind mount host device node "/dev/full" onto "/dev/full"
ERROR    conf - conf.c:lxc_setup:3626 - Failed to populate "/dev"
ERROR    start - start.c:do_start:1275 - Failed to setup container "franziska"
ERROR    sync - sync.c:__sync_wait:62 - An error occurred in another process (expected sequence number 5)
DEBUG    network - network.c:lxc_delete_network:3180 - Deleted network devices
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
ERROR    start - start.c:__lxc_start:1951 - Failed to spawn container "franziska"
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
ERROR    lxc_start - tools/lxc_start.c:main:330 - The container failed to start
ERROR    lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options

Mmm. Permission denied - Failed to mount "/dev/full" onto "/dev/full". OK, I add two lines to franziska's config:
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf

lxc-start -n franziska --rcfile /home/franziska/.config/lxc/default.conf -F --logfile output6.out --logpriority DEBUG

INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
INFO     confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill)
INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]"
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
INFO     seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
INFO     seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
INFO     start - start.c:lxc_init:904 - Container "franziska" is initialized
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUSER
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWNS
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWPID
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWUTS
INFO     start - start.c:lxc_spawn:1700 - Cloned CLONE_NEWIPC
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17
DEBUG    start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
INFO     start - start.c:do_start:1148 - Unshared CLONE_NEWNET
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
DEBUG    start - start.c:lxc_spawn:1754 - Preserved net namespace via fd 10
WARN     start - start.c:lxc_spawn:1758 - Operation not permitted - Failed to allocate new network namespace id
NOTICE   utils - utils.c:lxc_switch_uid_gid:1378 - Switched to gid 0
NOTICE   utils - utils.c:lxc_switch_uid_gid:1387 - Switched to uid 0
NOTICE   utils - utils.c:lxc_setgroups:1400 - Dropped additional groups
INFO     start - start.c:do_start:1254 - Unshared CLONE_NEWCGROUP
INFO     conf - conf.c:mount_autodev:1118 - Preparing "/dev"
INFO     conf - conf.c:mount_autodev:1165 - Prepared "/dev"
ERROR    utils - utils.c:safe_mount:1179 - Permission denied - Failed to mount "proc" onto "/proc"
ERROR    conf - conf.c:lxc_mount_auto_mounts:724 - Permission denied - Failed to mount "proc" on "/proc" with flags 14
ERROR    conf - conf.c:lxc_setup:3563 - Failed to setup first automatic mounts
ERROR    start - start.c:do_start:1275 - Failed to setup container "franziska"
ERROR    sync - sync.c:__sync_wait:62 - An error occurred in another process (expected sequence number 5)
DEBUG    network - network.c:lxc_delete_network:3180 - Deleted network devices
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
ERROR    start - start.c:__lxc_start:1951 - Failed to spawn container "franziska"
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
INFO     utils - utils.c:get_rundir:275 - XDG_RUNTIME_DIR isn't set in the environment
INFO     conf - conf.c:run_script_argv:356 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "franziska", config section "lxc"
ERROR    lxc_start - tools/lxc_start.c:main:330 - The container failed to start
ERROR    lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options

OK. Permission denied - Failed to mount "proc" onto "/proc". Let's add something to franziska's config that I don't understand clearly:
lxc.mount.auto = proc:rw sys:rw cgroup:rw
lxc.mount.entry = proc proc proc
lxc.cgroup.devices.deny = none
lxc.cgroup.devices.allow = all

But the output does not change. I give up, you guys are my last chance :slight_smile: I memorized all manuals and tutorials and bug reports. I don't know what I'm doing wrong. Did anyone here run an unprivileged Buster container on a brand new Buster host? Is that possible? With LVM, too?

Thanks for help and time!

aluis
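As an added example, not part of aluis's post and not LXC's own tooling: a small POSIX shell audit of the prerequisites the post touches one by one, namely the /etc/subuid and /etc/subgid ranges, whether the lxc.idmap lines in ~/.config/lxc/default.conf actually fall inside those ranges (newuidmap and newgidmap refuse any mapping that does not), the kernel.unprivileged_userns_clone sysctl, the setuid bits on /usr/bin/newuidmap and /usr/bin/newgidmap, XDG_RUNTIME_DIR, and the name=systemd line of /proc/self/cgroup, whose user-<uid>.slice shows which login session's cgroup the shell (and so lxc-start) is running in. The sample /etc/subuid and default.conf contents are constructed inline from the values quoted in the post so the two parsing functions run offline; the live host is only read when the script is invoked with --audit. Function names and the --audit flag are my own choices.

```shell
#!/bin/sh
# Added example (not from the post or from LXC): audit what an unprivileged
# LXC container needs before lxc-start is ever run.  Read-only by design.

# Constructed sample inputs mirroring the values in the post, so the parsing
# functions can be exercised without touching the host.
SAMPLE_SUBUID='root:100000:65536
franziska:100000:65536'
SAMPLE_CONF='lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536'

# subuid_range USER CONTENT
# Print "START COUNT" for USER's first entry in subuid/subgid-style CONTENT;
# exit 1 when the user has no entry at all.
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $2, $3; found = 1; exit }
        END { exit !found }'
}

# idmap_fits TYPE CONTENT START COUNT
# Exit 0 when at least one "lxc.idmap = TYPE nsid hostid range" line exists in
# CONTENT and every such line maps into the host id window
# [START, START+COUNT); exit 1 otherwise (missing line, or a line that leaves
# the window, which is exactly what newuidmap/newgidmap refuse to install).
idmap_fits() {
    printf '%s\n' "$2" | awk -v t="$1" -v s="$3" -v c="$4" '
        $1 == "lxc.idmap" && $3 == t {
            hostid = $5 + 0; range = $6 + 0; seen = 1
            if (hostid < s + 0 || hostid + range > s + c) bad = 1
        }
        END { exit (bad || !seen) }'
}

# audit_host
# Report the live state of this host for the calling user.  Informational
# only: nothing here changes the system.
audit_host() {
    user=$(id -un)
    conf="${HOME:-/nonexistent}/.config/lxc/default.conf"

    if v=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null); then
        echo "kernel.unprivileged_userns_clone = $v"
    else
        echo "kernel.unprivileged_userns_clone: sysctl not present on this kernel"
    fi

    for tool in /usr/bin/newuidmap /usr/bin/newgidmap; do
        if [ -u "$tool" ]; then
            echo "$tool: setuid, as LXC expects"
        else
            echo "$tool: missing or NOT setuid"
        fi
    done

    for kind in u g; do
        case $kind in u) file=/etc/subuid ;; g) file=/etc/subgid ;; esac
        if range=$(subuid_range "$user" "$(cat "$file" 2>/dev/null)"); then
            echo "$file: $user has range $range"
            # $range is intentionally unquoted: it expands to START COUNT.
            if [ -r "$conf" ] && idmap_fits "$kind" "$(cat "$conf")" $range; then
                echo "$conf: lxc.idmap $kind lines fit inside that range"
            else
                echo "$conf: no lxc.idmap $kind line, or it maps outside that range"
            fi
        else
            echo "$file: no entry for $user"
        fi
    done

    echo "XDG_RUNTIME_DIR: ${XDG_RUNTIME_DIR:-unset}"
    # user-<uid>.slice in this line names the login session that owns the
    # shell; an unprivileged lxc-start runs inside whatever cgroup this is.
    echo "session cgroup: $(sed -n '/name=systemd/{p;q;}' /proc/self/cgroup 2>/dev/null || echo unavailable)"
}

if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as the container user (`sh audit.sh --audit`) from a fresh login rather than from a root shell switched with su, and compare the reported session cgroup and XDG_RUNTIME_DIR with what the post shows; a shell that still sits in user-0.slice is not running in its own user's delegated session.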