[SOLVED] Arch Linux: Containers only run when security.privileged=true?


(Patrick Goetz) #1

If I attempt to create and run a container under Arch Linux:

# lxc launch ubuntu14 archon

The container builds but refuses to launch, with these error messages:

lxc arc 20190206200354.953 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "": newuidmap 10475 0 1000000 1000000000
lxc arc 20190206200354.954 ERROR    start - start.c:lxc_spawn:1727 - Failed to set up id mapping.
lxc arc 20190206200354.121 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethEQMOP7" from "lxdbr0"
lxc arc 20190206200354.121 ERROR    start - start.c:__lxc_start:1972 - Failed to spawn container "arc"
lxc arc 20190206200354.124 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:864 - Received container state "ABORTING" instead of "RUNNING"
lxc arc 20190206200354.127 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "": newuidmap 10490 0 1000000 1000000000 1000000000 0 1
lxc arc 20190206200354.127 ERROR    conf - conf.c:userns_exec_1:4422 - Error setting up {g,u}id mappings for child process "10490"
lxc arc 20190206200354.128 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc 20190206200354.129 WARN     commands - commands.c:lxc_cmd_rsp_recv:132 - Connection reset by peer - Failed to receive response for command "get_state"

I understand that the default Arch Linux kernel has User Namespaces enabled only for the root user, but presumably I should still be able to launch containers as root?


(Stéphane Graber) #2

That suggests that your /etc/subuid and /etc/subgid may be misconfigured.


(Patrick Goetz) #3

Thank you. The Arch VM I’m testing lxd in doesn’t currently have a /etc/subuid or /etc/subgid file, so this seems likely. The Arch implementation of lxd comes by way of a user-supported AUR package, and is quite bare bones. I’ve been spinning up an Ubuntu 16.04 VM and mirroring the steps there in order to figure out what is being done for me automagically, but didn’t know to look for these.

I’m in the process of reading through your fantastically well written lxd blog posts (thanks for taking the time to write these) and should probably finish the RTFM process before posting additional questions on this forum.


(Patrick Goetz) #4

So I finally had a chance to revisit this. Here are my subuid/subgid files:

[pgoetz@erap-atx ~]$ cat /etc/subuid 
"root:1000000:65536"
[pgoetz@erap-atx ~]$ cat /etc/subgid 
"root:1000000:65536"

Here’s what happens when I try to launch a new container:

[pgoetz@erap-atx ~]$ lxc launch images:ubuntu/16.04 u16
Creating u16
Starting u16                                
Error: Failed to run: /usr/bin/lxd forkstart u16 /var/lib/lxd/containers /var/log/lxd/u16/lxc.conf: 
Try `lxc info --show-log local:u16` for more info

[pgoetz@erap-atx ~]$ lxc info --show-log local:u16
Name: u16
Location: none
Remote: unix://
Architecture: x86_64
Created: 2019/02/21 15:54 UTC
Status: Stopped
Type: persistent
Profiles: default

Log:

lxc u16 20190221155412.927 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "newuidmap: uid range [0-1000000000) -> [1000000-1001000000) not allowed": newuidmap 10489 0 1000000 1000000000
lxc u16 20190221155412.927 ERROR    start - start.c:lxc_spawn:1727 - Failed to set up id mapping. 
lxc u16 20190221155412.179 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethPX1QE0" from "lxdbr0"
lxc u16 20190221155412.179 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:864 - Received container state "ABORTING" instead of "RUNNING"
lxc u16 20190221155412.179 ERROR    start - start.c:__lxc_start:1972 - Failed to spawn container "u16"
lxc u16 20190221155412.186 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "newuidmap: uid range [0-1000000000) -> [1000000-1001000000) not allowed": newuidmap 10501 0 1000000 1000000000 1000000000 0 1
lxc u16 20190221155412.186 ERROR    conf - conf.c:userns_exec_1:4422 - Error setting up {g,u}id mappings for child process "10501"
lxc u16 20190221155412.186 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc 20190221155412.188 WARN     commands - commands.c:lxc_cmd_rsp_recv:132 - Connection reset by peer - Failed to receive response for command "get_state"

Is the syntax in my /etc/subuid and /etc/subgid incorrect? I just lifted this from the Arch AUR package post installation instructions.


(Patrick Goetz) #5

Never mind. I forgot to restart the LXD daemon after creating these files. It’s working now as advertised, so marking this ticket as solved. For the benefit of someone scanning this ticket:

OS: Arch Linux
LXD version 3.10

[pgoetz@erap-atx ~]$ cat /etc/subuid
root:1000000:65536
[pgoetz@erap-atx ~]$ cat /etc/subgid
root:1000000:65536

The Arch Linux Containers Wiki page suggests that to run unprivileged containers you also need to add these lines to /etc/default/lxc:

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

I did not need to do this, nor did I add the PAM cgroups module, pam_cgfs.so, to /etc/pam.d/system-login
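The failure in this thread comes down to whether the id range LXD asks newuidmap/newgidmap to write is covered by an entry in /etc/subuid and /etc/subgid. The following script is an added example, not part of the original thread and not LXD's or shadow's own code; it reimplements that range check over a constructed subuid-style string (the file contents are made up for the example, not the poster's real files) so the two situations seen above can be compared side by side: the 1000000000-id map that newuidmap refused, and the 65536-id map the final files allow.

```bash
#!/bin/sh
# Added example: check whether a requested subordinate id range is covered
# by an /etc/subuid (or /etc/subgid) entry, the same condition that
# newuidmap/newgidmap enforce before writing a user namespace mapping.
# Lines use the shadow format  name:start:count  and the whole requested
# range [start, start+count) must fall inside a single line for that name.

# Constructed sample file contents (not the poster's files). The second
# line shows that ordinary users get their own, non-overlapping range.
SAMPLE_SUBUID='root:1000000:65536
pgoetz:1065536:65536'

# subid_range_allowed CONTENT USER START COUNT
# Exit status 0 if [START, START+COUNT) lies inside one of USER's lines in
# CONTENT, 1 otherwise. awk does the arithmetic so large ids (LXD's default
# 1000000000-wide map) are handled without shell integer limits.
subid_range_allowed() {
    printf '%s\n' "$1" | awk -F: -v user="$2" -v s="$3" -v n="$4" '
        BEGIN { ok = 1 }                      # pessimistic: not allowed
        $1 == user && ($2 + 0) <= (s + 0) && (s + 0) + (n + 0) <= ($2 + 0) + ($3 + 0) { ok = 0 }
        END { exit ok }'
}

# subid_total_for_user CONTENT USER
# Prints the total number of ids granted to USER across all matching lines
# (0 if there is no entry), a quick way to see whether 65536 is available.
subid_total_for_user() {
    printf '%s\n' "$1" | awk -F: -v user="$2" '
        $1 == user { total += ($3 + 0) }
        END { printf "%d\n", total + 0 }'
}

# Demonstration against the constructed sample: the first request mirrors
# the map LXD asked for when it had no subuid entries to read
# ("uid range [0-1000000000) -> [1000000-1001000000) not allowed"), the
# second mirrors the 65536-id map that works with the final files.
for req in "root 1000000 1000000000" "root 1000000 65536" "pgoetz 1065536 65536"; do
    set -- $req
    if subid_range_allowed "$SAMPLE_SUBUID" "$1" "$2" "$3"; then
        echo "$1: range [$2, $(($2 + $3))) allowed"
    else
        echo "$1: range [$2, $(($2 + $3))) NOT allowed"
    fi
done
echo "root total ids: $(subid_total_for_user "$SAMPLE_SUBUID" root)"
```

To check a live system instead of the sample, pass `"$(cat /etc/subuid)"` (and likewise /etc/subgid) as the first argument. The name field is compared exactly, so a line written as `"root:1000000:65536"` with surrounding quotation marks would not match the user `root`; and because LXD reads these files when it starts, a correct file only takes effect after the daemon is restarted, which is what resolved the thread.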