[SOLVED] Arch Linux: Containers only run when security.privileged=true?

pgoetz · February 6, 2019, 8:57pm

If I attempt to create and run a container under Arch linux:

# lxc launch ubuntu14 archon

The container builds but refuses to launch, with these error messages:

lxc arc 20190206200354.953 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "": newuidmap 10475 0 1000000 1000000000
lxc arc 20190206200354.954 ERROR    start - start.c:lxc_spawn:1727 - Failed to set up id mapping.
lxc arc 20190206200354.121 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethEQMOP7" from "lxdbr0"
lxc arc 20190206200354.121 ERROR    start - start.c:__lxc_start:1972 - Failed to spawn container "arc"
lxc arc 20190206200354.124 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:864 - Received container state "ABORTING" instead of "RUNNING"
lxc arc 20190206200354.127 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "": newuidmap 10490 0 1000000 1000000000 1000000000 0 1
lxc arc 20190206200354.127 ERROR    conf - conf.c:userns_exec_1:4422 - Error setting up {g,u}id mappings for child process "10490"
lxc arc 20190206200354.128 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc 20190206200354.129 WARN     commands - commands.c:lxc_cmd_rsp_recv:132 - Connection reset by peer - Failed to receive response for command "get_state"

I understand that the default Arch linux kernel has User Namespaces enabled only for the root user, but presumably I should still be able to launch containers as root?

stgraber · February 7, 2019, 7:20pm

That suggests that your /etc/subuid and /etc/subgid may be misconfigured.

pgoetz · February 7, 2019, 7:44pm

Thank you. The Arch VM I’m testing lxd in doesn’t currently have a /etc/subuid or /etc/subgid file, so this seems likely. The Arch implementation of lxd comes by way of a user-supported AUR package, and is quite bare bones. I’ve been spinning up an Ubuntu 16.04 VM and mirroring the steps there in order to figure out what is being done for me automagically, but didn’t know to look for these.

I’m in the process of reading through your fantastically well written lxd blog posts (thanks for taking the time to write these) and should probably finish the RTFM process before posting additional questions on this forum.

pgoetz · February 21, 2019, 4:04pm

So I finally had a chance to revisit this. Here are my subuid/subgid files:

[pgoetz@erap-atx ~]$ cat /etc/subuid 
"root:1000000:65536"
[pgoetz@erap-atx ~]$ cat /etc/subgid 
"root:1000000:65536"

Here’s what happens when I try and launch a new container:

[pgoetz@erap-atx ~]$ lxc launch images:ubuntu/16.04 u16
Creating u16
Starting u16                                
Error: Failed to run: /usr/bin/lxd forkstart u16 /var/lib/lxd/containers /var/log/lxd/u16/lxc.conf: 
Try `lxc info --show-log local:u16` for more info

[pgoetz@erap-atx ~]$ lxc info --show-log local:u16
Name: u16
Location: none
Remote: unix://
Architecture: x86_64
Created: 2019/02/21 15:54 UTC
Status: Stopped
Type: persistent
Profiles: default

Log:

lxc u16 20190221155412.927 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "newuidmap: uid range [0-1000000000) -> [1000000-1001000000) not allowed": newuidmap 10489 0 1000000 1000000000
lxc u16 20190221155412.927 ERROR    start - start.c:lxc_spawn:1727 - Failed to set up id mapping. 
lxc u16 20190221155412.179 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethPX1QE0" from "lxdbr0"
lxc u16 20190221155412.179 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:864 - Received container state "ABORTING" instead of "RUNNING"
lxc u16 20190221155412.179 ERROR    start - start.c:__lxc_start:1972 - Failed to spawn container "u16"
lxc u16 20190221155412.186 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "newuidmap: uid range [0-1000000000) -> [1000000-1001000000) not allowed": newuidmap 10501 0 1000000 1000000000 1000000000 0 1
lxc u16 20190221155412.186 ERROR    conf - conf.c:userns_exec_1:4422 - Error setting up {g,u}id mappings for child process "10501"
lxc u16 20190221155412.186 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc 20190221155412.188 WARN     commands - commands.c:lxc_cmd_rsp_recv:132 - Connection reset by peer - Failed to receive response for command "get_state"

Is the syntax in my /etc/subuid and /etc/subgid incorrect? I just lifted this from the Arch AUR package post installation instructions.

pgoetz · February 21, 2019, 4:26pm

Never mind. I forgot to restart the LXD daemon after creating these files. It’s working now as advertised, so marking this ticket as solved. For the benefit of someone scanning this ticket:

OS: Arch linux
LXD version 3.10

[pgoetz@erap-atx ~]$ cat /etc/subuid
root:1000000:65536
[pgoetz@erap-atx ~]$ cat /etc/subgid
root:1000000:65536

The Arch Linux Containers Wiki page suggests that to run unprivileged containers you also need to add these lines to /etc/default/lxc:

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

I did not need to do this, nor did I add the PAM cgroups module, pam_cgfs.so, to /etc/pam.d/system-login

ingobaab · June 3, 2022, 6:15pm

Dear pgoetz, I had to add this entries into /etc/default/lxc in my desktop-linux Manjaro:

Before I did this, I got this error-log:

lxc host 20220603181050.592 ERROR    conf - conf.c:lxc_map_ids:3668 - newuidmap failed to write mapping "newuidmap: uid range [0-1000000000) -> [1000000-1001000000) not allowed": newuidmap 12177 0 1000000 1000000000
lxc host 20220603181050.592 ERROR    start - start.c:lxc_spawn:1791 - Failed to set up id mapping.
lxc host 20220603181050.593 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:877 - Received container state "ABORTING" instead of "RUNNING"
lxc host 20220603181050.593 ERROR    start - start.c:__lxc_start:2074 - Failed to spawn container "host"
lxc host 20220603181050.593 WARN     start - start.c:lxc_abort:1039 - Kein passender Prozess gefunden - Failed to send SIGKILL via pidfd 17 for process 12177
lxc 20220603181055.616 ERROR    af_unix - af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Die Verbindung wurde vom Kommunikationspartner zurückgesetzt - Failed to receive response
lxc 20220603181055.618 ERROR    commands - commands.c:lxc_cmd_rsp_recv_fds:127 - Failed to receive file descriptors for command "get_state"

After that I could launch and start ubuntu:20.04 - worked: