[solved] Multiple unprivileged lxc containers on Debian 9


#1

Hello,

I am using Debian 9, and two privileged lxc containers have done a good job for me for years.

Now I want to change that to unprivileged containers.
I read and followed the instructions of


https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

I also managed to get id mapping to my host user for easy data exchange.
See my lxc config for that host:

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# Template script checksum (SHA-1): 740c51206e35463362b735e68b867876048a8baf
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Subuids and subgids mapping
# "Secure" mounting
# Unsecure mounting
# Network configuration

# Distribution configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
lxc.arch = linux64

# Container specific configuration
# "Secure" id mapping
# lxc.id_map = u 0 100000 65536  
# lxc.id_map = g 0 100000 65536
# "Unsecure" id mapping - but comfortable
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.mount.entry = /mnt mnt none bind 0 0
lxc.mount.entry = /home/username_here/sandbox home/dings/share none bind 0 0
lxc.rootfs = /home/username_here/.local/share/lxc/dings/rootfs
lxc.rootfs.backend = dir
lxc.utsname = dings

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:39:81:87

I couldn’t manage to get another container running the same way, well, until I changed /etc/lxc/lxc-usernet:

# <user>        <link_type>     <bridge>        <#_of_links>
@lxcusers       veth            lxcbr0          10

and added username_here to that group.

Now both run, but the second is buggy. In the end, it has almost the same config:

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# Template script checksum (SHA-1): 740c51206e35463362b735e68b867876048a8baf
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Subuids and subgids mapping
# "Secure" id mapping
#  "Unsecure" id mapping - but comfortable
# "Secure" mounting
# Unsecure mounting
# Network configuration

# Distribution configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
lxc.arch = linux64

# Container specific configuration
#lxc.id_map = u 0 100000 65536
#lxc.id_map = g 0 100000 65536
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.mount.entry = /mnt mnt none bind 0 0
#lxc.mount.entry = /home/username_here/sandbox home/dings/share none bind 0 0
lxc.rootfs = /home/username_here/.local/share/lxc/tix/rootfs
lxc.rootfs.backend = dir
lxc.utsname = tix

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:1b:2b:47

The second container, tix, has issues, e.g.:

Failed to install release agent, ignoring: No such file or directory
Cannot add dependency job for unit display-manager.service, ignoring: Unit display-manager.service failed to load: No such file or directory.
Failed to reset devices.list on /system.slice/dev-hugepages.mount: No such file or directory
Failed to reset devices.list on /system.slice/dev-mqueue.mount: No such file or directory
Failed to reset devices.list on /system.slice/systemd-journald.service: No such file or directory
[FAILED] Failed to mount Huge Pages File System.
[FAILED] Failed to start Login Service.
[FAILED] Failed to start Network Service.

I think that my container installation is wrong and that is causing trouble.
I really tried to google how to manage multiple unprivileged containers, but no luck.

Do you know?


#2

I solved the problem. It looks like the second container with issues was a broken image.
After getting space to create more containers and destroying the broken one, I get no errors.
Now I can run multiple unprivileged lxc containers as planned. No need for privileged containers anymore, and user mapping works, too.

Thank you for your attention.