Troubles with unprivileged user

cgb · September 27, 2017, 3:30pm

Hello all,

currently I’m trying to do some first steps with LXC.
I created a dedicated user (lxcusr) on my system (Ubuntu trusty amd64) and successfully created a container of the same Ubuntu flavour.
lxc-check-config doesn’t report any problem.
Unfortunately I fail to start the container:

lxc-start test-container-amd64 20170927151711.518 ERROR    dir - storage/dir.c:dir_mount:179 - Permission denied - Failed to mount "/home/lxcusr/.local/share/lxc/test-container-amd64/rootfs" on "/home/lxcusr/lxc_mnt"
lxc-start test-container-amd64 20170927151711.518 ERROR    lxc_conf - conf.c:lxc_setup_rootfs:1313 - Failed to mount rootfs "dir:/home/lxcusr/.local/share/lxc/test-container-amd64/rootfs" onto "/home/lxcusr/lxc_mnt" with options "(null)".
lxc-start test-container-amd64 20170927151711.518 ERROR    lxc_conf - conf.c:do_rootfs_setup:3103 - failed to setup rootfs for 'test-container-amd64'
lxc-start test-container-amd64 20170927151711.518 ERROR    lxc_conf - conf.c:lxc_setup:3144 - Error setting up rootfs mount after spawn
lxc-start test-container-amd64 20170927151711.518 ERROR    lxc_start - start.c:do_start:921 - Failed to setup container "test-container-amd64".
lxc-start test-container-amd64 20170927151711.519 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
lxc-start test-container-amd64 20170927151711.519 ERROR    lxc_start - start.c:__lxc_start:1451 - Failed to spawn container "test-container-amd64".
lxc-start test-container-amd64 20170927151712.138 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - The container failed to start.
lxc-start test-container-amd64 20170927151712.139 ERROR    lxc_start_ui - tools/lxc_start.c:main:372 - Additional information can be obtained by setting the --logfile and --logpriority options.

What could possibly be the problem here? The mount point lies within the home directory of lxcusr.

Thanks,
Christoph

stgraber · September 27, 2017, 4:16pm

Why did you set the container’s temporary mountpoint to something other than the default value?

My guess is that the error you’re getting is because the security profile for lxc-start, prevents it from mounting the container’s rootfs anywhere but at /usr/lib/*/lxc/…

There’s really no point in setting this to /home/lxcusr/lxc_mnt since you won’t be able to see that mount anyway (it’s going to be in a mount namespace).

cgb · September 28, 2017, 6:16am

I did this because using the default location gave the same error:
dir - storage/dir.c:dir_mount:179 - Permission denied - Failed to mount "/home/lxcusr/.local/share/lxc/test-container-amd64/rootfs" on "/usr/lib/x86_64-linux-gnu/lxc"

stgraber · September 28, 2017, 12:44pm

Do you have any “DENIED” entry in “dmesg” output?

It may also be a path traversal issue, the easiest way to fix that if that’s the issue is:

chmod +x /home /home/lxcusr /home/lxcusr/.local /home/lxcusr/.local/share /home/lxcusr/.local/share/lxc

cgb · September 28, 2017, 1:21pm

dmesg doesn’t show any DENIED entries.
Also /home/lxcusr and anything below are accessible by lxcusr.

cgb · September 28, 2017, 1:37pm

And which access rights should apply to /usr/lib/x86_64-linux-gnu/lxc?

Costa_Basil · December 17, 2019, 11:14pm

Hi, I have the same issue. If you don’t mind what did you end up doing?
Thanks

Update: the command written by stgraber worked.