Unprivileged as root not starting

Hello,

Created an unprivileged container as root, mapped to uid/gid 296608.

Issue starting lxc: sudo lxc-start -p --logfile=log.txt

  lxc-start 20170813020157.311 ERROR    lxc_conf - conf.c:lxc_mount_auto_mounts:734 - Permission denied - error mounting sysfs on /usr/lib/x86_64-linux-gnu/lxc/sys/devices/virtual/net flags 0
  lxc-start 20170813020157.311 ERROR    lxc_conf - conf.c:lxc_setup:4008 - failed to setup the automatic mounts for 'p1'
  lxc-start 20170813020157.311 ERROR    lxc_start - start.c:do_start:811 - Failed to setup container "p1".
  lxc-start 20170813020157.311 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
  lxc-start 20170813020157.335 ERROR    lxc_start - start.c:__lxc_start:1358 - Failed to spawn container "p1".
  lxc-start 20170813020202.882 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
  lxc-start 20170813020202.882 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
  lxc-start 20170813020202.882 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

NAME STATE AUTOSTART GROUPS IPV4 IPV6
p1 STOPPED 0

cat /etc/sub* |grep root
root:296608:65536
root:296608:65536

cat /etc/lxc/default.conf

# Subuids and subgids mapping
lxc.id_map = u 0 296608 65536
lxc.id_map = g 0 296608 65536

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx

root@ha1:/var/lib/lxc/p1# ls -l
total 12
-rw-r--r-- 1 root root 973 Aug 13 03:34 config
-rw-r--r-- 1 root root 912 Aug 13 03:46 log.txt
drwxr-xr-x 21 296608 296608 4096 Aug 12 05:54 rootfs

total 8
-rw-r--r-- 1 root root 973 Aug 13 03:34 config
drwxr-xr-x 21 296608 296608 4096 Aug 12 05:54 rootfs

cat /var/lib/lxc/p1/config

lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

lxc.id_map = u 0 296608 65536
lxc.id_map = g 0 296608 65536
lxc.rootfs = /var/lib/lxc/p1/rootfs
lxc.rootfs.backend = dir
lxc.utsname = p1

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:7a:53:bc

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Kernel and CPU Linux 3.14.32-xxxx-grs-ipv6-64 on x86_64

lxc:
Installed: 2.0.8-0ubuntu1~16.04.2
Candidate: 2.0.8-0ubuntu1~16.04.2

lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled

--- Checkpoint/Restore ---
checkpoint restore: missing
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled

That reminds me of a kernel bug from a while ago. Can you try upgrading your kernel and trying again?

This is a server hosted by OVH; it's not that easy to upgrade the kernel.

Kernel and CPU Linux 3.14.32-xxxx-grs-ipv6-64 on x86_64

I got it working by creating the lxc as privileged, then changing it to unprivileged using the article:

but now getting the following errors when I use the following commands inside the unprivileged container:

#apt-get update:

W: Can’t drop privileges for downloading as file ‘/var/cache/apt/archives/partial/libgdbm3_1.8.3-13.1_amd64.deb’ couldn’t be accessed by user ‘_apt’. - pkgAcquire::Run (13: Permission denied)

#netstat / ifconfig

Error:

  netstat -tupln
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
  netstat: no support for `AF INET (tcp)' on this system.

Managed to remove the OVH customised kernel and install 4.10.0-32-generic #36~16.04.1-Ubuntu

The user (not in sudo group) still was not able to create unprivileged lxc or start it.

This helped to resolve my issue:

*** PERMISSION ISSUES ***
sudo -sHu lxcusr
lxc-create -t download -n uprivileged_lxc

sudo -sHu lxcusr
lxc-start -n uprivileged_lxc

Ref.
http://lxc-users.linuxcontainers.narkive.com/kmATJh3s/creating-a-container-as-non-root
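A check worth running before chasing errors like the ones above, added here as an example and not code from this thread or from LXC: it parses the lxc.id_map lines of a container config against the /etc/subuid and /etc/subgid entries of the user who will start the container and reports whether the whole map is delegated to that user. Function names, the lxcusr subid range and the oversized config line are my own constructed samples; root's entry mirrors the thread's values.

```shell
#!/bin/sh
# Added example, not from the thread: check that every lxc.id_map line in a
# container config lies inside a /etc/subuid (u) or /etc/subgid (g) range that
# belongs to the user who will start the container. Contents are passed as
# strings so the check also runs offline against constructed samples.

# idmap_uncovered <u|g> <user> <subid file content> <config content>
# Prints how many id_map lines of that kind are NOT covered (0 means all good).
idmap_uncovered() {
  printf '%s\n' "$4" | awk -v kind="$1" -v user="$2" -v subids="$3" '
    BEGIN {
      # collect the [lo, hi) ranges delegated to <user>, e.g. root:296608:65536
      n = split(subids, lines, "\n"); m = 0
      for (i = 1; i <= n; i++) {
        split(lines[i], f, ":")
        if (f[1] == user) { m++; lo[m] = f[2] + 0; hi[m] = f[2] + f[3] }
      }
      bad = 0
    }
    # "lxc.id_map = u 0 296608 65536": $3 is the kind, $5 host start, $6 count
    ($1 == "lxc.id_map" || $1 == "lxc.idmap") && $3 == kind {
      start = $5 + 0; end = $5 + $6; ok = 0
      for (i = 1; i <= m; i++) if (start >= lo[i] && end <= hi[i]) ok = 1
      if (!ok) bad++
    }
    END { print bad }'
}

# check_idmap <user> <subuid content> <subgid content> <config content>
# Succeeds only when both the uid map and the gid map are fully delegated.
check_idmap() {
  [ "$(idmap_uncovered u "$1" "$2" "$4")" -eq 0 ] &&
  [ "$(idmap_uncovered g "$1" "$3" "$4")" -eq 0 ]
}

# Constructed samples: root's entry mirrors the thread; the lxcusr range is made up.
SAMPLE_SUBUID='root:296608:65536
lxcusr:362144:65536'
SAMPLE_SUBGID=$SAMPLE_SUBUID
SAMPLE_CONF='lxc.id_map = u 0 296608 65536
lxc.id_map = g 0 296608 65536'
OVERSIZED_CONF='lxc.id_map = u 0 296608 70000'   # 70000 ids exceed the 65536 delegated

check_idmap root "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" "$SAMPLE_CONF" &&
  echo "root: id_map fully covered, so the mapping is not what broke the start above"
check_idmap lxcusr "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" "$SAMPLE_CONF" ||
  echo "lxcusr: config maps ids that are not delegated to lxcusr"
# On a real host: check_idmap "$USER" "$(cat /etc/subuid)" "$(cat /etc/subgid)" "$(cat ~/.config/lxc/default.conf)"
```

Passing on the thread's values is itself informative: with the map correctly delegated, the remaining suspects are the kernel (as the reply above suggests) and the ownership of the rootfs tree.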