Unprivileged Container fails to Start in OpenWRT

Hi,

I am able to create and run privileged containers on OpenWRT 19.07.2 and LXC 2.1.1

I am unable to run unprivileged containers. I am getting the following errors:

lxc-start myalpine 20200410140608.707 ERROR    lxc_utils - utils.c:mkdir_p:257 - Permission denied - failed to create directory '/sys/fs/cgroup/lxc/myalpine'
lxc-start myalpine 20200410140608.707 ERROR    lxc_cgfs - cgroups/cgfs.c:lxc_cgroupfs_create:1022 - Permission denied - Could not create cgroup '/lxc/myalpine' in '/sys/fs/cgroup'.
lxc-start myalpine 20200410140608.710 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete /sys/fs/cgroup//lxc
lxc-start myalpine 20200410140608.711 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete /sys/fs/cgroup/
lxc-start myalpine 20200410140608.711 ERROR    lxc_start - start.c:lxc_spawn:1221 - Failed creating cgroups.

There is an lxc directory under /sys/fs/cgroup and it is owned by root:root.

I went through similar posts in this forum and in other forums as well. I am trying to provide as much information as possible here:

/proc/self/cgroup

cat /proc/self/cgroup
1:cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,pids,debug:/

Config File

cat /home/strive/.local/share/lxc/myalpine/config
lxc.include = /etc/lxc/default.conf
lxc.include = /usr/share/lxc/config/alpine.common.conf
lxc.include = /usr/share/lxc/config/alpine.userns.conf
lxc.arch = linux64

# find your ids via
# cat  /etc/s*id|grep $USER
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

lxc.init.uid = 100000
lxc.init.gid = 100000

lxc.mount.auto = proc:mixed sys:ro cgroup:mixed

# lan interface
lxc.net.0.type = veth
lxc.net.0.link = br-lan
lxc.net.0.flags = up

# wan interface
#lxc.net.1.type = veth
#lxc.net.1.link = br-lan

# adapt <user> and <vm-name>
lxc.rootfs.path = dir:/home/strive/.local/share/lxc/myalpine/rootfs

One of the posts suggested adding the line session optional pam_cgfs.so -c freezer,memory,name=systemd,cpuset,cpu to the /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive files. However, pam_cgfs.so is not present in my OpenWRT VM.

Am I missing something that is required for a proper cgroup hierarchy? Please give me some pointers to solve this issue.

You need to make sure that the user that’s going to start the unprivileged container is placed in cgroups that they own.

So looking at /proc/self/cgroup from that shell should show you paths other than the root of the cgroup tree and that path under /sys/fs/cgroup should belong to your user.

I believe the only cgroup we strictly need is freezer, so make sure that one is correct; the rest you can probably do without unless you intend to set memory/cpu limits.

I get the same output for cat /proc/self/cgroup in both shells (root and strive).

Right, that’s not good and it’s something you need to fix by hand when you don’t have a PAM stack with plugins to do this for you.
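The "fix by hand" the reply above refers to, as an added example for this thread (not code from the original posts or from the LXC project): a small POSIX sh script that does the part of pam_cgfs.so's job that matters here. It assumes, as the poster's /proc/self/cgroup line shows, that all cgroup v1 controllers are co-mounted in a single hierarchy at /sys/fs/cgroup, so one directory named after the user covers freezer and everything else; the user name, the script name and the CGROUP_ROOT variable are assumptions of the example. Root creates a cgroup the user owns, the user moves their shell into it, and the check function verifies exactly what the reply asks for: a non-root freezer path whose directory belongs to the calling user.

```shell
#!/bin/sh
# Added example, not from the original posts or from LXC: manual stand-in for pam_cgfs.so
# on a system without a PAM stack. Assumes (constructed for this example) that all v1
# controllers share one hierarchy mounted at $CGROUP_ROOT, as in the poster's
# /proc/self/cgroup output, and that the login user name is passed as an argument.

# Print the path column of the hierarchy that carries the freezer controller.
# Input: /proc/self/cgroup content on stdin. Output: "/" (still at the root) or
# e.g. "/strive" (inside a per-user cgroup). Prints nothing if freezer is absent.
freezer_path() {
    awk -F: '$2 ~ /(^|,)freezer(,|$)/ { print $3; exit }'
}

# Return 0 when the calling process sits in a non-root freezer cgroup whose
# directory under $1 (the hierarchy mount point) is owned by the calling user.
# $2 is /proc/self/cgroup content passed as a string, so saved output can be checked too.
user_cgroup_ok() {
    mount="$1"
    path=$(printf '%s\n' "$2" | freezer_path)
    [ -n "$path" ] && [ "$path" != "/" ] && [ -O "$mount$path" ]
}

# Root runs this once per login user: create the cgroup and hand it to the user.
# mkdir inside cgroupfs auto-populates the control files, and chown -R also covers
# cgroup.procs/tasks, so the user can move processes into the group afterwards.
create_user_cgroup() {
    mount="$1"; user="$2"
    mkdir -p "$mount/$user" && chown -R "$user" "$mount/$user"
}

# The user runs this from the shell that will later call lxc-start: move that shell
# (or an explicit pid) into the owned cgroup, so lxc-start creates
# <mount>/<user>/lxc/<container> in a directory it is allowed to write.
enter_user_cgroup() {
    mount="$1"; user="$2"; pid="${3:-$$}"
    echo "$pid" > "$mount/$user/cgroup.procs"
}

# Operational entry point, only when invoked explicitly (see usage note).
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"
case "${1:-}" in
    setup) create_user_cgroup "$CGROUP_ROOT" "$2" ;;
    check) if user_cgroup_ok "$CGROUP_ROOT" "$(cat /proc/self/cgroup)"; then
               echo "ok: owned non-root freezer cgroup"
           else
               echo "still at the root of the cgroup tree, or directory not owned by you"
               exit 1
           fi ;;
esac
```

Usage on the poster's box (assumed file name usercg.sh): as root, run `sh usercg.sh setup strive`; then in strive's shell, `. ./usercg.sh; enter_user_cgroup /sys/fs/cgroup strive` (sourced, so the current shell itself is moved), and `sh usercg.sh check` from that same shell should now report ok and cat /proc/self/cgroup should show /strive instead of /. Because cgroup membership is inherited, any lxc-start launched from that shell lands under the owned directory. The setup step has to be repeated after every reboot, which is the part a PAM module would otherwise do at login.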

Let me check the PAM stack and try to fix it. Thanks for the lead.