Unprivileged container won't start

I have big problems creating unprivileged containers.

I’m using Arch with kernel 5.2 and LXC 3.2. I followed this wiki.

https://wiki.archlinux.org/index.php/Linux_Containers#An_example_to_illustrate_unprivileged_containers

This is my config:

# sysctl kernel.unprivileged_userns_clone
1

$ grep username /etc/sub* 2>/dev/null
/etc/subgid:username:100000:65536
/etc/subuid:username:100000:65536

$ cat ~/.config/lxc/lxc-usernet
username veth lxcbr0 10

$ cat ~/.config/lxc/default.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx

$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points: 
/sys/fs/cgroup/systemd
/sys/fs/cgroup/memory
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/rdma
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/blkio
/sys/fs/cgroup/freezer
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/pids
/sys/fs/cgroup/devices
/sys/fs/cgroup/hugetlb

Cgroup v2 mount points: 
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: missing
CONFIG_NF_NAT_IPV6: missing
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: 

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

This issue comes at the start.

lxc-start -n playtime -F --logfile=debug.log --logpriority=DEBUG
systemd 242.84-1-arch running in system mode. (+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to Arch Linux!

Failed to create /init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...

Here is the debug log.

lxc-start playtime 20190807201805.662 INFO     confile - confile.c:set_config_idmaps:1987 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start playtime 20190807201805.662 INFO     confile - confile.c:set_config_idmaps:1987 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start playtime 20190807201805.662 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver nop
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "[all]"
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "kexec_load errno 1"
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "open_by_handle_at errno 1"
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "init_module errno 1"
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "finit_module errno 1"
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "delete_module errno 1"
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start playtime 20190807201805.662 INFO     seccomp - seccomp.c:parse_config_v2:1008 - Merging compat seccomp contexts into main context
lxc-start playtime 20190807201805.662 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:683 - Using terminal "/dev/tty" as proxy
lxc-start playtime 20190807201805.662 DEBUG    terminal - terminal.c:lxc_terminal_signal_init:167 - Created signal fd 9
lxc-start playtime 20190807201805.662 DEBUG    terminal - terminal.c:lxc_terminal_winsz:81 - Set window size to 211 columns and 54 rows
lxc-start playtime 20190807201805.662 DEBUG    conf - conf.c:chown_mapped_root:3176 - trying to chown "/dev/pts/3" to 1000
lxc-start playtime 20190807201805.674 INFO     start - start.c:lxc_init:932 - Container "playtime" is initialized
lxc-start playtime 20190807201805.674 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1405 - The monitor process uses "lxc.monitor/playtime" as cgroup
lxc-start playtime 20190807201805.675 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1470 - The container process uses "lxc.payload/playtime" as cgroup
lxc-start playtime 20190807201805.675 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWUSER
lxc-start playtime 20190807201805.675 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWNS
lxc-start playtime 20190807201805.675 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWPID
lxc-start playtime 20190807201805.675 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWUTS
lxc-start playtime 20190807201805.675 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWIPC
lxc-start playtime 20190807201805.675 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved user namespace via fd 15
lxc-start playtime 20190807201805.675 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved mnt namespace via fd 16
lxc-start playtime 20190807201805.675 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved pid namespace via fd 17
lxc-start playtime 20190807201805.675 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved uts namespace via fd 18
lxc-start playtime 20190807201805.675 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved ipc namespace via fd 19
lxc-start playtime 20190807201805.675 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start playtime 20190807201805.675 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start playtime 20190807201805.675 DEBUG    conf - conf.c:lxc_map_ids:2938 - Functional newuidmap and newgidmap binary found
lxc-start playtime 20190807201805.681 INFO     start - start.c:do_start:1186 - Unshared CLONE_NEWNET
lxc-start playtime 20190807201805.681 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start playtime 20190807201805.681 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start playtime 20190807201805.681 DEBUG    conf - conf.c:lxc_map_ids:2938 - Functional newuidmap and newgidmap binary found
lxc-start playtime 20190807201805.687 DEBUG    start - start.c:lxc_spawn:1833 - Preserved net namespace via fd 10
lxc-start playtime 20190807201805.687 WARN     start - start.c:lxc_spawn:1838 - Operation not permitted - Failed to allocate new network namespace id
lxc-start playtime 20190807201805.687 NOTICE   utils - utils.c:lxc_switch_uid_gid:1411 - Switched to gid 0
lxc-start playtime 20190807201805.687 NOTICE   utils - utils.c:lxc_switch_uid_gid:1420 - Switched to uid 0
lxc-start playtime 20190807201805.687 NOTICE   utils - utils.c:lxc_setgroups:1433 - Dropped additional groups
lxc-start playtime 20190807201805.687 INFO     start - start.c:do_start:1301 - Unshared CLONE_NEWCGROUP
lxc-start playtime 20190807201805.687 DEBUG    storage - storage/storage.c:get_storage_by_name:232 - Detected rootfs type "dir"
lxc-start playtime 20190807201805.687 DEBUG    conf - conf.c:lxc_mount_rootfs:1357 - Mounted rootfs "/home/andre/.local/share/lxc/playtime/rootfs" onto "/usr/lib/lxc/rootfs" with options "(null)"
lxc-start playtime 20190807201805.687 INFO     conf - conf.c:setup_utsname:818 - Set hostname to "playtime"
lxc-start playtime 20190807201805.687 INFO     conf - conf.c:mount_autodev:1145 - Preparing "/dev"
lxc-start playtime 20190807201805.688 INFO     conf - conf.c:mount_autodev:1192 - Prepared "/dev"
lxc-start playtime 20190807201805.688 DEBUG    conf - conf.c:mount_entry:2026 - Remounting "/sys/fs/fuse/connections" on "/usr/lib/lxc/rootfs/sys/fs/fuse/connections" to respect bind or remount options
lxc-start playtime 20190807201805.688 DEBUG    conf - conf.c:mount_entry:2047 - Flags for "/sys/fs/fuse/connections" were 4110, required extra flags are 14
lxc-start playtime 20190807201805.688 DEBUG    conf - conf.c:mount_entry:2100 - Mounted "/sys/fs/fuse/connections" on "/usr/lib/lxc/rootfs/sys/fs/fuse/connections" with filesystem type "none"
lxc-start playtime 20190807201805.688 INFO     conf - conf.c:run_script_argv:371 - Executing script "/usr/share/lxcfs/lxc.mount.hook" for container "playtime", config section "lxc"
lxc-start playtime 20190807201805.693 INFO     conf - conf.c:lxc_fill_autodev:1236 - Populating "/dev"
lxc-start playtime 20190807201805.693 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/full" onto "/usr/lib/lxc/rootfs/dev/full"
lxc-start playtime 20190807201805.693 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/null" onto "/usr/lib/lxc/rootfs/dev/null"
lxc-start playtime 20190807201805.693 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/random" onto "/usr/lib/lxc/rootfs/dev/random"
lxc-start playtime 20190807201805.693 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/tty" onto "/usr/lib/lxc/rootfs/dev/tty"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/urandom" onto "/usr/lib/lxc/rootfs/dev/urandom"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/zero" onto "/usr/lib/lxc/rootfs/dev/zero"
lxc-start playtime 20190807201805.694 INFO     conf - conf.c:lxc_fill_autodev:1313 - Populated "/dev"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_setup_dev_console:1775 - Mounted pts device "/dev/pts/3" onto "/usr/lib/lxc/rootfs/dev/console"
lxc-start playtime 20190807201805.694 INFO     utils - utils.c:lxc_mount_proc_if_needed:1264 - I am 1, /proc/self points to "1"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_setup_devpts:1657 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_setup_devpts:1676 - Created dummy "/dev/ptmx" file as bind mount target
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_setup_devpts:1681 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_allocate_ttys:1015 - Created tty "/dev/pts/0" with master fd 14 and slave fd 15
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_allocate_ttys:1015 - Created tty "/dev/pts/1" with master fd 16 and slave fd 17
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_allocate_ttys:1015 - Created tty "/dev/pts/2" with master fd 18 and slave fd 19
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_allocate_ttys:1015 - Created tty "/dev/pts/3" with master fd 20 and slave fd 21
lxc-start playtime 20190807201805.694 INFO     conf - conf.c:lxc_allocate_ttys:1032 - Finished creating 4 tty devices
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_setup_ttys:967 - Bind mounted "/dev/pts/0" onto "/dev/tty1"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_setup_ttys:967 - Bind mounted "/dev/pts/1" onto "/dev/tty2"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_setup_ttys:967 - Bind mounted "/dev/pts/2" onto "/dev/tty3"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:lxc_setup_ttys:967 - Bind mounted "/dev/pts/3" onto "/dev/tty4"
lxc-start playtime 20190807201805.694 INFO     conf - conf.c:lxc_setup_ttys:976 - Finished setting up 4 /dev/tty<N> device(s)
lxc-start playtime 20190807201805.694 INFO     conf - conf.c:setup_personality:1720 - Set personality to "0x0"
lxc-start playtime 20190807201805.694 DEBUG    conf - conf.c:setup_caps:2521 - Capabilities have been setup
lxc-start playtime 20190807201805.694 NOTICE   conf - conf.c:lxc_setup:3751 - The container "playtime" is set up
lxc-start playtime 20190807201805.695 DEBUG    start - start.c:lxc_spawn:1898 - Preserved cgroup namespace via fd 20
lxc-start playtime 20190807201805.695 NOTICE   start - start.c:start:2118 - Exec'ing "/sbin/init"
lxc-start playtime 20190807201805.695 NOTICE   start - start.c:post_start:2129 - Started "/sbin/init" with pid "6159"
lxc-start playtime 20190807201805.695 NOTICE   start - start.c:signal_handler:438 - Received 17 from pid 6155 instead of container init 6159
lxc-start playtime 20190807201805.705 DEBUG    start - start.c:signal_handler:456 - Container init process 6159 exited
lxc-start playtime 20190807201805.705 INFO     error - error.c:lxc_error_set_and_log:49 - Child <6159> ended on error (255)
lxc-start playtime 20190807201805.705 DEBUG    network - network.c:lxc_delete_network:4027 - Deleted network devices
lxc-start playtime 20190807201805.705 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start playtime 20190807201805.705 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start playtime 20190807201805.705 DEBUG    conf - conf.c:lxc_map_ids:2938 - Functional newuidmap and newgidmap binary found
lxc-start playtime 20190807201805.726 INFO     conf - conf.c:run_script_argv:371 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "playtime", config section "lxc"

Only one container with Ubuntu 14.04 starts. The debug log follows.

lxc-start playtime 20190807202350.501 INFO     confile - confile.c:set_config_idmaps:1987 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start playtime 20190807202350.501 INFO     confile - confile.c:set_config_idmaps:1987 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start playtime 20190807202350.503 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver nop
lxc-start playtime 20190807202350.503 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start playtime 20190807202350.503 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start playtime 20190807202350.503 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "[all]"
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "kexec_load errno 1"
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start playtime 20190807202350.504 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "open_by_handle_at errno 1"
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "init_module errno 1"
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start playtime 20190807202350.505 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start playtime 20190807202350.506 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start playtime 20190807202350.506 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start playtime 20190807202350.506 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "finit_module errno 1"
lxc-start playtime 20190807202350.506 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start playtime 20190807202350.506 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start playtime 20190807202350.506 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start playtime 20190807202350.507 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start playtime 20190807202350.507 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "delete_module errno 1"
lxc-start playtime 20190807202350.507 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start playtime 20190807202350.507 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start playtime 20190807202350.507 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start playtime 20190807202350.507 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start playtime 20190807202350.507 INFO     seccomp - seccomp.c:parse_config_v2:1008 - Merging compat seccomp contexts into main context
lxc-start playtime 20190807202350.510 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:683 - Using terminal "/dev/tty" as proxy
lxc-start playtime 20190807202350.511 DEBUG    terminal - terminal.c:lxc_terminal_signal_init:167 - Created signal fd 9
lxc-start playtime 20190807202350.511 DEBUG    terminal - terminal.c:lxc_terminal_winsz:81 - Set window size to 211 columns and 54 rows
lxc-start playtime 20190807202350.511 DEBUG    conf - conf.c:chown_mapped_root:3176 - trying to chown "/dev/pts/5" to 1000
lxc-start playtime 20190807202350.645 INFO     start - start.c:lxc_init:932 - Container "playtime" is initialized
lxc-start playtime 20190807202350.646 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1405 - The monitor process uses "lxc.monitor/playtime" as cgroup
lxc-start playtime 20190807202350.647 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1470 - The container process uses "lxc.payload/playtime" as cgroup
lxc-start playtime 20190807202350.651 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWUSER
lxc-start playtime 20190807202350.651 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWNS
lxc-start playtime 20190807202350.651 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWPID
lxc-start playtime 20190807202350.651 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWUTS
lxc-start playtime 20190807202350.651 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWIPC
lxc-start playtime 20190807202350.651 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved user namespace via fd 15
lxc-start playtime 20190807202350.651 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved mnt namespace via fd 16
lxc-start playtime 20190807202350.651 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved pid namespace via fd 17
lxc-start playtime 20190807202350.651 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved uts namespace via fd 18
lxc-start playtime 20190807202350.651 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved ipc namespace via fd 19
lxc-start playtime 20190807202350.652 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start playtime 20190807202350.652 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start playtime 20190807202350.652 DEBUG    conf - conf.c:lxc_map_ids:2938 - Functional newuidmap and newgidmap binary found
lxc-start playtime 20190807202350.712 INFO     start - start.c:do_start:1186 - Unshared CLONE_NEWNET
lxc-start playtime 20190807202350.715 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start playtime 20190807202350.715 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2852 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start playtime 20190807202350.715 DEBUG    conf - conf.c:lxc_map_ids:2938 - Functional newuidmap and newgidmap binary found
lxc-start playtime 20190807202350.774 DEBUG    start - start.c:lxc_spawn:1833 - Preserved net namespace via fd 10
lxc-start playtime 20190807202350.774 WARN     start - start.c:lxc_spawn:1838 - Operation not permitted - Failed to allocate new network namespace id
lxc-start playtime 20190807202350.775 NOTICE   utils - utils.c:lxc_switch_uid_gid:1411 - Switched to gid 0
lxc-start playtime 20190807202350.775 NOTICE   utils - utils.c:lxc_switch_uid_gid:1420 - Switched to uid 0
lxc-start playtime 20190807202350.775 NOTICE   utils - utils.c:lxc_setgroups:1433 - Dropped additional groups
lxc-start playtime 20190807202350.776 INFO     start - start.c:do_start:1301 - Unshared CLONE_NEWCGROUP
lxc-start playtime 20190807202350.778 DEBUG    storage - storage/storage.c:get_storage_by_name:232 - Detected rootfs type "dir"
lxc-start playtime 20190807202350.778 DEBUG    conf - conf.c:lxc_mount_rootfs:1357 - Mounted rootfs "/home/andre/.local/share/lxc/playtime/rootfs" onto "/usr/lib/lxc/rootfs" with options "(null)"
lxc-start playtime 20190807202350.778 INFO     conf - conf.c:setup_utsname:818 - Set hostname to "playtime"
lxc-start playtime 20190807202350.778 INFO     conf - conf.c:mount_autodev:1145 - Preparing "/dev"
lxc-start playtime 20190807202350.779 INFO     conf - conf.c:mount_autodev:1192 - Prepared "/dev"
lxc-start playtime 20190807202350.781 DEBUG    conf - conf.c:mount_entry:2026 - Remounting "/sys/fs/fuse/connections" on "/usr/lib/lxc/rootfs/sys/fs/fuse/connections" to respect bind or remount options
lxc-start playtime 20190807202350.781 DEBUG    conf - conf.c:mount_entry:2047 - Flags for "/sys/fs/fuse/connections" were 4110, required extra flags are 14
lxc-start playtime 20190807202350.781 DEBUG    conf - conf.c:mount_entry:2100 - Mounted "/sys/fs/fuse/connections" on "/usr/lib/lxc/rootfs/sys/fs/fuse/connections" with filesystem type "none"
lxc-start playtime 20190807202350.781 DEBUG    conf - conf.c:mount_entry:2026 - Remounting "/sys/kernel/debug" on "/usr/lib/lxc/rootfs/sys/kernel/debug" to respect bind or remount options
lxc-start playtime 20190807202350.782 DEBUG    conf - conf.c:mount_entry:2047 - Flags for "/sys/kernel/debug" were 4110, required extra flags are 14
lxc-start playtime 20190807202350.782 DEBUG    conf - conf.c:mount_entry:2100 - Mounted "/sys/kernel/debug" on "/usr/lib/lxc/rootfs/sys/kernel/debug" with filesystem type "none"
lxc-start playtime 20190807202350.782 DEBUG    conf - conf.c:mount_entry:2026 - Remounting "/sys/kernel/security" on "/usr/lib/lxc/rootfs/sys/kernel/security" to respect bind or remount options
lxc-start playtime 20190807202350.782 DEBUG    conf - conf.c:mount_entry:2047 - Flags for "/sys/kernel/security" were 4110, required extra flags are 14
lxc-start playtime 20190807202350.782 DEBUG    conf - conf.c:mount_entry:2100 - Mounted "/sys/kernel/security" on "/usr/lib/lxc/rootfs/sys/kernel/security" with filesystem type "none"
lxc-start playtime 20190807202350.782 DEBUG    conf - conf.c:mount_entry:2026 - Remounting "/sys/fs/pstore" on "/usr/lib/lxc/rootfs/sys/fs/pstore" to respect bind or remount options
lxc-start playtime 20190807202350.782 DEBUG    conf - conf.c:mount_entry:2047 - Flags for "/sys/fs/pstore" were 4110, required extra flags are 14
lxc-start playtime 20190807202350.782 DEBUG    conf - conf.c:mount_entry:2100 - Mounted "/sys/fs/pstore" on "/usr/lib/lxc/rootfs/sys/fs/pstore" with filesystem type "none"
lxc-start playtime 20190807202350.783 DEBUG    conf - conf.c:mount_entry:2100 - Mounted "mqueue" on "/usr/lib/lxc/rootfs/dev/mqueue" with filesystem type "mqueue"
lxc-start playtime 20190807202350.783 DEBUG    conf - conf.c:mount_entry:2026 - Remounting "/sys/firmware/efi/efivars" on "/usr/lib/lxc/rootfs/sys/firmware/efi/efivars" to respect bind or remount options
lxc-start playtime 20190807202350.783 DEBUG    conf - conf.c:mount_entry:2047 - Flags for "/sys/firmware/efi/efivars" were 4110, required extra flags are 14
lxc-start playtime 20190807202350.783 DEBUG    conf - conf.c:mount_entry:2100 - Mounted "/sys/firmware/efi/efivars" on "/usr/lib/lxc/rootfs/sys/firmware/efi/efivars" with filesystem type "none"
lxc-start playtime 20190807202350.784 DEBUG    conf - conf.c:mount_entry:2026 - Remounting "/proc/sys/fs/binfmt_misc" on "/usr/lib/lxc/rootfs/proc/sys/fs/binfmt_misc" to respect bind or remount options
lxc-start playtime 20190807202350.784 DEBUG    conf - conf.c:mount_entry:2047 - Flags for "/proc/sys/fs/binfmt_misc" were 4110, required extra flags are 14
lxc-start playtime 20190807202350.784 DEBUG    conf - conf.c:mount_entry:2100 - Mounted "/proc/sys/fs/binfmt_misc" on "/usr/lib/lxc/rootfs/proc/sys/fs/binfmt_misc" with filesystem type "none"
lxc-start playtime 20190807202350.784 INFO     conf - conf.c:run_script_argv:371 - Executing script "/usr/share/lxcfs/lxc.mount.hook" for container "playtime", config section "lxc"
lxc-start playtime 20190807202350.837 INFO     conf - conf.c:lxc_fill_autodev:1236 - Populating "/dev"
lxc-start playtime 20190807202350.837 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/full" onto "/usr/lib/lxc/rootfs/dev/full"
lxc-start playtime 20190807202350.837 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/null" onto "/usr/lib/lxc/rootfs/dev/null"
lxc-start playtime 20190807202350.838 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/random" onto "/usr/lib/lxc/rootfs/dev/random"
lxc-start playtime 20190807202350.838 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/tty" onto "/usr/lib/lxc/rootfs/dev/tty"
lxc-start playtime 20190807202350.838 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/urandom" onto "/usr/lib/lxc/rootfs/dev/urandom"
lxc-start playtime 20190807202350.838 DEBUG    conf - conf.c:lxc_fill_autodev:1308 - Bind mounted host device node "/dev/zero" onto "/usr/lib/lxc/rootfs/dev/zero"
lxc-start playtime 20190807202350.838 INFO     conf - conf.c:lxc_fill_autodev:1313 - Populated "/dev"
lxc-start playtime 20190807202350.839 DEBUG    conf - conf.c:lxc_setup_dev_console:1775 - Mounted pts device "/dev/pts/5" onto "/usr/lib/lxc/rootfs/dev/console"
lxc-start playtime 20190807202350.839 INFO     utils - utils.c:lxc_mount_proc_if_needed:1264 - I am 1, /proc/self points to "1"
lxc-start playtime 20190807202350.844 DEBUG    conf - conf.c:lxc_setup_devpts:1657 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024"
lxc-start playtime 20190807202350.844 DEBUG    conf - conf.c:lxc_setup_devpts:1676 - Created dummy "/dev/ptmx" file as bind mount target
lxc-start playtime 20190807202350.844 DEBUG    conf - conf.c:lxc_setup_devpts:1681 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx"
lxc-start playtime 20190807202350.845 DEBUG    conf - conf.c:lxc_allocate_ttys:1015 - Created tty "/dev/pts/0" with master fd 14 and slave fd 15
lxc-start playtime 20190807202350.845 DEBUG    conf - conf.c:lxc_allocate_ttys:1015 - Created tty "/dev/pts/1" with master fd 16 and slave fd 17
lxc-start playtime 20190807202350.846 DEBUG    conf - conf.c:lxc_allocate_ttys:1015 - Created tty "/dev/pts/2" with master fd 18 and slave fd 19
lxc-start playtime 20190807202350.846 DEBUG    conf - conf.c:lxc_allocate_ttys:1015 - Created tty "/dev/pts/3" with master fd 20 and slave fd 21
lxc-start playtime 20190807202350.846 INFO     conf - conf.c:lxc_allocate_ttys:1032 - Finished creating 4 tty devices
lxc-start playtime 20190807202350.847 DEBUG    conf - conf.c:lxc_setup_ttys:967 - Bind mounted "/dev/pts/0" onto "/dev/tty1"
lxc-start playtime 20190807202350.847 DEBUG    conf - conf.c:lxc_setup_ttys:967 - Bind mounted "/dev/pts/1" onto "/dev/tty2"
lxc-start playtime 20190807202350.847 DEBUG    conf - conf.c:lxc_setup_ttys:967 - Bind mounted "/dev/pts/2" onto "/dev/tty3"
lxc-start playtime 20190807202350.847 DEBUG    conf - conf.c:lxc_setup_ttys:967 - Bind mounted "/dev/pts/3" onto "/dev/tty4"
lxc-start playtime 20190807202350.847 INFO     conf - conf.c:lxc_setup_ttys:976 - Finished setting up 4 /dev/tty<N> device(s)
lxc-start playtime 20190807202350.847 INFO     conf - conf.c:setup_personality:1720 - Set personality to "0x0"
lxc-start playtime 20190807202350.847 DEBUG    conf - conf.c:setup_caps:2521 - Capabilities have been setup
lxc-start playtime 20190807202350.847 NOTICE   conf - conf.c:lxc_setup:3751 - The container "playtime" is set up
lxc-start playtime 20190807202350.859 DEBUG    start - start.c:lxc_spawn:1898 - Preserved cgroup namespace via fd 20
lxc-start playtime 20190807202350.859 NOTICE   start - start.c:start:2118 - Exec'ing "/sbin/init"
lxc-start playtime 20190807202350.861 NOTICE   start - start.c:post_start:2129 - Started "/sbin/init" with pid "19738"
lxc-start playtime 20190807202350.862 NOTICE   start - start.c:signal_handler:438 - Received 17 from pid 19734 instead of container init 19738

Any idea?

Same here with Debian, but works with 5.2 and lxc 3.0.3.

Possibly try to run lxc-start with sudo.
That’s from this GitHub thread that I have not tried to follow too closely, I admit, but it seems to imply that there could be loads of reasons for systemd to refuse to start - so if your Ubuntu 14 is happy, maybe it’s because init is NOT systemd for this OS.

@brauner

I don’t want unprivileged containers for no reason. It must not be possible to include or manipulate the root file system in the container. Sudo start would be exactly the wrong way. Then I can do everything about Sudo.

Here is what happens when launching an unprivileged container under the latest version of snap lxd (snap lxd since the beginning, in fact):

root     19935  0.0  0.1 292872 13016 ?        Ss   06:52   0:00 [lxc monitor] /var/snap/lxd/common/lxd/containers test
1000000  19970  0.3  0.1 225020  9024 ?        Ss   06:52   0:00  \_ /sbin/init
1000000  20116  0.1  0.1  78448  9776 ?        Ss   06:52   0:00      \_ /lib/systemd/systemd-journald

LXD maintainers will be devastated to learn they are doing things exactly the wrong way. They could argue it’s the bad influence of the LXC maintainer that has made them do this abomination.

Seriously, when someone asks you to try something, it means exactly that. Try to see if it changes the result.

Now start with Sudo the unprivileged Arch-Container.

Command:

sudo lxc-start -n arch -F --lxcpath=/home/andre/.local/share/lxc --logfile=/home/andre/debug.log --logpriority=DEBUG

Answer:

lxc-start: arch: cgroups/cgfsng.c: mkdir_eexist_on_last: 1279 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc.payload/arch"
lxc-start: arch: cgroups/cgfsng.c: container_create_path_for_hierarchy: 1319 Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/arch"
lxc-start: arch: cgroups/cgfsng.c: cgfsng_payload_create: 1455 Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/arch"
lxc-start: arch: cgroups/cgfsng.c: mkdir_eexist_on_last: 1279 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc.payload/arch-1"
lxc-start: arch: cgroups/cgfsng.c: container_create_path_for_hierarchy: 1319 Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/arch-1"
lxc-start: arch: cgroups/cgfsng.c: cgfsng_payload_create: 1455 Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/arch-1"
lxc-start: arch: conf.c: lxc_map_ids: 3008 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [100000-165536) not allowed": newuidmap 20909 0 100000 65536
lxc-start: arch: start.c: lxc_spawn: 1798 Failed to set up id mapping.
lxc-start: arch: start.c: __lxc_start: 2036 Failed to spawn container "arch"
lxc-start: arch: conf.c: lxc_map_ids: 3008 newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [100000-165536) not allowed": newuidmap 20911 0 100000 65536 65536 0 1
lxc-start: arch: conf.c: userns_exec_1: 4410 Error setting up {g,u}id mappings for child process "20911"
lxc-start: arch: tools/lxc_start.c: main: 329 The container failed to start
lxc-start: arch: tools/lxc_start.c: main: 334 Additional information can be obtained by setting the --logfile and --logpriority options

DEBUG-OUTPUT.

lxc-start arch 20190809112955.549 INFO     confile - confile.c:set_config_idmaps:1987 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start arch 20190809112955.549 INFO     confile - confile.c:set_config_idmaps:1987 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start arch 20190809112955.549 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver nop
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "[all]"
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "kexec_load errno 1"
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "open_by_handle_at errno 1"
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "init_module errno 1"
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "finit_module errno 1"
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "delete_module errno 1"
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:973 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:982 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:992 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:1002 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start arch 20190809112955.549 INFO     seccomp - seccomp.c:parse_config_v2:1008 - Merging compat seccomp contexts into main context
lxc-start arch 20190809112955.549 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:683 - Using terminal "/dev/tty" as proxy
lxc-start arch 20190809112955.549 DEBUG    terminal - terminal.c:lxc_terminal_signal_init:167 - Created signal fd 9
lxc-start arch 20190809112955.549 DEBUG    terminal - terminal.c:lxc_terminal_winsz:81 - Set window size to 211 columns and 54 rows
lxc-start arch 20190809112955.550 INFO     start - start.c:lxc_init:932 - Container "arch" is initialized
lxc-start arch 20190809112955.550 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1405 - The monitor process uses "lxc.monitor/arch" as cgroup
lxc-start arch 20190809112955.550 DEBUG    storage - storage/storage.c:get_storage_by_name:232 - Detected rootfs type "dir"
lxc-start arch 20190809112955.550 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1279 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc.payload/arch"
lxc-start arch 20190809112955.550 ERROR    cgfsng - cgroups/cgfsng.c:container_create_path_for_hierarchy:1319 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/arch"
lxc-start arch 20190809112955.550 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1455 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/arch"
lxc-start arch 20190809112955.550 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1279 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc.payload/arch-1"
lxc-start arch 20190809112955.550 ERROR    cgfsng - cgroups/cgfsng.c:container_create_path_for_hierarchy:1319 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/arch-1"
lxc-start arch 20190809112955.550 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1455 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/arch-1"
lxc-start arch 20190809112955.551 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1470 - The container process uses "lxc.payload/arch-2" as cgroup
lxc-start arch 20190809112955.551 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWUSER
lxc-start arch 20190809112955.551 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWNS
lxc-start arch 20190809112955.551 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWPID
lxc-start arch 20190809112955.551 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWUTS
lxc-start arch 20190809112955.551 INFO     start - start.c:lxc_spawn:1778 - Cloned CLONE_NEWIPC
lxc-start arch 20190809112955.551 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved user namespace via fd 15
lxc-start arch 20190809112955.551 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved mnt namespace via fd 16
lxc-start arch 20190809112955.551 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved pid namespace via fd 17
lxc-start arch 20190809112955.551 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved uts namespace via fd 18
lxc-start arch 20190809112955.551 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved ipc namespace via fd 19
lxc-start arch 20190809112955.551 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2861 - The binary "/usr/bin/newuidmap" has CAP_SETUID in its CAP_EFFECTIVE and CAP_PERMITTED sets
lxc-start arch 20190809112955.551 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2870 - The binary "/usr/bin/newgidmap" has CAP_SETGID in its CAP_EFFECTIVE and CAP_PERMITTED sets
lxc-start arch 20190809112955.551 DEBUG    conf - conf.c:lxc_map_ids:2938 - Functional newuidmap and newgidmap binary found
lxc-start arch 20190809112955.557 ERROR    conf - conf.c:lxc_map_ids:3008 - newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [100000-165536) not allowed": newuidmap 20909 0 100000 65536
lxc-start arch 20190809112955.558 ERROR    start - start.c:lxc_spawn:1798 - Failed to set up id mapping.
lxc-start arch 20190809112955.558 DEBUG    network - network.c:lxc_delete_network:4027 - Deleted network devices
lxc-start arch 20190809112955.558 ERROR    start - start.c:__lxc_start:2036 - Failed to spawn container "arch"
lxc-start arch 20190809112955.558 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2861 - The binary "/usr/bin/newuidmap" has CAP_SETUID in its CAP_EFFECTIVE and CAP_PERMITTED sets
lxc-start arch 20190809112955.558 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2870 - The binary "/usr/bin/newgidmap" has CAP_SETGID in its CAP_EFFECTIVE and CAP_PERMITTED sets
lxc-start arch 20190809112955.558 DEBUG    conf - conf.c:lxc_map_ids:2938 - Functional newuidmap and newgidmap binary found
lxc-start arch 20190809112955.561 ERROR    conf - conf.c:lxc_map_ids:3008 - newuidmap failed to write mapping "newuidmap: uid range [0-65536) -> [100000-165536) not allowed": newuidmap 20911 0 100000 65536 65536 0 1
lxc-start arch 20190809112955.561 ERROR    conf - conf.c:userns_exec_1:4410 - Error setting up {g,u}id mappings for child process "20911"
lxc-start arch 20190809112955.561 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1112 - Failed to destroy cgroups
lxc-start arch 20190809112955.573 INFO     conf - conf.c:run_script_argv:371 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "arch", config section "lxc"
lxc-start arch 20190809112956.799 ERROR    lxc_start - tools/lxc_start.c:main:329 - The container failed to start
lxc-start arch 20190809112956.799 ERROR    lxc_start - tools/lxc_start.c:main:334 - Additional information can be obtained by setting the --logfile and --logpriority options

It’s failing earlier, apparently about a subuid/subgid problem. I have never understood why subuid and subgid were created for root since root is supposed to have the right to everything. Maybe it’s really what’s missing for the start as root to go further.
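The range check behind the "not allowed" message can be reproduced offline. The sketch below is an added example, not code from this thread, from LXC or from shadow: it tests each lxc.idmap line of a config against the subuid/subgid delegations of the account that starts the container. The function names and sample files are hypothetical, and the missing root entry is an assumption based on the newuidmap error in the log above.

```bash
# subid_covers OWNER HOSTID COUNT FILE
# Succeeds when a single "owner:start:count" line in FILE (the format of
# /etc/subuid and /etc/subgid) contains the whole range [HOSTID, HOSTID+COUNT).
# Not modeled: entries keyed by numeric uid, and the rule that lets a caller
# map its own single id (the "65536 0 1" part of the second newuidmap call).
subid_covers() {
    awk -F: -v owner="$1" -v lo="$2" -v n="$3" '
        $1 == owner && n + 0 > 0 && lo + 0 >= $2 + 0 &&
            lo + n <= $2 + $3 { found = 1 }
        END { exit !found }
    ' "$4"
}

# check_idmaps CONFIG OWNER SUBUID_FILE SUBGID_FILE
# Prints one verdict per lxc.idmap line; returns 1 if any mapping is refused.
check_idmaps() {
    local config="$1" owner="$2" subuid="$3" subgid="$4"
    local rc=0 key eq kind nsid hostid count file
    while read -r key eq kind nsid hostid count; do
        [ "$key" = "lxc.idmap" ] || continue
        case $kind in
            u) file=$subuid ;;
            g) file=$subgid ;;
            *) continue ;;
        esac
        if subid_covers "$owner" "$hostid" "$count" "$file"; then
            echo "ok      $kind $nsid -> $hostid count $count ($owner)"
        else
            echo "refused $kind $nsid -> $hostid count $count ($owner)"
            rc=1
        fi
    done <<EOF
$(sed 's/=/ = /' "$config")
EOF
    return "$rc"
}

# write_sample DIR: constructed files mirroring the values posted in the thread
# (only "username" has a delegation; root has none, which is an assumption).
write_sample() {
    printf '%s\n' 'username:100000:65536' > "$1/subuid"
    printf '%s\n' 'username:100000:65536' > "$1/subgid"
    printf '%s\n' 'lxc.idmap = u 0 100000 65536' \
                  'lxc.idmap = g 0 100000 65536' \
                  'lxc.net.0.type = veth' > "$1/default.conf"
}

# Same config, two callers: the owning user, then root (what sudo makes you).
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
for caller in username root; do
    check_idmaps "$demo_dir/default.conf" "$caller" \
        "$demo_dir/subuid" "$demo_dir/subgid" ||
        echo "=> the id mapping tools would reject this config for $caller"
done
rm -rf "$demo_dir"
```

On a real host, pass the container's config together with /etc/subuid and /etc/subgid, and the name of the account that will actually invoke lxc-start.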

It’s deliberate, it’s an unprivileged container, after all.

You wanted me to start it directly with Sudo. But since this container is unprivileged, this error occurs.

Creating and starting directly via Sudo (privileged) runs without errors. That’s why I thought Sudo wouldn’t do much.

I basically want to do the same as here with Docker. A container limited in user space.


This container should not be able to break out.

Follow that order.

sudo lxc-start -n arch -F --lxcpath=/home/andre/.local/share/lxc --logfile=/home/andre/debug.log --logpriority=DEBUG

An unprivileged container of an unprivileged user is started by Sudo.