I was able to create a temporary application container using the lxc-execute command when the lxc version was 1.0.11. The config file is as follows:
lxc.utsname=guest
lxc.network.type=veth
lxc.network.name=eth1
lxc.network.flags=up
lxc.network.link=lxcbr0
lxc.network.hwaddr=02:00:01:01:00:01
lxc.network.ipv4=10.0.3.2/24
lxc.network.veth.pair=veth1.1
lxc.network.type=veth
lxc.network.name=eth2
lxc.network.hwaddr=02:00:01:02:00:01
lxc.network.veth.pair=veth1.2
lxc.network.type = empty
lxc.network.flags=up
lxc.console = none
lxc.tty = 1
lxc.pts = 128
lxc.cgroup.devices.allow = a
lxc.autodev = 1
lxc.hook.autodev = /home/xxx/lxc.hook.autodev.sh
lxc.aa_profile = unconfined
Now the major version of lxc has been updated to 6, and I try to do the same thing. I know some config keys have changed, so I modified the config file above as follows:
lxc.uts.name=guest
lxc.net.0.type=veth
lxc.net.0.name=eth1
lxc.net.0.flags=up
lxc.net.0.link=lxcbr0
lxc.net.0.hwaddr=02:00:01:01:00:01
lxc.net.0.ipv4.address=10.0.3.2/24
lxc.net.0.ipv4.gateway=10.0.3.1
lxc.net.0.veth.pair=veth1.1
lxc.console.path = none
lxc.tty.max = 4
lxc.pty.max = 128
lxc.cgroup.devices.allow = a
lxc.autodev = 1
lxc.hook.autodev = /home/xxx/lxc.hook.autodev.sh
Then I execute the command:
lxc-execute -f guest.config -n guest -- /usr/sbin/sshd
It failed, and the output is:
lxc-execute: guest: ../src/lxc/conf.c: lxc_transient_proc: 3349 No such file or directory - Failed to mount temporary procfs
lxc-execute: guest: ../src/lxc/mount_utils.c: mount_at: 660 No such file or directory - Failed to mount "/proc/self/fd/20" to "/proc/self/fd/21"
lxc-execute: guest: ../src/lxc/conf.c: lxc_setup_devpts_child: 1654 Failed to bind mount "/dev/pts/ptmx" to "/dev/ptmx"
lxc-execute: guest: ../src/lxc/conf.c: lxc_setup_devpts_child: 1664 No such file or directory - Failed to create symlink from "/dev/ptmx" to "/dev/pts/ptmx"
lxc-execute: guest: ../src/lxc/conf.c: lxc_setup: 3969 Failed to prepare new devpts instance
lxc-execute: guest: ../src/lxc/start.c: do_start: 1273 Failed to setup container "guest"
lxc-execute: guest: ../src/lxc/sync.c: sync_wait: 34 An error occurred in another process (expected sequence number 4)
lxc-execute: guest: ../src/lxc/start.c: __lxc_start: 2114 Failed to spawn container "guest"
lxc-execute: guest: ../src/lxc/tools/lxc_execute.c: lxc_execute_main: 225 Failed run an application inside container
I guess it's because I did not set the path of the rootfs, so I add a line to the config file:
lxc.rootfs.path = dir:/
Yeah, I try to set the rootfs path to the root directory of the host, because I think this is the same as what I did with lxc 1.0.11 as mentioned above.
Then it seems that the container is successfully launched and the sshd server is running. But if I try to log in to the container via ssh:
ssh root@10.0.3.2
the output is:
A valid context for root could not be obtained.
Last login: Thu Mar 13 20:26:57 2025
Connection to 10.0.3.2 closed.
so the login failed.
Then I try to make a rootfs in /tmp/guest/rootfs manually, and add some lxc.mount.entry settings to the config file:
lxc.rootfs.path=dir:/tmp/guest/rootfs
lxc.mount.entry=/lib /tmp/guest/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/usr/libexec /tmp/guest/rootfs/usr/libexec none ro,bind 0 0
lxc.mount.entry=/lib64 /tmp/guest/rootfs/lib64 none ro,bind 0 0
lxc.mount.entry=/usr/lib64 /tmp/guest/rootfs/usr/lib64 none ro,bind 0 0
lxc.mount.entry=/bin /tmp/guest/rootfs/bin none ro,bind 0 0
lxc.mount.entry=/usr/bin /tmp/guest/rootfs/usr/bin none ro,bind 0 0
lxc.mount.entry=/usr/sbin /tmp/guest/rootfs/usr/sbin none ro,bind 0 0
lxc.mount.entry=/usr/share /tmp/guest/rootfs/usr/share none ro,bind 0 0
lxc.mount.entry=/etc /tmp/guest/rootfs/etc none ro,bind 0 0
lxc.mount.entry=/root /tmp/guest/rootfs/root none ro,bind 0 0
Then I try to log in to the container via ssh again, and it succeeds. Although there are still some strange outputs whose cause I don't know, the connection is not closed accidentally:
-bash: /usr/lib/os-release: No such file or directory
basename: missing operand
Try 'basename --help' for more information.
root@guest:~#
So, my question is: why does it output "A valid context for root could not be obtained" when I set the host's root directory as the container's rootfs path? What does this message mean and how do I fix it? And what does the output after I successfully log in to the container mean?
The output of uname -a on my OS is:
Linux localhost 6.13.5-200.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Feb 27 15:07:31 UTC 2025 x86_64 GNU/Linux
And the output of sestatus on the host is:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
I accidentally discovered that the output of sestatus in the container that I created with lxc.rootfs.path=dir:/tmp/guest/rootfs is:
root@guest:~# sestatus
SELinux status: disabled
And the output of sestatus in the container created with lxc.rootfs.path=dir:/ is the same as the output on the host.
So maybe it's SELinux that prevents me from logging in to the container via ssh. But I don't know how to deal with SELinux to fix the problem.
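As an added example for the config and SELinux observations in the question above (this is not code from the post or from the LXC project), the following script audits an lxc config the way a reviewer would before exposing sshd from a container: it recognises the legacy 1.0 key names, flags a rootfs of dir:/ (which is what makes the host's SELinux policy and file labels visible inside the guest, consistent with sestatus printing the same output in both), devices.allow = a, an unconfined AppArmor profile, and a host with SELinux enabled but no lxc.selinux.context set. The finding names, messages and trimmed sample configs are constructed for this example; lxc.selinux.context is the key documented in lxc.container.conf(5), and the context value given for it here is a placeholder.

```python
"""Audit an LXC config for settings that weaken the container boundary.

Example code added to the question above; not from the original post or from
the LXC project. It parses the key=value configs shown in the question, flags
the pre-2.1 key names that lxc-update-config renames, and lists what a
reviewer would raise before running sshd in such a container. Finding names
and messages are this script's own; lxc.selinux.context is the key documented
in lxc.container.conf(5).
"""

# Legacy key -> current key; lxc.network.* became lxc.net.N.* (prefix match).
LEGACY_KEYS = {
    "lxc.utsname": "lxc.uts.name",
    "lxc.aa_profile": "lxc.apparmor.profile",
    "lxc.tty": "lxc.tty.max",
    "lxc.pts": "lxc.pty.max",
    "lxc.console": "lxc.console.path",
    "lxc.rootfs": "lxc.rootfs.path",
}
MESSAGES = {
    "LEGACY_KEYS": "pre-2.1 key names; rename them or run lxc-update-config",
    "HOST_ROOT_SHARED": "rootfs is the host's / (or unset): the guest sees the "
    "host's /etc, file labels and loaded SELinux policy, so pam_selinux in "
    "sshd computes root's login context against the host policy",
    "ALL_DEVICES": "devices.allow = a grants the container every device node",
    "APPARMOR_UNCONFINED": "AppArmor confinement is switched off",
    "NO_SELINUX_CONTEXT": "host SELinux is enabled but lxc.selinux.context is "
    "unset, so LXC assigns no context of its own to container processes",
}

def parse_config(text):
    """Return (key, value) pairs in file order; repeated keys are all kept."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs

def parse_sestatus(text):
    """Turn sestatus output into a dict, e.g. {'Current mode': 'enforcing'}."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            status[key.strip()] = value.strip()
    return status

def audit(config_text, sestatus_text=""):
    """Return the finding names for a config, given the host's sestatus output."""
    pairs = parse_config(config_text)
    keys = [k for k, _ in pairs]
    findings = []
    if any(k in LEGACY_KEYS or k.startswith("lxc.network.") for k in keys):
        findings.append("LEGACY_KEYS")
    rootfs = [v for k, v in pairs if k in ("lxc.rootfs.path", "lxc.rootfs")]
    # No rootfs key at all (as in the lxc 1.0 config) means no separate tree.
    if not rootfs or rootfs[-1] in ("dir:/", "/"):
        findings.append("HOST_ROOT_SHARED")
    if any(k in ("lxc.cgroup.devices.allow", "lxc.cgroup2.devices.allow")
           and v == "a" for k, v in pairs):
        findings.append("ALL_DEVICES")
    if any(k in ("lxc.aa_profile", "lxc.apparmor.profile")
           and v == "unconfined" for k, v in pairs):
        findings.append("APPARMOR_UNCONFINED")
    host = parse_sestatus(sestatus_text)
    if host.get("SELinux status") == "enabled" and "lxc.selinux.context" not in keys:
        findings.append("NO_SELINUX_CONTEXT")
    return findings

# Constructed samples trimmed from the question: the lxc 6 config with the
# added `lxc.rootfs.path = dir:/`, the lxc 1.0 config, and a separate-rootfs
# variant whose lxc.selinux.context value is a placeholder.
LXC6_CONFIG = """\
lxc.uts.name=guest
lxc.net.0.type=veth
lxc.cgroup.devices.allow = a
lxc.rootfs.path = dir:/
"""
LXC1_CONFIG = """\
lxc.utsname=guest
lxc.network.type=veth
lxc.cgroup.devices.allow = a
lxc.aa_profile = unconfined
"""
SEPARATE_ROOTFS_CONFIG = """\
lxc.rootfs.path=dir:/tmp/guest/rootfs
lxc.mount.entry=/lib /tmp/guest/rootfs/lib none ro,bind 0 0
lxc.selinux.context = system_u:system_r:lxc_t:s0:c22
"""
HOST_SESTATUS = "SELinux status: enabled\nCurrent mode: enforcing\n"

if __name__ == "__main__":
    for name, cfg in (("lxc 1.0", LXC1_CONFIG), ("lxc 6 + dir:/", LXC6_CONFIG),
                      ("separate rootfs", SEPARATE_ROOTFS_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg, HOST_SESTATUS):
            print(f"  {finding}: {MESSAGES[finding]}")
```

Running it prints the findings for the three sample configs. The HOST_ROOT_SHARED finding is the one that lines up with the "A valid context for root could not be obtained" message, which is pam_selinux's wording for failing to compute a login context; the separate-rootfs config with a context set produces no findings.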