[SOLVED] LXC unprivileged container in Debian Jessie

matiasar · 04-19-2015, 07:26 PM

I've been trying to start an unprivileged LXC container in Debian Jessie (stock kernel version: 3.16.0-4-686-pae) for several days with no success.

I've followed these tutorials:
https://www.stgraber.org/2014/01/17/...ed-containers/

Created the subuid and subgid for the user I wish to start the containers with:

Code:

# grep -w lxcuser /etc/sub* 2>/dev/null
/etc/subgid:lxcuser:100000:65537
/etc/subuid:lxcuser:100000:65537

I configured those subids within lxc config file:

Code:

lxcuser@matuxntbk:~$ cat .config/lxc/default.conf 
lxc.id_map = u 0 100000 65537
lxc.id_map = g 0 100000 65537

I was able to create the container (debian wheezy)

Code:

$ lxc-ls --fancy
NAME       STATE    IPV4  IPV6  AUTOSTART  
-----------------------------------------
retuxinho  STOPPED  -     -     NO

But trying to start the container I always get the following error:

Code:

lxcuser@matuxntbk:~$ lxc-start -f .config/lxc/default.conf -n retuxinho --logfile=/tmp/startretuxinho.log --logpriority=trace
lxc-start: Permission denied - Could not create cgroup '/retuxinho' in '/sys/fs/cgroup/perf_event'.
lxc-start: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
lxc-start: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
lxc-start: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls,net_prio/
lxc-start: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
lxc-start: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
lxc-start: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/
lxc-start: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
lxc-start: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
lxc-start: failed creating cgroups
lxc-start: failed to spawn 'retuxinho'
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --logpriority options.

The full logs:

Code:

 lxc-start 1429489340.992 INFO     lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65537
      lxc-start 1429489340.992 INFO     lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65537
      lxc-start 1429489340.992 WARN     lxc_log - lxc_log_init called with log already initialized
      lxc-start 1429489340.992 INFO     lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65537
      lxc-start 1429489340.992 INFO     lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65537
      lxc-start 1429489340.992 INFO     lxc_lsm - LSM security driver nop
      lxc-start 1429489340.992 DEBUG    lxc_start - sigchild handler set
      lxc-start 1429489340.992 INFO     lxc_start - 'retuxinho' is initialized
      lxc-start 1429489341.002 DEBUG    lxc_start - Not dropping cap_sys_boot or watching utmp
      lxc-start 1429489341.002 INFO     lxc_start - Cloning a new user namespace
      lxc-start 1429489341.003 INFO     lxc_cgroup - cgroup driver cgroupfs initing for retuxinho
      lxc-start 1429489341.004 ERROR    lxc_cgfs - Permission denied - Could not create cgroup '/retuxinho' in '/sys/fs/cgroup/perf_event'.
      lxc-start 1429489341.006 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
      lxc-start 1429489341.007 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
      lxc-start 1429489341.007 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls,net_prio/
      lxc-start 1429489341.007 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
      lxc-start 1429489341.008 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
      lxc-start 1429489341.008 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/
      lxc-start 1429489341.008 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
      lxc-start 1429489341.009 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
      lxc-start 1429489341.009 ERROR    lxc_start - failed creating cgroups
      lxc-start 1429489341.009 ERROR    lxc_start - failed to spawn 'retuxinho'
      lxc-start 1429489341.009 ERROR    lxc_start_ui - The container failed to start.
      lxc-start 1429489341.009 ERROR    lxc_start_ui - Additional information can be obtained by setting the --logfile and --logpriority options.

I think the problem may be related with cgroups configurations/permissions, but I couldn't solve it. cgmanager service is running. I'm new to cgroups and lxc.
Does anybody knows what needs to be done in order to cgroups have appropiatted permissions?
Any help will be ver appreciated.

Thanks!

ceyx · 04-20-2015, 01:39 AM

From :
https://linuxcontainers.org/lxc/getting-started/

Quote:

Just before you create your first container, you probably should logout and login again,
or even reboot your machine to make sure that your user is placed in the right cgroups.

Do you recall if you took this step ?

matiasar · 04-20-2015, 07:15 AM

ceyx, thanks for your response.
Yes, you know, I tried it both relogin, rebooting. Starting from ssh and tty session, if running from an xterm I set XDG_RUNTIME_DIR environment variable also.
I think i'm missing some cgroup settings so lxc can create a cgroup for the container...

ceyx · 04-20-2015, 02:04 PM

It seems as if Ubuntu 14 is the way to go with these containers. The LXC document (above) states :

Quote:

Ubuntu is also one of the few (if not only) Linux distributions to come by default
with everything that's needed for safe, unprivileged LXC containers.

This is probably because Canonical has offerings in the 'cloud'.

You might want to get a successful Ubuntu installation going, and compare it with your Debian one to help you troubleshoot.

Not much help, but there is my two cents.

matiasar · 04-20-2015, 02:48 PM

I was wondering the same today, so I installed an ubuntu 14.10 and LXC containers run without effort there, just as described in documentation.

I will remain with Debian... think ubuntu might share his work as long is open source and inherited lot of work from Debian...
I will try to compare, if i can find any difference.

vandroiy.cl · 06-05-2015, 12:36 AM

Hi,
I was having the same issues with cgroups and network config to be able to start a lxc container
on Debian Jessie lxde,

Quickest solution I've found: Running the install script of https://www.flockport.com/start/
There's nice documentation about lxc on that site,
and after running the script, I was allowed to run privileged containers

To run unprivileged containers, what's on this link worked for me: https://www.flockport.com/lxc-using-...ed-containers/
Though I didn't wanted to run this part

sudo usermod --add-subuids 100000-165536 username
sudo usermod --add-subgids 100000-165536 username

Cause I really can't understand how to "choose" those numbers in debian
So, the workaround for the cgroups issues while trying to run unprivileged containers I do the following,
as stated here http://unix.stackexchange.com/questi...s-with-systemd

sudo service cgmanager start
sudo cgm create all $USER
sudo cgm chown all $USER $(id -u $USER) $(id -g $USER)
sudo cgm movepid all $USER $$

Though I have to do this every time I run the container, but at least I can now run it =)
Hope this helps someone.

A more permanent fix and explanations about "usermod" stuff are welcome =)

matiasar · 06-07-2015, 12:17 PM

Vandoroy.cl, cool info! Thanks.
I managed to run unprivileged containers in Debian in a very similar way.
I documented here in my blog (in spanish), forgot to write a couple of lines here, good you did it!

http://www.equiscentrico.com.ar/2015...an-jessie.html

thanks and regards,
Matías