[SOLVED] LXD 3.0.3 unprivileged containers Ubuntu 18.04-1, "An error occurred in another process(seq number 5)"

RickDeckard · 03-10-2019, 05:08 PM

Hi, I've been trying to get an unprivileged Fedora 29 LXD container safe to use on my workplace's media server (which is the base system of Ubuntu 18.04-1) but am having absolutely zero luck with fixing one up. I've placed values in my /etc/sub{u,g}id files that are the same for both lxd and root and identical across those files,

Code:

lxd:231072:65536
root:231072:65536

... my container's root filesystem is set to those values, and I've tried "lxc config set <container name> security.privileged false" as well as "lxc profile edit default security.privileged false" --

However, I get "Failed to run /usr/lib/lxd/lxd forkstart cheerful-sturgeon /var/lib/lxd/containers /var/log/lxd/cheerful-sturgeon/lxc.conf. Try 'lxc info --show-log cheerful-sturgeon for more info." So I do that, and see:

Code:

Script exited with status 126
Failed to run mount hooks
Failed to set up container 'cheerful-sturgeon'
An error occurred in another process (expected sequence number 5)
Received container state "ABORTING" instead of "RUNNING"
Failed to spawn container "cheerful-sturgeon"
Connection reset by peer - Failed to receive response for command "get_state"

I did some digging on the web, saw that it might be related to AppArmor running at the same time, and then did "systemctl disable apparmor" and "/etc/init.d/apparmor teardown" to clear the profiles, making sure to restart LXD after. No worky.

Then, I set "raw.lxc: lxc.apparmor.profile=unconfined" in the container settings, followed by another restart. Still no worky.

Then I try to su to the lxd user (who is set up to have access to the lxd group) and start an unprivileged container that way. No workies again.

lxc set raw.idmap "both 231072 65536" where 231072 is the shared lxd/root uid that should be mapped to 0? No workies yet again, it says "Failed to get ID map: Host ID is in the range of subids."

I don't know what to do short of make a sacrifice to Beelzebub, because using a privileged container is completely out of the question for my purposes. I'm hoping someone here can help, I'll be grateful.

Will post my lxc.conf file once I get back to the office.

RickDeckard · 03-11-2019, 01:01 PM

Just a little bit late, but here it is.

/var/log/lxd/cheerful-sturgeon/lxc.conf:

Code:

lxc.log.file = /var/log/lxd/cheerful-sturgeon/lxc.log
lxc.log.level = warn
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = /var/log/lxd/cheerful-sturgeon/console.log
lxc.mount.auto = proc:rw sys:rw
lxc.autodev = 1
lxc.pty.max = 1024
lxc.mount.entry = /dev/fuse /dev/fuse none bind,create=file,optional
lxc.mount.entry = /dev/net/tun /dev/net/tun none bind,create=file,optional
lxc.mount.entry = /proc/sys/fs/binfmt_misc /proc/sys/fs/binfmt_misc none rbind,create=dir,optional
lxc.mount.entry = /sys/fs/fuse/connections /sys/fs/fuse/connections none rbind,create=dir,optional
lxc.mount.entry = /sys/fs/pstore /sys/fs/pstore none rbind,create=dir,optional
lxc.mount.entry = /sys/kernel/debug /sys/kernel/debug none rbind,create=dir,optional
lxc.mount.entry = /sys/kernel/security /sys/kernel/security none rbind,create=dir,optional
lxc.mount.entry = /dev/mqueue /dev/mqueue none rbind,create=dir,optional
lxc.include = /usr/share/lxc/config/common.conf.d
lxc.arch = linux64
lxc.hook.pre-start = /usr/lib/lxd/lxd callhook /var/lib/lxd 10 start
lxc.hook.post-stop = /usr/lib/lxd/lxd callhook /var/lib/lxd 10 stop
lxc.tty.max = 0
lxc.uts.name = cheerful-sturgeon
lxc.mount.entry = /var/lib/lxd/devlxd /dev/lxd none bind,create=dir 0 0
lxc.apparmor.profile = lxd-cheerful-sturgeon_</var/lib/lxd>//&:lxd-cheerful-sturgeon_</var/lib/lxd>:
lxc.seccomp.profile = /var/lib/lxd/security/seccomp/cheerful-sturgeon
lxc.idmap = u 0 231072 65536
lxc.idmap = g 0 231072 65536
lxc.rootfs.path = dir:/var/lib/lxd/containers/cheerful-sturgeon/rootfs
lxc.mount.entry = /var/lib/lxd/shmounts/cheerful-sturgeon dev/.lxd-mounts none bind,create=dir 0 0

And yes, /proc/sys/kernel/unprivileged_userns_clone has been set to 1 this whole time. I have /proc/self/{u,g}id_map and /proc/self/ns.
I've even tried to unshare user namespaces and map root manually without LXC/D via the unshare command itself, but even that isn't working.

RickDeckard · 03-14-2019, 10:17 AM

Okay, so me being the sole systems administrator in our environment... I managed to solve this after constructing a test LXC installation and looking at the log files. They gave me a "permission denied" message on bind mounting /var/lib/lxcfs/proc.

That led me to check the permissions on /bin/{u}mount, and I noticed they were 4750 with group set to users. Resetting them to defaults fixed it and I can now start the container.