LinuxQuestions.org > Linux - Virtualization and Cloud
Thread: https://www.linuxquestions.org/questions/linux-virtualization-and-cloud-90/lxd-3-0-3-unprivileged-containers-ubuntu-18-04-1-an-error-occurred-in-another-process-seq-number-5-a-4175649914/

RickDeckard 03-10-2019 05:08 PM

LXD 3.0.3 unprivileged containers Ubuntu 18.04-1, "An error occurred in another process(seq number 5)"
 
Hi, I've been trying to get an unprivileged Fedora 29 LXD container safe to use on my workplace's media server (which is the base system of Ubuntu 18.04-1) but am having absolutely zero luck with fixing one up. I've placed values in my /etc/sub{u,g}id files that are the same for both lxd and root and identical across those files,

Code:

lxd:231072:65536
root:231072:65536

... my container's root filesystem is set to those values, and I've tried "lxc config set <container name> security.privileged false" as well as "lxc profile edit default security.privileged false" --

However, I get "Failed to run /usr/lib/lxd/lxd forkstart cheerful-sturgeon /var/lib/lxd/containers /var/log/lxd/cheerful-sturgeon/lxc.conf. Try 'lxc info --show-log cheerful-sturgeon for more info." So I do that, and see:

Code:

Script exited with status 126
Failed to run mount hooks
Failed to set up container 'cheerful-sturgeon'
An error occurred in another process (expected sequence number 5)
Received container state "ABORTING" instead of "RUNNING"
Failed to spawn container "cheerful-sturgeon"
Connection reset by peer - Failed to receive response for command "get_state"

I did some digging on the web, saw that it might be related to AppArmor running at the same time, and then did "systemctl disable apparmor" and "/etc/init.d/apparmor teardown" to clear the profiles, making sure to restart LXD after. No worky.

Then, I set "raw.lxc: lxc.apparmor.profile=unconfined" in the container settings, followed by another restart. Still no worky.

Then I try to su to the lxd user (who is set up to have access to the lxd group) and start an unprivileged container that way. No workies again.

lxc set raw.idmap "both 231072 65536" where 231072 is the shared lxd/root uid that should be mapped to 0? No workies yet again, it says "Failed to get ID map: Host ID is in the range of subids."

I don't know what to do short of make a sacrifice to Beelzebub, because using a privileged container is completely out of the question for my purposes. I'm hoping someone here can help, I'll be grateful.

Will post my lxc.conf file once I get back to the office.

RickDeckard 03-11-2019 01:01 PM

Just a little bit late, but here it is.

/var/log/lxd/cheerful-sturgeon/lxc.conf:

Code:

lxc.log.file = /var/log/lxd/cheerful-sturgeon/lxc.log
lxc.log.level = warn
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = /var/log/lxd/cheerful-sturgeon/console.log
lxc.mount.auto = proc:rw sys:rw
lxc.autodev = 1
lxc.pty.max = 1024
lxc.mount.entry = /dev/fuse /dev/fuse none bind,create=file,optional
lxc.mount.entry = /dev/net/tun /dev/net/tun none bind,create=file,optional
lxc.mount.entry = /proc/sys/fs/binfmt_misc /proc/sys/fs/binfmt_misc none rbind,create=dir,optional
lxc.mount.entry = /sys/fs/fuse/connections /sys/fs/fuse/connections none rbind,create=dir,optional
lxc.mount.entry = /sys/fs/pstore /sys/fs/pstore none rbind,create=dir,optional
lxc.mount.entry = /sys/kernel/debug /sys/kernel/debug none rbind,create=dir,optional
lxc.mount.entry = /sys/kernel/security /sys/kernel/security none rbind,create=dir,optional
lxc.mount.entry = /dev/mqueue /dev/mqueue none rbind,create=dir,optional
lxc.include = /usr/share/lxc/config/common.conf.d
lxc.arch = linux64
lxc.hook.pre-start = /usr/lib/lxd/lxd callhook /var/lib/lxd 10 start
lxc.hook.post-stop = /usr/lib/lxd/lxd callhook /var/lib/lxd 10 stop
lxc.tty.max = 0
lxc.uts.name = cheerful-sturgeon
lxc.mount.entry = /var/lib/lxd/devlxd /dev/lxd none bind,create=dir 0 0
lxc.apparmor.profile = lxd-cheerful-sturgeon_</var/lib/lxd>//&:lxd-cheerful-sturgeon_</var/lib/lxd>:
lxc.seccomp.profile = /var/lib/lxd/security/seccomp/cheerful-sturgeon
lxc.idmap = u 0 231072 65536
lxc.idmap = g 0 231072 65536
lxc.rootfs.path = dir:/var/lib/lxd/containers/cheerful-sturgeon/rootfs
lxc.mount.entry = /var/lib/lxd/shmounts/cheerful-sturgeon dev/.lxd-mounts none bind,create=dir 0 0

And yes, /proc/sys/kernel/unprivileged_userns_clone has been set to 1 this whole time. I have /proc/self/{u,g}id_map and /proc/self/ns.
I've even tried to unshare user namespaces and map root manually without LXC/D via the unshare command itself, but even that isn't working.

RickDeckard 03-14-2019 10:17 AM

Okay, so me being the sole systems administrator in our environment... I managed to solve this after constructing a test LXC installation and looking at the log files. They gave me a "permission denied" message on bind mounting /var/lib/lxcfs/proc.

That led me to check the permissions on /bin/{u}mount, and I noticed they were 4750 with group set to users. Resetting them to defaults fixed it and I can now start the container.
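Added here as an example, not code from the thread or from the LXD project: a small POSIX shell check covering the two things the poster ended up chasing, whether the host range in an lxc.idmap line sits inside that user's /etc/subuid allocation, and whether the setuid mount helpers still carry their packaged permissions. It assumes the Ubuntu default for /bin/mount and /bin/umount is 4755 root:root and that GNU stat is available; the sample lines are copied from the thread.

```shell
#!/bin/sh
# Constructed sample inputs, taken from the values quoted in the thread.
SUBUID_SAMPLE='lxd:231072:65536
root:231072:65536'
IDMAP_LINE='lxc.idmap = u 0 231072 65536'

# idmap_within_subid USER SUBID_TEXT IDMAP_LINE
# Parses "lxc.idmap = <u|g> <container-start> <host-start> <count>" and
# succeeds only if USER owns a sub-id range in SUBID_TEXT that covers
# host-start .. host-start+count-1 (LXD refuses maps outside that range).
idmap_within_subid() {
    hs=$(printf '%s\n' "$3" | awk '{print $5}')
    cnt=$(printf '%s\n' "$3" | awk '{print $6}')
    printf '%s\n' "$2" | awk -F: -v u="$1" -v s="$hs" -v c="$cnt" \
        '$1 == u && s >= $2 && s + c <= $2 + $3 { found = 1 }
         END { exit !found }'
}

# mount_helper_ok MODE OWNER GROUP
# The thread's broken state was mode 4750 with group "users"; the packaged
# default assumed here is 4755 root:root (setuid root, executable by all).
mount_helper_ok() {
    [ "$1" = "4755" ] && [ "$2" = "root" ] && [ "$3" = "root" ]
}

# check_live_mount_helpers: apply mount_helper_ok to the real binaries
# using GNU stat (assumption: stat -c is available, as on Ubuntu).
check_live_mount_helpers() {
    for bin in /bin/mount /bin/umount; do
        [ -e "$bin" ] || continue
        set -- $(stat -c '%a %U %G' "$bin")
        if mount_helper_ok "$1" "$2" "$3"; then
            echo "$bin: $1 $2:$3 ok"
        else
            echo "$bin: $1 $2:$3 NOT default (expected 4755 root:root)"
        fi
    done
}

# Usage with the constructed sample and the live system.
if idmap_within_subid lxd "$SUBUID_SAMPLE" "$IDMAP_LINE"; then
    echo "idmap host range is inside lxd's subuid allocation"
else
    echo "idmap host range is NOT covered by lxd's subuid allocation"
fi
check_live_mount_helpers
```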
