Old 03-10-2019, 05:08 PM   #1
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch+Gentoo Hardened, Ubuntu
Posts: 91

Rep: Reputation: Disabled
LXD 3.0.3 unprivileged containers Ubuntu 18.04-1, "An error occurred in another process(seq number 5)"


Hi, I've been trying to get an unprivileged Fedora 29 LXD container safe to use on my workplace's media server (which is the base system of Ubuntu 18.04-1) but am having absolutely zero luck with fixing one up. I've placed values in my /etc/sub{u,g}id files that are the same for both lxd and root and identical across those files,

Code:
lxd:231072:65536
root:231072:65536
... my container's root filesystem is set to those values, and I've tried "lxc config set <container name> security.privileged false" as well as "lxc profile edit default security.privileged false" --

However, I get "Failed to run /usr/lib/lxd/lxd forkstart cheerful-sturgeon /var/lib/lxd/containers /var/log/lxd/cheerful-sturgeon/lxc.conf. Try 'lxc info --show-log cheerful-sturgeon' for more info." So I do that, and see:

Code:
Script exited with status 126
Failed to run mount hooks
Failed to set up container 'cheerful-sturgeon'
An error occurred in another process (expected sequence number 5)
Received container state "ABORTING" instead of "RUNNING"
Failed to spawn container "cheerful-sturgeon"
Connection reset by peer - Failed to receive response for command "get_state"
I did some digging on the web, saw that it might be related to AppArmor running at the same time, and then did "systemctl disable apparmor" and "/etc/init.d/apparmor teardown" to clear the profiles, making sure to restart LXD after. No worky.

Then, I set "raw.lxc: lxc.apparmor.profile=unconfined" in the container settings, followed by another restart. Still no worky.

Then I try to su to the lxd user (who is set up to have access to the lxd group) and start an unprivileged container that way. No workies again.

lxc set raw.idmap "both 231072 65536" where 231072 is the shared lxd/root uid that should be mapped to 0? No workies yet again, it says "Failed to get ID map: Host ID is in the range of subids."

I don't know what to do short of making a sacrifice to Beelzebub, because using a privileged container is completely out of the question for my purposes. I'm hoping someone here can help; I'll be grateful.

Will post my lxc.conf file once I get back to the office.

Last edited by RickDeckard; 03-14-2019 at 10:18 AM.
 
Old 03-11-2019, 01:01 PM   #2
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch+Gentoo Hardened, Ubuntu
Posts: 91

Original Poster
Rep: Reputation: Disabled
Just a little bit late, but here it is.

/var/log/lxd/cheerful-sturgeon/lxc.conf:

Code:
lxc.log.file = /var/log/lxd/cheerful-sturgeon/lxc.log
lxc.log.level = warn
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = /var/log/lxd/cheerful-sturgeon/console.log
lxc.mount.auto = proc:rw sys:rw
lxc.autodev = 1
lxc.pty.max = 1024
lxc.mount.entry = /dev/fuse /dev/fuse none bind,create=file,optional
lxc.mount.entry = /dev/net/tun /dev/net/tun none bind,create=file,optional
lxc.mount.entry = /proc/sys/fs/binfmt_misc /proc/sys/fs/binfmt_misc none rbind,create=dir,optional
lxc.mount.entry = /sys/fs/fuse/connections /sys/fs/fuse/connections none rbind,create=dir,optional
lxc.mount.entry = /sys/fs/pstore /sys/fs/pstore none rbind,create=dir,optional
lxc.mount.entry = /sys/kernel/debug /sys/kernel/debug none rbind,create=dir,optional
lxc.mount.entry = /sys/kernel/security /sys/kernel/security none rbind,create=dir,optional
lxc.mount.entry = /dev/mqueue /dev/mqueue none rbind,create=dir,optional
lxc.include = /usr/share/lxc/config/common.conf.d
lxc.arch = linux64
lxc.hook.pre-start = /usr/lib/lxd/lxd callhook /var/lib/lxd 10 start
lxc.hook.post-stop = /usr/lib/lxd/lxd callhook /var/lib/lxd 10 stop
lxc.tty.max = 0
lxc.uts.name = cheerful-sturgeon
lxc.mount.entry = /var/lib/lxd/devlxd /dev/lxd none bind,create=dir 0 0
lxc.apparmor.profile = lxd-cheerful-sturgeon_</var/lib/lxd>//&:lxd-cheerful-sturgeon_</var/lib/lxd>:
lxc.seccomp.profile = /var/lib/lxd/security/seccomp/cheerful-sturgeon
lxc.idmap = u 0 231072 65536
lxc.idmap = g 0 231072 65536
lxc.rootfs.path = dir:/var/lib/lxd/containers/cheerful-sturgeon/rootfs
lxc.mount.entry = /var/lib/lxd/shmounts/cheerful-sturgeon dev/.lxd-mounts none bind,create=dir 0 0
And yes, /proc/sys/kernel/unprivileged_userns_clone has been set to 1 this whole time. I have /proc/self/{u,g}id_map and /proc/self/ns.
I've even tried to unshare user namespaces and map root manually without LXC/D via the unshare command itself, but even that isn't working.

Last edited by RickDeckard; 03-11-2019 at 04:51 PM.
 
Old 03-14-2019, 10:17 AM   #3
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch+Gentoo Hardened, Ubuntu
Posts: 91

Original Poster
Rep: Reputation: Disabled
Okay, so me being the sole systems administrator in our environment... I managed to solve this after constructing a test LXC installation and looking at the log files. They gave me a "permission denied" message on bind mounting /var/lib/lxcfs/proc.

That led me to check the permissions on /bin/{u}mount, and I noticed they were 4750 with group set to users. Resetting them to defaults fixed it and I can now start the container.

Last edited by RickDeckard; 03-14-2019 at 10:26 AM. Reason: a simple 0755 also got the job done
 
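The three conditions this thread turned on (matching lxd/root sub{u,g}id ranges from post #1, the "Host ID is in the range of subids" rejection of raw.idmap from post #1, and the 4750 mode on /bin/mount and /bin/umount from post #3) can be checked with a small script. This is an added example, not code from the thread or from LXD; it assumes the "name:start:count" sub{u,g}id format and Ubuntu's default 4755 root:root mode on the mount binaries.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes "name:start:count" lines in
# /etc/sub{u,g}id and a default mode of 4755 on /bin/mount and /bin/umount.

# Accept a numeric mode as printed by `stat -c %a`: setuid bit set AND
# execute permission for "other". 4750 is rejected: with that mode the
# lxcfs mount hook could not execute /bin/mount, which surfaced in post #1
# as "Script exited with status 126" / "Failed to run mount hooks".
mount_mode_ok() {
    case "$1" in
        [4-7][0-7][0-7][1357]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "start:count" for user $1 from sub{u,g}id-style text on stdin.
subid_range() {
    awk -F: -v n="$1" '$1 == n { print $2 ":" $3; exit }'
}

# Succeed when lxd and root both have a range and the ranges are identical.
subids_match() {
    a=$(printf '%s\n' "$1" | subid_range lxd)
    b=$(printf '%s\n' "$1" | subid_range root)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed when host id $3 lies inside START ($1) .. START+COUNT-1 ($2).
# LXD refuses a raw.idmap whose host id falls inside the delegated subid
# range ("Host ID is in the range of subids"); 231072 is the start of the
# range in this thread, so "both 231072 65536" hits exactly that check.
hostid_in_subids() {
    [ "$3" -ge "$1" ] && [ "$3" -lt "$(($1 + $2))" ]
}

# Constructed sample matching the /etc/subuid shown in post #1.
SAMPLE_SUBUID='lxd:231072:65536
root:231072:65536'

subids_match "$SAMPLE_SUBUID" && echo "subuid: lxd and root ranges match"
hostid_in_subids 231072 65536 231072 && echo "raw.idmap host id 231072 would be refused"

# Report on the real binaries; does not abort if stat or the files are absent.
for bin in /bin/mount /bin/umount; do
    m=$(stat -c %a "$bin" 2>/dev/null || echo unknown)
    if mount_mode_ok "$m"; then echo "$bin mode $m: ok"
    else echo "$bin mode $m: unprivileged mount hooks will fail (expect 4755)"; fi
done
```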