LinuxQuestions.org
Old 08-03-2017, 08:26 AM   #1
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Rep: Reputation: 10
Slackware 14.2, unprivileged lxc container as root--fail!


Hi all,

I have something weird happening and I'm not sure what additional steps to take to diagnose this.

I have 3 Slackware machines running 14.2 with the latest 4.4.79 kernel. On 2 of the machines, I'm successfully able to create, start and use (as root) unprivileged lxc containers. However, on the third machine (configuration nearly identical to the other two), the container fails to start. I've triple-checked the lxc configuration files--identical to what I did on the other two machines. I got so frustrated yesterday that I blew away the installation and re-installed 14.2 (installing all packages just to be safe)...still no luck at starting an unprivileged container.

The only "Slackware differences" between this machine and the two that work is that this one is running samba and serves as an nfs server. I don't think either of those things should impact starting an unprivileged lxc container.

The first error message that shows up is "Failed to mount none onto /var/lib/rootfs-lxc//proc" and at that point things cascade and the machine fails to start.

I've attached the logfile (using DEBUG mode) from the latest attempt. Any suggestion what to try would be appreciated!

Lumpy
Attached Files
File Type: log test1.log (3.7 KB, 26 views)
 
Old 08-04-2017, 12:53 AM   #2
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: Carrollton, Texas
Distribution: Slackware64 14.2
Posts: 2,739

Rep: Reputation: 1161
/var/lib/rootfs-lxc//proc

The // bit seems odd.
 
Old 08-04-2017, 03:51 AM   #3
franzen
Member
 
Registered: Nov 2012
Distribution: slackware
Posts: 192

Rep: Reputation: 89
Quote:
Originally Posted by Uncle Lumpy View Post
Code:
lxc_utils - utils.c:safe_mount:1692 - Operation not permitted - Failed to mount none onto /var/lib/rootfs-lxc//proc
Looks like a permission issue.
How do you mount things in the lxc-config?
How are the permission bits set on the "real" host?
Maybe something needs to be set to the unprivileged uid 100000, to be able to be mounted by the container on startup.

Just a guess, maybe it helps, and it's also a bit more secure: for proc and sys, try
Code:
lxc.mount.auto = proc:mixed sys:ro cgroup-full:mixed
Johannes
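franzen's guess above is that the rootfs has to be owned by a uid the container's id map actually covers (the 100000 range), otherwise the container's root cannot own what it mounts onto. The following is an added diagnostic, not code from the thread: it reads the `lxc.id_map` line from a container config and reports whether the rootfs and its proc/sys mount points are owned by a mapped uid. It assumes the LXC 2.x `lxc.id_map = u 0 100000 65536` key form and GNU `stat`, both of which Slackware 14.2 ships.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: check whether the rootfs (and the
# proc/sys mount points inside it) are owned by a uid that the container's
# lxc.id_map actually maps. Assumes the LXC 2.x "lxc.id_map = u 0 100000 65536"
# form and GNU stat (both present on Slackware 14.2).

# Print "host_start count" for the uid map in config file $1 (empty if none).
idmap_range() {
  awk -F '[ \t=]+' '$1 == "lxc.id_map" && $2 == "u" { print $4, $5; exit }' "$1"
}

# Succeed if host uid $2 lies inside the uid map declared in config $1.
uid_is_mapped() {
  set -- "$1" "$2" $(idmap_range "$1")
  # $3 = first host uid in the map, $4 = number of mapped ids
  [ -n "$3" ] && [ "$2" -ge "$3" ] && [ "$2" -lt "$(( $3 + $4 ))" ]
}

# Report the owner of the rootfs and of the mount points the container
# needs at start; return 1 if any is missing or owned by an unmapped uid.
check_rootfs() {
  cfg=$1; rootfs=$2; rc=0
  for d in "$rootfs" "$rootfs/proc" "$rootfs/sys"; do
    if [ ! -d "$d" ]; then
      echo "missing: $d"; rc=1; continue
    fi
    owner=$(stat -c %u "$d")
    if uid_is_mapped "$cfg" "$owner"; then
      echo "ok: $d owned by uid $owner (inside the map)"
    else
      echo "NOT MAPPED: $d owned by uid $owner (container root cannot own it)"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh check-rootfs.sh /var/lib/lxc/test1/config /var/lib/lxc/test1/rootfs
if [ "$#" -eq 2 ]; then
  check_rootfs "$1" "$2"
fi
```

A rootfs extracted or copied as real root (uid 0) shows up as "NOT MAPPED" here even when every other file in the tree has been shifted, which is why the top directory is checked alongside proc and sys.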
 
Old 08-04-2017, 05:55 AM   #4
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Richard Cranium View Post
/var/lib/rootfs-lxc//proc

The // bit seems odd.
I agree...I don't understand the syntax of the error message.

Lumpy
 
Old 08-04-2017, 05:57 AM   #5
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by franzen View Post
Looks like a permission issue.
How do you mount things in the lxc-config?
How are the permission bits set on the "real" host?
Maybe something needs to be set to the unprivileged uid 100000, to be able to be mounted by the container on startup.

Just a guess, maybe it helps, and it's also a bit more secure: for proc and sys, try
Code:
lxc.mount.auto = proc:mixed sys:ro cgroup-full:mixed
Johannes
Thanks, Johannes. I'll give this a try when I get home this evening. At one point I tried an "lxc.mount.auto" command similar to that in the config but it didn't seem to change anything. I'll have to think about your other questions...since root is trying to run the container in the standard Slackware location (/var/lib/lxc) I just assumed that all the permissions were OK (especially since it worked out of the box in the other two Slackware machines).

Lumpy

Last edited by Uncle Lumpy; 08-04-2017 at 06:00 AM. Reason: Additional information
 
Old 08-04-2017, 04:33 PM   #6
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Original Poster
Rep: Reputation: 10
OK, I tried the lxc.mount.auto command in the test1 config file--slightly different form of the error message but it still failed to mount proc in the container. I've attached the latest test1.log file as well as the config file used (test1.config).

Best,
Lumpy
Attached Files
File Type: log test1.log (3.6 KB, 3 views)
 
Old 08-04-2017, 04:37 PM   #7
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Original Poster
Rep: Reputation: 10
Hmmmmm, it didn't upload both files. Here's the test1.config file...with a new "log" suffix so that it can be uploaded...

Lumpy
Attached Files
File Type: log test1.config.log (1.5 KB, 4 views)
 
Old 08-08-2017, 08:41 AM   #8
franzen
Member
 
Registered: Nov 2012
Distribution: slackware
Posts: 192

Rep: Reputation: 89
Quote:
Originally Posted by Uncle Lumpy View Post
Thanks, Johannes. I'll give this a try when I get home this evening. At one point I tried an "lxc.mount.auto" command similar to that in the config but it didn't seem to change anything.
Please try with commented line
Code:
# lxc.mount = /var/lib/lxc/test1/rootfs/etc/fstab
What is the output of
Code:
ls -la /var/lib/lxc/test1/rootfs/
?
 
Old 08-08-2017, 09:08 AM   #9
Chuck56
Member
 
Registered: Dec 2006
Location: Colorado
Distribution: Slackware
Posts: 469

Rep: Reputation: 70
I recently converted to unprivileged LXC and took some notes in the process.

When adding proc & sys mount commands to lxc-config:
Code:
  # proc & sys, remove from /etc/fstab
  lxc.mount.auto = proc:mixed sys:ro cgroup
Don't forget to modify the container's fstab and comment out (or remove) the following lines:
Code:
  #none /var/lib/lxc/guest6/rootfs/proc    proc   defaults 0 0
  #none /var/lib/lxc/guest6/rootfs/sys     sysfs  defaults 0 0
The other significant change I implemented was to stop using cgmanager (deprecated) and start using libcgroup services. I modified rc.cgmanager to non-executable, modified rc.config to executable & added the code below to my rc.local. Chris Willing's guide to unprivileged LXC was a great reference for me.

Code:
# LXC: http://www.darlo.tv/lxc/setup-unpriv-slackware.html
if [ -x /etc/rc.d/rc.cgconfig -a -x /etc/rc.d/rc.cgred -a -d /sys/fs/cgroup ]; then
  echo "Starting libcgroup services"
  /etc/rc.d/rc.cgconfig start
  /etc/rc.d/rc.cgred start
fi
Hope that helps!

Last edited by Chuck56; 08-08-2017 at 09:15 AM.
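Chuck56's note is that once `lxc.mount.auto` handles proc and sys, the matching lines in the container's fstab have to go, or the same filesystems get mounted twice. The script below is an added example, not part of Chuck's post or of LXC: it parses the `lxc.mount.auto` keywords out of a container config and prints every active fstab entry whose filesystem type is already covered. It assumes the LXC 2.x `lxc.mount.auto` key and a plain fstab-style file (source, target, fstype, options).

```shell
#!/bin/sh
# Added example, not from the thread: find container-fstab entries that
# duplicate what lxc.mount.auto already mounts, which is the double-mount
# Chuck56's note says to avoid. Assumes the LXC 2.x key name lxc.mount.auto
# and a plain fstab-style file (source, target, fstype, options ...).

# Filesystem type that each lxc.mount.auto keyword mounts.
auto_fstype() {
  case $1 in
    proc)               echo proc ;;
    sys)                echo sysfs ;;
    cgroup|cgroup-full) echo cgroup ;;
    *)                  echo "$1" ;;
  esac
}

# Print the lxc.mount.auto keywords from config $1, one per line, with the
# ":mixed" / ":ro" option suffix stripped.
auto_mounts() {
  awk -F '[ \t=]+' '$1 == "lxc.mount.auto" {
      for (i = 2; i <= NF; i++) if ($i != "") { sub(/:.*/, "", $i); print $i }
  }' "$1"
}

# Print every active fstab line whose fstype lxc.mount.auto already covers.
# Returns 0 when the fstab is clean, 1 when at least one conflict was printed.
fstab_auto_conflicts() {
  cfg=$1; fstab=$2; rc=0
  for name in $(auto_mounts "$cfg"); do
    want=$(auto_fstype "$name")
    while read -r src dst fstype rest; do
      case $src in ''|\#*) continue ;; esac   # skip blank and commented lines
      if [ "$fstype" = "$want" ]; then
        echo "conflict: '$src $dst $fstype $rest' is already handled by lxc.mount.auto ($name)"
        rc=1
      fi
    done < "$fstab"
  done
  return $rc
}

# Usage: sh fstab-check.sh /var/lib/lxc/test1/config /var/lib/lxc/test1/rootfs/etc/fstab
if [ "$#" -eq 2 ]; then
  fstab_auto_conflicts "$1" "$2" && echo "no conflicts"
fi
```

Lines that are commented out, as in Chuck's example, are skipped, so the check passes once the fstab has been edited the way his note describes.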
 
Old 08-08-2017, 07:11 PM   #10
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by franzen View Post
Please try with commented line
Code:
# lxc.mount = /var/lib/lxc/test1/rootfs/etc/fstab
What is the output of
Code:
ls -la /var/lib/lxc/test1/rootfs/
?
OK, I've attached two files (I hope). test1a.log is the error from running the command with the line you suggested commented out in the config. ls.log shows the output of the ls command...

I don't understand why this worked "out of the box" on two of my Slackware systems but fails on this one.

Thanks for your efforts!
Lumpy
Attached Files
File Type: log test1a.log (3.6 KB, 3 views)
File Type: log ls.log (1.0 KB, 5 views)
 
Old 08-08-2017, 07:14 PM   #11
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Chuck56 View Post
I recently converted to unprivileged LXC and took some notes in the process.

When adding proc & sys mount commands to lxc-config:
Code:
  # proc & sys, remove from /etc/fstab
  lxc.mount.auto = proc:mixed sys:ro cgroup
Don't forget to modify the container's fstab and comment out (or remove) the following lines:
Code:
  #none /var/lib/lxc/guest6/rootfs/proc    proc   defaults 0 0
  #none /var/lib/lxc/guest6/rootfs/sys     sysfs  defaults 0 0
The other significant change I implemented was to stop using cgmanager (deprecated) and start using libcgroup services. I modified rc.cgmanager to non-executable, modified rc.config to executable & added the code below to my rc.local. Chris Willing's guide to unprivileged LXC was a great reference for me.

Code:
# LXC: http://www.darlo.tv/lxc/setup-unpriv-slackware.html
if [ -x /etc/rc.d/rc.cgconfig -a -x /etc/rc.d/rc.cgred -a -d /sys/fs/cgroup ]; then
  echo "Starting libcgroup services"
  /etc/rc.d/rc.cgconfig start
  /etc/rc.d/rc.cgred start
fi
Hope that helps!

Well, it didn't seem to have much (any) effect. Here is the output from the error log (test1b.log)...

Thanks for your thoughts! I will implement your "cgmanager to libcgroup" conversion on my 2 working machines!

Best,
Lumpy
Attached Files
File Type: log test1b.log (3.6 KB, 13 views)
 
Old 08-09-2017, 08:05 AM   #12
Chuck56
Member
 
Registered: Dec 2006
Location: Colorado
Distribution: Slackware
Posts: 469

Rep: Reputation: 70
Quote:
Originally Posted by Uncle Lumpy View Post
Well, it didn't seem to have much (any) effect. Here is the output from the error log (test1b.log)...
Any chance we could see a copy of the offending config file? The startup log file indicates trouble with a mount command.
 
Old 08-09-2017, 07:19 PM   #13
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Chuck56 View Post
Any chance we could see a copy of the offending config file? The startup log file indicates trouble with a mount command.
Chuck, I've attached the config file. This one has "lxc.mount = /var/lib/lxc/test1/rootfs/etc/fstab" commented out. I just tried running the container without the line being commented out but the error messages look the same to me whether that line is being read or not being read.

Thanks for looking at this! I'm about ready to throw in the towel as what's happening just doesn't make sense to me.

Best,
Kel
Attached Files
File Type: txt config.txt (1.5 KB, 5 views)

Last edited by Uncle Lumpy; 08-09-2017 at 07:19 PM. Reason: Updating info...
 
Old 08-09-2017, 08:12 PM   #14
chris.willing
Member
 
Registered: Jun 2014
Location: Brisbane, Australia
Distribution: Slackware,LFS
Posts: 400

Rep: Reputation: Disabled
Looking at your config.txt, I see an entry "lxc.include = /usr/share/lxc/config/slackware.userns.conf" which I don't have in any of my containers - not sure if that's significant but that's the first thing I'd try removing.

In your log files, the first thing that looks wrong in both cases is the mounting of the rootfs at /var/lib/rootfs-lxc. The full message there is
Code:
lxc_conf - conf.c:setup_rootfs:1215 - mounted '/var/lib/lxc/test1/rootfs' on '/var/lib/rootfs-lxc'
so it looks like something to do with lxc.conf. Looking at man lxc.conf, the files in which something could be wrongly set are /etc/lxc/default.conf (or ~/.config/lxc/default.conf). It also mentions /etc/lxc/lxc.conf (or ~/.config/lxc/lxc.conf). In particular, check /etc/lxc/lxc.conf. I don't actually have one, just /etc/lxc/lxc.conf.sample which I presume isn't used. However it contains 'lxcpath = /var/lib/lxc' so I would worry that this may be incorrectly set somewhere to /var/lib instead of /var/lib/lxc.

chris
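chris.willing's suggestion is to check whether some lxc.conf sets lxcpath to /var/lib instead of /var/lib/lxc. The following is an added example, not code from the thread: it reads the lxcpath out of an lxc.conf-style file (accepting both the `lxc.lxcpath = ...` key and the bare `lxcpath = ...` spelling quoted from the sample file), falls back to the compiled-in default of /var/lib/lxc, and then checks that the named container's config actually lives under the resolved path. LXC consults /etc/lxc/lxc.conf when run as root and ~/.config/lxc/lxc.conf otherwise, so the script picks the file by the invoking uid.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the lxcpath that lxc-start will
# use and check that the container's config really sits under it, which is the
# mismatch chris.willing suggests looking for. Accepts both "lxc.lxcpath = ..."
# and the bare "lxcpath = ..." spelling seen in the sample file.

# Print the lxcpath value from lxc.conf-style file $1; fail if absent/unreadable.
lxcpath_in_file() {
  [ -r "$1" ] || return 1
  awk -F '[ \t=]+' '
    ($1 == "lxc.lxcpath" || $1 == "lxcpath") && $2 != "" { print $2; found = 1; exit }
    END { exit !found }' "$1"
}

# Print the first lxcpath found in the files given after the default $1,
# or the default itself when none of them sets one.
resolve_lxcpath() {
  default=$1; shift
  for f in "$@"; do
    p=$(lxcpath_in_file "$f") && { echo "$p"; return 0; }
  done
  echo "$default"
}

# Succeed if container $2 has a config file under lxcpath $1.
container_under_lxcpath() {
  [ -f "$1/$2/config" ]
}

# Usage: sh lxcpath-check.sh test1
# lxc reads /etc/lxc/lxc.conf when run as root and ~/.config/lxc/lxc.conf
# otherwise; pick the one that applies to the invoking user.
if [ "$#" -eq 1 ]; then
  if [ "$(id -u)" -eq 0 ]; then sysconf=/etc/lxc/lxc.conf; else sysconf=$HOME/.config/lxc/lxc.conf; fi
  path=$(resolve_lxcpath /var/lib/lxc "$sysconf")
  echo "lxcpath resolves to $path (from $sysconf, or the default)"
  if container_under_lxcpath "$path" "$1"; then
    echo "found $path/$1/config"
  else
    echo "no $path/$1/config: lxc-start would not find container '$1' there"
  fi
fi
```

A sample file such as /etc/lxc/lxc.conf.sample is deliberately not consulted; only the live lxc.conf for the user running lxc-start can change where containers are looked up.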
 
Old 08-13-2017, 01:31 PM   #15
Uncle Lumpy
LQ Newbie
 
Registered: Feb 2010
Posts: 29

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by chris.willing View Post
Looking at your config.txt, I see an entry "lxc.include = /usr/share/lxc/config/slackware.userns.conf" which I don't have in any of my containers - not sure if that's significant but that's the first thing I'd try removing.

In your log files, the first thing that looks wrong in both cases is the mounting of the rootfs at /var/lib/rootfs-lxc. The full message there is
Code:
lxc_conf - conf.c:setup_rootfs:1215 - mounted '/var/lib/lxc/test1/rootfs' on '/var/lib/rootfs-lxc'
so it looks like something to do with lxc.conf. Looking at man lxc.conf, the files in which something could be wrongly set are /etc/lxc/default.conf (or ~/.config/lxc/default.conf). It also mentions /etc/lxc/lxc.conf (or ~/.config/lxc/lxc.conf). In particular, check /etc/lxc/lxc.conf. I don't actually have one, just /etc/lxc/lxc.conf.sample which I presume isn't used. However it contains 'lxcpath = /var/lib/lxc' so I would worry that this may be incorrectly set somewhere to /var/lib instead of /var/lib/lxc.

chris
Thanks for the suggestions, Chris. The "lxc.include = /usr/share/lxc/config/slackware.userns.conf" came from a couple of online sources for creating unprivileged root containers. Since it works (or at least doesn't prevent the successful creation of unprivileged root containers) in two other Slackware machines I'm running I don't think this is the problem. I commented it out and had the same error.

I looked at the various lxc configuration files across the three machines...they are identical. Two machines work fine, nothing unprivileged container related works on the third. Could the problem somehow be hardware related?

At this point, I feel like marking this thread [Abandoned] rather than solved. I've wasted way too much of my (and everyone else's) time chasing this--I'm moving on.

Thanks for everyone's help,
Lumpy

Last edited by Uncle Lumpy; 08-13-2017 at 01:32 PM.
 