[SOLVED] Slackware 14.2, unprivileged lxc container as root--fail!
Hi all,
I have something weird happening and I'm not sure what additional steps to take to diagnose this.
I have 3 Slackware machines running 14.2 with the latest 4.4.79 kernel. On 2 of the machines, I'm successfully able to create, start and use (as root) unprivileged lxc containers. However, on the third machine (configuration nearly identical to the other two), the container fails to start. I've triple-checked the lxc configuration files--identical to what I did on the other two machines. I got so frustrated yesterday that I blew away the installation and re-installed 14.2 (installing all packages just to be safe)...still no luck at starting an unprivileged container.
The only "Slackware differences" between this machine and the two that work is that this one is running samba and serves as an nfs server. I don't think either of those things should impact starting an unprivileged lxc container.
The first error message that shows up is "Failed to mount none onto /var/lib/rootfs-lxc//proc" and at that point things cascade and the machine fails to start.
I've attached the logfile (using DEBUG mode) from the latest attempt. Any suggestion what to try would be appreciated!
lxc_utils - utils.c:safe_mount:1692 - Operation not permitted - Failed to mount none onto /var/lib/rootfs-lxc//proc
Looks like a permission issue.
How do you mount things in the lxc-config?
How are the permission bits set on the "real" host?
Maybe something needs to be set to the unprivileged uid 100000, to be able to be mounted by the container on startup.
Just a guess, maybe it helps, and it's also a bit more secure: for proc and sys, try
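A quick way to check the permission angle raised above, as an added example that is not from the thread: it reads the uid/gid mapping out of a container config (LXC 2.x `lxc.id_map` syntax, an assumption) and flags rootfs entries in an `ls -ln` listing whose owner falls outside the mapped range, since those show up as nobody inside the container. The config and listing are constructed samples.

```shell
#!/bin/sh
# Constructed sample config for an unprivileged container run by root.
SAMPLE_CONFIG='lxc.rootfs = /var/lib/lxc/test1/rootfs
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.include = /usr/share/lxc/config/slackware.userns.conf'

# Constructed sample of "ls -ln /var/lib/lxc/test1/rootfs" (numeric owners).
SAMPLE_LS='drwxr-xr-x 2 100000 100000 4096 Aug  4 05:00 bin
drwxr-xr-x 2 100000 100000 4096 Aug  4 05:00 proc
drwxr-xr-x 2      0      0 4096 Aug  4 05:00 sys
drwxr-xr-x 2 165536 100000 4096 Aug  4 05:00 var'

# Print "<start> <count>" for the u or g map found in a config read on stdin.
idmap_range() {
    awk -v kind="$1" '$1 == "lxc.id_map" && $3 == kind { print $5, $6; exit }'
}

# Read an "ls -ln" listing on stdin; report each entry whose uid or gid is
# outside the mapped ranges on stderr and print the number of such entries.
unmapped_entries() {
    awk -v us="$1" -v uc="$2" -v gs="$3" -v gc="$4" '
        NF >= 9 {
            uid = $3 + 0; gid = $4 + 0
            if (uid < us || uid >= us + uc || gid < gs || gid >= gs + gc) {
                n++
                print "unmapped: " $NF " (" uid ":" gid ")" > "/dev/stderr"
            }
        }
        END { print n + 0 }'
}

# Usage: check_rootfs_ids "<config text>" "<ls -ln output>"; prints the count.
check_rootfs_ids() {
    cfg=$1; listing=$2
    set -- $(printf '%s\n' "$cfg" | idmap_range u) \
           $(printf '%s\n' "$cfg" | idmap_range g)
    [ $# -eq 4 ] || { echo "no lxc.id_map lines found in config" >&2; return 2; }
    printf '%s\n' "$listing" | unmapped_entries "$@"
}

check_rootfs_ids "$SAMPLE_CONFIG" "$SAMPLE_LS"
```

On a real host, feed it the container's config and `ls -ln` of the rootfs; a non-zero count points at files the mapped root cannot own, which is worth fixing before chasing mount errors further.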
Thanks, Johannes. I'll give this a try when I get home this evening. At one point I tried an "lxc.mount.auto" command similar to that in the config but it didn't seem to change anything. I'll have to think about your other questions...since root is trying to run the container in the standard Slackware location (/var/lib/lxc) I just assumed that all the permissions were OK (especially since it worked out of the box in the other two Slackware machines).
Lumpy
Last edited by Uncle Lumpy; 08-04-2017 at 05:00 AM.
Reason: Additional information
OK, I tried the lxc.mount.auto command in the test1 config file--slightly different form of the error message but it still failed to mount proc in the container. I've attached the latest test1.log file as well as the config file used (test1.config).
The other significant change I implemented was to stop using cgmanager (deprecated) and start using libcgroup services. I modified rc.cgmanager to non-executable, modified rc.config to executable & added the code below to my rc.local. Chris Willing's guide to unprivileged LXC was a great reference for me.
Code:
    # LXC: http://www.darlo.tv/lxc/setup-unpriv-slackware.html
    # Start the libcgroup services only when both init scripts are
    # executable and the cgroup filesystem root exists.
    if [ -x /etc/rc.d/rc.cgconfig -a -x /etc/rc.d/rc.cgred -a -d /sys/fs/cgroup ]; then
        echo "Starting libcgroup services"
        /etc/rc.d/rc.cgconfig start
        /etc/rc.d/rc.cgred start
    fi
OK, I've attached two files (I hope). test1a.log is the error from running the command with the line you suggested commented out in the config. ls.log shows the output of the ls command...
I don't understand why this worked "out of the box" on two of my Slackware systems but fails on this one.
Hope that helps!
Well, it didn't seem to have much (any) effect. Here is the output from the error log (test1b.log)...
Thanks for your thoughts! I will implement your "cgmanager to libcgroup" conversion on my 2 working machines!
Any chance we could see a copy of the offending config file? The startup log file indicates trouble with a mount command.
Chuck, I've attached the config file. This one has "lxc.mount = /var/lib/lxc/test1/rootfs/etc/fstab" commented out. I just tried running the container without the line being commented out but the error messages look the same to me whether that line is being read or not being read.
Thanks for looking at this! I'm about ready to throw in the towel as what's happening just doesn't make sense to me.
Best,
Kel
Last edited by Uncle Lumpy; 08-09-2017 at 06:19 PM.
Reason: Updating info...
Looking at your config.txt, I see an entry "lxc.include = /usr/share/lxc/config/slackware.userns.conf" which I don't have in any of my containers - not sure if that's significant but that's the first thing I'd try removing.
In your log files, the first thing that looks wrong in both cases is the mounting of the rootfs at /var/lib/rootfs-lxc. The full message there is
Code:
lxc_conf - conf.c:setup_rootfs:1215 - mounted '/var/lib/lxc/test1/rootfs' on '/var/lib/rootfs-lxc'
so looks like something to do with lxc.conf. Looking at man lxc.conf, the files in which something could be wrongly set are /etc/lxc/default.conf (or ~/.config/lxc/default.conf). It also mentions /etc/lxc/lxc.conf (or ~/.config/lxc/lxc.conf). In particular, check /etc/lxc/lxc.conf. I don't actually have one, just /etc/lxc/lxc.conf.sample which I presume isn't used. However it contains 'lxcpath = /var/lib/lxc' so I would worry that this may be incorrectly set somewhere to /var/lib instead of /var/lib/lxc.
chris
Thanks for the suggestions, Chris. The "lxc.include = /usr/share/lxc/config/slackware.userns.conf" came from a couple of online sources for creating unprivileged root containers. Since it works (or at least doesn't prevent the successful creation of unprivileged root containers) in two other Slackware machines I'm running I don't think this is the problem. I commented it out and had the same error.
I looked at the various lxc configuration files across the three machines...they are identical. Two machines work fine, nothing unprivileged container related works on the third. Could the problem somehow be hardware related?
At this point, I feel like marking this thread [Abandoned] rather than solved. I've wasted way too much of my (and everyone else's) time chasing this--I'm moving on.
Thanks for everyone's help,
Lumpy
Last edited by Uncle Lumpy; 08-13-2017 at 12:32 PM.