I know this isn't exactly the main use case of LXD, but I'm a fan and I'd like to get it to run with all its features on my favourite distribution. I should add that I followed this wiki article, especially when it comes to the section Sub{u,g}id configuration.
config:
  core.https_address: '[::]:8443'
  core.trust_password: true
api_extensions:
  - storage_zfs_remove_snapshots
  - container_host_shutdown_timeout
  - container_syscall_filtering
  - auth_pki
  - container_last_used_at
  - etag
  - patch
  - usb_devices
  - https_allowed_credentials
  - image_compression_algorithm
  - directory_manipulation
  - container_cpu_time
  - storage_zfs_use_refquota
  - storage_lvm_mount_options
  - network
  - profile_usedby
  - container_push
  - container_exec_recording
  - certificate_update
  - container_exec_signal_handling
  - gpu_devices
  - container_image_properties
  - migration_progress
  - id_map
  - network_firewall_filtering
  - network_routes
  - storage
  - file_delete
  - file_append
  - network_dhcp_expiry
  - storage_lvm_vg_rename
  - storage_lvm_thinpool_rename
  - network_vlan
  - image_create_aliases
  - container_stateless_copy
  - container_only_migration
  - storage_zfs_clone_copy
  - unix_device_rename
  - storage_lvm_use_thinpool
  - storage_rsync_bwlimit
  - network_vxlan_interface
  - storage_btrfs_mount_options
  - entity_description
  - image_force_refresh
  - storage_lvm_lv_resizing
api_status: stable
api_version: "1.0"
auth: trusted
public: false
environment:
  addresses:
    - 173.212.227.55:8443
    - '[2a02:c207:3002:211::1]:8443'
    - 10.130.123.1:8443
    - '[fd42:842d:42ea:8869::1]:8443'
  architectures:
    - x86_64
    - i686
  certificate: |
    -----BEGIN CERTIFICATE-----
    MIIFUzCCAzugAwIBAgIRAPVfRYADNX+kt4UsaEXu/9kwDQYJKoZIhvcNAQELBQAw
    NDEcMBoGA1UEChMTbGludXhjb250YWluZXJzLm9yZzEUMBIGA1UEAwwLcm9vdEBp
    === SNIP===
    Jpv8VzitCj/ZzYIlwkrqpFgGW27r6iUInc7uXvUJQvpj4HZYbXowMGxh7H8Iwi7U
    aaTfCnnKchmNOVKH2g6aCRuuQvjEEtE=
    -----END CERTIFICATE-----
  certificate_fingerprint: 82594a58dad22e126cf26f9f94f78a2b7c142bcb820fbc8b161a3aa82f68b426
  driver: lxc
  driver_version: 2.0.8
  kernel: Linux
  kernel_architecture: x86_64
  kernel_version: 4.11.2-1-userns
  server: lxd
  server_pid: 569
  server_version: "2.14"
  storage: zfs
  storage_version: 0.7.0-rc4
I can launch privileged containers but it fails when trying to launch unprivileged ones. My kernel has user namespaces configured and (according to lxc-checkconfig) enabled.
Container log:
Log:
lxc 20170611101058.623 ERROR lxc_start - start.c:lxc_spawn:1186 - Failed to set up id mapping.
lxc 20170611101058.679 WARN lxc_conf - conf.c:lxc_delete_network:3095 - Failed to remove "veth1BWAID" from host: Invalid argument.
lxc 20170611101058.679 ERROR lxc_start - start.c:__lxc_start:1358 - Failed to spawn container "gitlab".
lxc 20170611101058.777 ERROR lxc_conf - conf.c:run_buffer:408 - Script exited with status 1.
lxc 20170611101058.777 ERROR lxc_start - start.c:lxc_fini:546 - Failed to run lxc.hook.post-stop for container "gitlab".
lxc 20170611101058.777 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:177 - Command get_cgroup failed to receive response: Connection reset by peer.
lxc 20170611101058.777 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:177 - Command get_cgroup failed to receive response: Connection reset by peer.
lxc 20170611101058.778 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.778 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/systemd//lxc/gitlab
lxc 20170611101058.778 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.778 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/pids//lxc/gitlab
lxc 20170611101058.779 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.779 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/cpuset//lxc/gitlab
lxc 20170611101058.779 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.779 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/net_cls//lxc/gitlab
lxc 20170611101058.780 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.780 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/cpu//lxc/gitlab
lxc 20170611101058.780 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.780 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/blkio//lxc/gitlab
lxc 20170611101058.781 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.781 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/devices//lxc/gitlab
lxc 20170611101058.782 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.782 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/perf_event//lxc/gitlab
lxc 20170611101058.782 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.782 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/memory//lxc/gitlab
lxc 20170611101058.783 ERROR lxc_conf - conf.c:userns_exec_1:4600 - Error setting up child mappings
lxc 20170611101058.783 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1288 - Error destroying /sys/fs/cgroup/freezer//lxc/gitlab
Right, Archlinux doesn't make new{g,u}idmap setuid. The next release of liblxc (our runtime) will be smarter in that regard. As a fix for now you should be able to just do:
chmod +s /usr/bin/newuidmap
chmod +s /usr/bin/newgidmap
Please report back if that works.
And thanks for the kind words, we appreciate it. :)
Oh you're a life-saver, yea that worked. Thank you <3
And thank you for writing awesome software. I've been using LXC for over a year and LXD for around a year and it has cut my personal hosting headaches down to a bare minimum. So thank you :) And have a nice day!
Cool. It helps me too!
I saw a warning in the output of this command on my Ubuntu 16.04:
sudo lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.4.0-81-generic
...
Warning: newuidmap is not setuid-root
Warning: newgidmap is not setuid-root
...
But I was wrong with the command:
chmod u+s /usr/bin/newuidmap
chmod u+s /usr/bin/newgidmap
It turns out it needs the SGID bit set too. Now I still get a warning in lxc-checkconfig, but unprivileged containers all come up!
Thank you!
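A small checker, added here and not part of the thread or of LXD/LXC, that verifies the two preconditions the thread turned on: new{u,g}idmap being setuid root (and, as the last report found, `chmod +s` with no "who" sets the setgid bit as well, unlike `chmod u+s`), and a subordinate id range for the user in /etc/subuid and /etc/subgid. The helper paths are assumed to be /usr/bin/new{u,g}idmap; the subuid lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check the preconditions this issue
# turned on for unprivileged containers. Paths below are assumptions.

# Setuid bit = 04000, setgid bit = 02000; `stat -c %a` prints e.g. 755, 4755, 6755.
mode_has_setuid() { case "$1" in [4-7]???) return 0 ;; *) return 1 ;; esac; }
mode_has_setgid() { case "$1" in [2367]???) return 0 ;; *) return 1 ;; esac; }

# Pure classification of (owner, octal mode) exactly as stat prints them.
classify_mode() {
    [ "$1" = root ] || { echo not-root-owned; return; }
    if mode_has_setuid "$2" && mode_has_setgid "$2"; then echo suid-sgid   # chmod +s
    elif mode_has_setuid "$2"; then echo suid-only                         # chmod u+s
    elif mode_has_setgid "$2"; then echo sgid-only
    else echo no-special        # this is what lxc-checkconfig warns about
    fi
}

# Classify an installed helper binary; "missing" if it is not there.
classify_helper() {
    [ -e "$1" ] || { echo missing; return; }
    classify_mode "$(stat -c %U "$1")" "$(stat -c %a "$1")"
}

# Read /etc/subuid- or /etc/subgid-style lines (user:start:count) on stdin and
# print the "start:count" range for user $1; exit status 1 when there is none.
subid_range_for() {
    awk -F: -v u="$1" '$1 == u { print $2 ":" $3; found = 1 } END { exit !found }'
}

# Report for the live system (assumed paths; prints "missing" where absent).
report() {
    for h in /usr/bin/newuidmap /usr/bin/newgidmap; do
        echo "$h: $(classify_helper "$h")"
    done
    for f in /etc/subuid /etc/subgid; do
        if [ -r "$f" ]; then
            echo "$f: $(subid_range_for "$(id -un)" < "$f" || echo 'no range')"
        fi
    done
}

report
```

Any helper that reports something other than suid-sgid or suid-only, or a user with no range, is the same condition the log above shows as "Failed to set up id mapping".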