How do I configure unprivileged Linux containers?
I'm trying to set up unprivileged LXC containers and failing at every turn. I think I've followed every relevant step of the guide:
Normal users are allowed to create unprivileged containers:
$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
The control groups PAM module is enabled:
$ grep -F pam_cgfs.so /etc/pam.d/system-login
session optional pam_cgfs.so -c freezer,memory,name=systemd,unified
The UID and GID mappings are set up:
$ cat /etc/lxc/default.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
$ cat /etc/subuid
root:100000:65536
$ cat /etc/subgid
root:100000:65536
The network is set up:
$ grep --invert-match --regexp='^#' --regexp='^$' /etc/default/lxc-net
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
The services look fine:
$ systemctl status --lines=0 --no-pager lxc.service lxc-net.service
● lxc.service - LXC Container Initialization and Autoboot Code
Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
Active: active (exited) since Fri 2019-03-08 15:31:47 NZDT; 40min ago
Docs: man:lxc-autostart
man:lxc
Main PID: 4147 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
Memory: 0B
CGroup: /system.slice/lxc.service
● lxc-net.service - LXC network bridge setup
Loaded: loaded (/usr/lib/systemd/system/lxc-net.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2019-03-08 15:31:45 NZDT; 40min ago
Main PID: 4099 (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 4915)
Memory: 8.4M
CGroup: /system.slice/lxc-net.service
└─4121 dnsmasq -u dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsm…
- The packages are up to date and I've just rebooted.
Even so, I can't create containers:
$ lxc-create -n test -t download
lxc-create: test: parse.c: lxc_file_for_each_line_mmap: 100 No such file or directory - Failed to open file "/home/user/.config/lxc/default.conf"
lxc-create: test: conf.c: chown_mapped_root: 3179 No uid mapping for container root
lxc-create: test: lxccontainer.c: do_storage_create: 1310 Error chowning "/home/user/.local/share/lxc/test/rootfs" to container root
lxc-create: test: conf.c: suggest_default_idmap: 4801 You do not have subuids or subgids allocated
lxc-create: test: conf.c: suggest_default_idmap: 4802 Unprivileged containers require subuids and subgids
lxc-create: test: lxccontainer.c: do_lxcapi_create: 1891 Failed to create (none) storage for test
lxc-create: test: tools/lxc_create.c: main: 327 Failed to create container test
Is there anything obviously wrong with this setup? There's no mention anywhere in the linked article about ~/.config/lxc/default.conf, and I don't understand why it says I haven't allocated subuids and subgids.
Additional info:
- Running lxc-create as root works, but this is explicitly about creating containers as a normal user.
- cp /etc/lxc/default.conf ~/.config/lxc/default.conf gets rid of the complaint about the configuration file, but results in this message instead:
lxc-create: playtime: conf.c: chown_mapped_root: 3279 lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open tt
arch-linux lxc
asked 1 hour ago by l0b0, edited 54 mins ago
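As an added example (not code from the question or from LXC): a check of the precondition behind the "You do not have subuids or subgids allocated" message, namely that the user running lxc-create, not root, has an entry in /etc/subuid and /etc/subgid and that every lxc.idmap line fits inside that allocation. The file contents are constructed inline to match the question, and the function names are my own.

```python
"""Check an unprivileged LXC id-mapping setup before running lxc-create.

Added example, not from the question or from LXC: the user who runs
lxc-create needs a line in /etc/subuid and /etc/subgid, and each
lxc.idmap line in the config must lie inside that user's allocation.
"""
import re

IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Constructed: /etc/subuid and /etc/subgid exactly as shown in the question.
SUBID_ROOT_ONLY = "root:100000:65536\n"
# Constructed: the idmap lines from the question's /etc/lxc/default.conf.
DEFAULT_CONF = "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n"


def subid_ranges(text, user):
    """Return [(start, count), ...] allocated to user in subuid/subgid text."""
    ranges = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges


def idmap_entries(conf_text):
    """Return [(kind, container_id, host_id, count), ...] from lxc.idmap lines."""
    entries = []
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, cid, hid, count = m.groups()
            entries.append((kind, int(cid), int(hid), int(count)))
    return entries


def check_idmap(user, subuid_text, subgid_text, conf_text):
    """Return a list of problems; an empty list means the ids can be mapped."""
    files = {"u": ("/etc/subuid", subuid_text), "g": ("/etc/subgid", subgid_text)}
    entries = idmap_entries(conf_text)
    if not entries:
        return ["no lxc.idmap lines in the container config"]
    problems = []
    for kind in ("u", "g"):
        fname, text = files[kind]
        ranges = subid_ranges(text, user)
        for k, cid, hid, count in entries:
            if k != kind:
                continue
            if not ranges:  # exactly the situation in the question for "user"
                problems.append(f"{user} has no entry in {fname}")
                break
            if not any(s <= hid and hid + count <= s + c for s, c in ranges):
                problems.append(f"lxc.idmap {k} {cid} {hid} {count} is outside {user}'s {fname} allocation")
    return problems
```

The check does not verify that ranges for different users are disjoint; two containers whose root maps to the same host uid are not isolated from each other's files, so each user should get a distinct range.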