How do I configure unprivileged Linux containers?

I'm trying to set up unprivileged LXC containers and failing at every turn. I think I've followed every relevant step of the guide:

  • Normal users are allowed to create unprivileged containers:

    $ sysctl kernel.unprivileged_userns_clone
    kernel.unprivileged_userns_clone = 1

  • The control groups PAM module is enabled:

    $ grep -F pam_cgfs.so /etc/pam.d/system-login
    session optional pam_cgfs.so -c freezer,memory,name=systemd,unified

  • The UID and GID mappings are set up:

    $ cat /etc/lxc/default.conf
    lxc.idmap = u 0 100000 65536
    lxc.idmap = g 0 100000 65536
    lxc.net.0.type = veth
    lxc.net.0.link = lxcbr0
    lxc.net.0.flags = up
    lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
    $ cat /etc/subuid
    root:100000:65536
    $ cat /etc/subgid
    root:100000:65536

  • The network is set up:

    $ grep --invert-match --regexp='^#' --regexp='^$' /etc/default/lxc-net
    USE_LXC_BRIDGE="true"
    LXC_BRIDGE="lxcbr0"
    LXC_ADDR="10.0.3.1"
    LXC_NETMASK="255.255.255.0"
    LXC_NETWORK="10.0.3.0/24"
    LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
    LXC_DHCP_MAX="253"

  • The services look fine:

    $ systemctl status --lines=0 --no-pager lxc.service lxc-net.service
    ● lxc.service - LXC Container Initialization and Autoboot Code
    Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
    Active: active (exited) since Fri 2019-03-08 15:31:47 NZDT; 40min ago
    Docs: man:lxc-autostart
    man:lxc
    Main PID: 4147 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
    Memory: 0B
    CGroup: /system.slice/lxc.service

    ● lxc-net.service - LXC network bridge setup
    Loaded: loaded (/usr/lib/systemd/system/lxc-net.service; enabled; vendor preset: disabled)
    Active: active (exited) since Fri 2019-03-08 15:31:45 NZDT; 40min ago
    Main PID: 4099 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
    Memory: 8.4M
    CGroup: /system.slice/lxc-net.service
    └─4121 dnsmasq -u dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsm…

  • The packages are up to date and I've just rebooted.

Even so, I can't create containers:

    $ lxc-create -n test -t download
    lxc-create: test: parse.c: lxc_file_for_each_line_mmap: 100 No such file or directory - Failed to open file "/home/user/.config/lxc/default.conf"
    lxc-create: test: conf.c: chown_mapped_root: 3179 No uid mapping for container root
    lxc-create: test: lxccontainer.c: do_storage_create: 1310 Error chowning "/home/user/.local/share/lxc/test/rootfs" to container root
    lxc-create: test: conf.c: suggest_default_idmap: 4801 You do not have subuids or subgids allocated
    lxc-create: test: conf.c: suggest_default_idmap: 4802 Unprivileged containers require subuids and subgids
    lxc-create: test: lxccontainer.c: do_lxcapi_create: 1891 Failed to create (none) storage for test
    lxc-create: test: tools/lxc_create.c: main: 327 Failed to create container test

Is there anything obviously wrong with this setup? There's no mention anywhere in the linked article about ~/.config/lxc/default.conf, and I don't understand why it says I haven't allocated subuids and subgids.

Additional info:

  • Running lxc-create as root works, but this is explicitly about creating containers as a normal user.

  • cp /etc/lxc/default.conf ~/.config/lxc/default.conf gets rid of the complaint about the configuration file, but results in this message instead:

    lxc-create: playtime: conf.c: chown_mapped_root: 3279 lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open tt
      arch-linux lxc
      edited 54 mins ago
      l0b0
      asked 1 hour ago
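As an added check (example code written for this page, not from the question or from the LXC project): lxc-create reads the subordinate ID ranges of the user invoking it, so /etc/subuid and /etc/subgid entries for root alone do not cover a normal user, which is what the "You do not have subuids or subgids allocated" message reports. The script below, given subuid/subgid files and a user name, reports whether that user owns ranges, whether a config's lxc.idmap lines stay inside them, and derives the two lines a per-user ~/.config/lxc/default.conf would need; the sample files, the "user" account and the 165536 range are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or LXC): sanity-check subordinate ID
# ranges for the user who will run lxc-create. Assumes the /etc/subuid
# "name:start:count" format and "lxc.idmap = u|g 0 start count" lines as
# shown in the question; paths are parameters so it runs on sample files.

# subid_range FILE USER -> prints "start count" of USER's first entry
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; found = 1; exit }
                        END { exit !found }' "$1"
}

# idmap_lines USER SUBUID SUBGID -> the two lxc.idmap lines USER's own
# ~/.config/lxc/default.conf needs, or a diagnostic and non-zero status
idmap_lines() {
    user=$1 subuid=$2 subgid=$3
    urange=$(subid_range "$subuid" "$user") || { echo "no subuid range for $user" >&2; return 1; }
    grange=$(subid_range "$subgid" "$user") || { echo "no subgid range for $user" >&2; return 1; }
    set -- $urange; echo "lxc.idmap = u 0 $1 $2"
    set -- $grange; echo "lxc.idmap = g 0 $1 $2"
}

# idmap_ok CONF USER SUBUID SUBGID -> succeeds only if CONF has lxc.idmap
# lines and every one maps into a host range USER is allowed to use
idmap_ok() {
    conf=$1 user=$2 subuid=$3 subgid=$4
    grep -qE '^lxc\.idmap[[:space:]]*=' "$conf" || { echo "no lxc.idmap lines in $conf" >&2; return 1; }
    grep -E '^lxc\.idmap[[:space:]]*=' "$conf" | while read -r line; do
        set -- $(printf '%s\n' "$line" | tr '=' ' ')   # lxc.idmap u 0 100000 65536
        kind=$2 hstart=$4 hcount=$5
        case $kind in u) file=$subuid ;; g) file=$subgid ;; *) exit 1 ;; esac
        range=$(subid_range "$file" "$user") || exit 1   # USER owns no range
        set -- $range                                    # start count
        [ "$hstart" -ge "$1" ] && [ $((hstart + hcount)) -le $(($1 + $2)) ] || {
            echo "$kind mapping $hstart+$hcount lies outside $user's $1+$2" >&2; exit 1; }
    done
}

# Constructed sample reproducing the question: only root has ranges, and the
# system default.conf maps into root's range, so "user" cannot use it.
tmp=$(mktemp -d)
printf 'root:100000:65536\n' > "$tmp/subuid"
printf 'root:100000:65536\n' > "$tmp/subgid"
printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$tmp/default.conf"
idmap_ok "$tmp/default.conf" root "$tmp/subuid" "$tmp/subgid" && echo "root: mapping usable"
idmap_ok "$tmp/default.conf" user "$tmp/subuid" "$tmp/subgid" || echo "user: no ranges allocated"
# Once the normal user owns a disjoint range (constructed values), derive the
# lines its per-user config needs instead of copying the system-wide file.
printf 'user:165536:65536\n' >> "$tmp/subuid"
printf 'user:165536:65536\n' >> "$tmp/subgid"
idmap_lines user "$tmp/subuid" "$tmp/subgid"
rm -rf "$tmp"
```

Run it against the real /etc/subuid, /etc/subgid and your own config path to see which of the three conditions fails before reaching for lxc-create.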