Hi,

pk <pkor...@gmail.com> writes:

> Hello,
>
> I copy-pasted configuration and commands from
> /usr/share/doc/lxc/README.Debian.gz under "Unprivileged containers".
> Are you talking about another file?
> https://salsa.debian.org/lxc-team/lxc/-/blob/7d692c266c63fced9417042ae904cc2a280b96d8/debian/README.Debian

The configuration in that file is

lxc.include = /etc/lxc/default.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = unconfined

and goes to ~/.config/lxc/default.conf

You removed at least the lxc.include statement, and actually tried something of your own, in particular not creating a default config for your user and a container afterwards.

> lxc.rootfs defaults to the system root / per lxc.container.conf(5).

Which is not acceptable for an *unprivileged* container, which is the case you brought here. The reason why AppArmor intervenes instead of letting either init crash upon startup (because of not being able to manipulate the filesystem) or things explode is because lxc.apparmor.profile doesn't apply to the lxc-start call, but only to the lxc child process.

> Creation is unnecessary, it is just a convenience to avoid -f and does
> not affect the container runtime. My (still privileged) lxc setup
> works perfectly with -f without ever creating any containers.

Creation is necessary as you need a valid rootfs to work, and a valid rootfs for an unprivileged container has to fit the user namespace which will be created upon startup of the container. "/" is not a valid rootfs for an unprivileged container as the uid mappings are totally out of line.

You therefore need to at least create one container using lxc-create or manually create a rootfs using mmdebstrap or whatever fits best.

> I pasted full logs above.

You pasted truncated logs, and actually did not follow the README.

> Please try to be respectful and helpful, do not reproduce on a
> configured machine, and leave bug triaging to the lxc experts.

Being one of the LXC maintainers, I'm totally entitled to triage your bug report, especially since what you claim to be a bug does not look like one. I won't reply to your assumption about my expertise.

Please follow the README properly and if that fails please come back with full logs.

With best regards,

--
PEB
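
Added example, not part of the message above and not LXC code: a Python sketch of how the lxc.idmap lines quoted from the README translate host ids into container ids, which shows why files under "/" (owned by host uid 0) have no valid owner inside the unprivileged container. The helper names and the sample host ids are assumptions made for illustration; 65534 is the kernel's default overflow id for unmapped owners.

```python
from typing import NamedTuple, Optional

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid shown for unmapped ids


class IdMap(NamedTuple):
    kind: str        # "u" for uids, "g" for gids
    ns_start: int    # first id inside the container
    host_start: int  # first id on the host
    count: int       # length of the mapped range


def parse_idmaps(config):
    """Extract lxc.idmap entries from LXC configuration text."""
    maps = []
    for line in config.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "lxc.idmap":
            kind, ns_start, host_start, count = value.split()
            maps.append(IdMap(kind, int(ns_start), int(host_start), int(count)))
    return maps


def host_to_container(maps, kind, host_id) -> Optional[int]:
    """Return the in-container id for a host id, or None if it is unmapped."""
    for m in maps:
        if m.kind == kind and m.host_start <= host_id < m.host_start + m.count:
            return m.ns_start + (host_id - m.host_start)
    return None


def seen_in_container(maps, kind, host_id):
    """Owner id the container sees: unmapped host ids collapse to the overflow id."""
    mapped = host_to_container(maps, kind, host_id)
    return OVERFLOW_ID if mapped is None else mapped


# The lxc.idmap lines are the ones quoted in the message; sample ids below are constructed.
README_CONFIG = """\
lxc.include = /etc/lxc/default.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""

if __name__ == "__main__":
    maps = parse_idmaps(README_CONFIG)
    for host_uid in (0, 1000, 100000, 100033, 165535, 165536):
        print(f"host uid {host_uid:>6} -> container uid {seen_in_container(maps, 'u', host_uid)}")
```

Host uid 0, the owner of most of "/", falls outside the 100000-165535 range, so container root (host uid 100000) cannot own or modify those files; a rootfs produced for the container has its files owned inside the mapped range instead.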