I'm running Debian Jessie (testing), and compiled lxc from a fresh git clone (7da8ab1: close inherited fds when we still have proc mounted). I would like to create a user container without using root privileges, so I set up UID mappings such that my user ID would map to root within the container. From what I can tell, this is all that should be necessary to get it to use user namespaces to operate unprivileged:
lambda@gherkin:lxc$ cat ~/.config/lxc/default.conf
lxc.id_map = u 0 1000 9999
lxc.id_map = g 0 1000 9999
lambda@gherkin:lxc$ id
uid=1000(lambda) gid=1000(lambda) groups=1000(lambda),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),104(scanner),109(bluetooth),112(netdev),125(vboxusers)

However, when I try to create the container with lxc-create, I get an "unshare: Operation not permitted" error, and then a later error about trying to chown the directory to the container root. Any ideas? Did I do something wrong?

lambda@gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t download -- -d ubuntu -r precise -a amd64
unshare: Operation not permitted
read pipe: No such file or directory
lxc-create: Error chowning /home/lambda/.local/share/lxc/precise-test/rootfs to container root
lxc-create: Error creating backing store type (none) for precise-test
lxc-create: Error creating container precise-test
lambda@gherkin:lxc$ cat lxc.log
lxc-create 1392539899.116 WARN lxc_log - lxc_log_init called with log already initialized
lxc-create 1392539899.116 INFO lxc_confile - read uid map: type u nsid 0 hostid 1000 range 9999
lxc-create 1392539899.116 INFO lxc_confile - read uid map: type g nsid 0 hostid 1000 range 9999
lxc-create 1392539899.118 ERROR lxc_container - Error chowning /home/lambda/.local/share/lxc/precise-test/rootfs to container root
lxc-create 1392539899.118 ERROR lxc_container - Error creating backing store type (none) for precise-test
lxc-create 1392539899.119 ERROR lxc_create_ui - Error creating container precise-test
lambda@gherkin:lxc$ lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.12-1-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/local/bin/lxc-checkconfig

-- 
Brian
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
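The following pre-flight script is an added example; it is not from Brian's post and not part of lxc itself. It covers the three things an unprivileged lxc-create needs beyond the lxc.id_map lines: the kernel must allow this uid to unshare(CLONE_NEWUSER) (checked with util-linux's "unshare -U", plus the Debian/Ubuntu kernel.unprivileged_userns_clone sysctl where that knob exists), the setuid newuidmap/newgidmap helpers from the uidmap package must be installed, and the host id range named in every lxc.id_map line must lie inside the user's allocation in /etc/subuid and /etc/subgid. The demo runs the post's map (u/g 0 1000 9999) against a constructed allocation of 65536 ids starting at 100000, which is an assumption about what a typical /etc/subuid entry looks like, not Brian's actual file.

```sh
#!/bin/sh
# Added example, not code from the post or from the lxc project: pre-flight
# checks for running lxc-create as an unprivileged user. The file paths,
# the sysctl name and the sample data below are assumptions / constructed.

# Print "start count" for USER's first allocation in a file in /etc/subuid
# (or /etc/subgid) format, i.e. lines of user:start:count. Prints nothing
# when USER has no allocation.
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Extract "type nsid hostid range" from every lxc.id_map line in CONF.
idmap_lines() {
    awk -F= '$1 ~ /^[ \t]*lxc\.id_map[ \t]*$/ { sub(/^[ \t]+/, "", $2); print $2 }' "$1"
}

# True (exit 0) when the host ids [hoststart, hoststart+range) used by an
# lxc.id_map line lie entirely inside the allocation [substart, substart+subcount).
range_within() {
    hoststart=$1; range=$2; substart=$3; subcount=$4
    [ "$hoststart" -ge "$substart" ] &&
        [ $((hoststart + range)) -le $((substart + subcount)) ]
}

# Compare every lxc.id_map entry in CONF with USER's allocations in the
# subuid/subgid files. Prints one verdict per entry; returns the number of
# entries that fail (0 means every map is covered).
check_idmaps() {
    conf=$1; user=$2; subuid=$3; subgid=$4
    bad=0; seen=0
    while read -r type nsid hostid range; do
        [ -n "$type" ] || continue
        seen=$((seen + 1))
        case $type in
            u) alloc=$(subid_range "$subuid" "$user") ;;
            g) alloc=$(subid_range "$subgid" "$user") ;;
            *) echo "$type: unknown id_map type"; bad=$((bad + 1)); continue ;;
        esac
        if [ -z "$alloc" ]; then
            echo "$type: $user has no allocation"; bad=$((bad + 1)); continue
        fi
        set -- $alloc   # $1 = start of allocation, $2 = count
        last=$((hostid + range - 1)); alast=$(($1 + $2 - 1))
        if range_within "$hostid" "$range" "$1" "$2"; then
            echo "$type: host ids $hostid..$last covered by allocation $1..$alast"
        else
            echo "$type: host ids $hostid..$last NOT covered by allocation $1..$alast"
            bad=$((bad + 1))
        fi
    done <<EOF
$(idmap_lines "$conf")
EOF
    [ "$seen" -gt 0 ] || { echo "no lxc.id_map entries in $conf"; bad=1; }
    return $bad
}

# Live checks against the running host; not exercised by the demo below.
# The sysctl is the Debian/Ubuntu knob for unprivileged CLONE_NEWUSER
# (assumption: present only on kernels carrying that patch). "unshare -U"
# is the util-linux flag for creating a new user namespace.
userns_allowed() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then
        echo "unprivileged user namespaces disabled: $f = 0"; return 1
    fi
    if unshare -U true 2>/dev/null; then
        echo "unshare -U works for uid $(id -u)"
    else
        echo "unshare -U failed: kernel refuses CLONE_NEWUSER for uid $(id -u)"; return 1
    fi
}

# lxc writes the id maps through the setuid helpers from the uidmap package.
helpers_ok() {
    for h in newuidmap newgidmap; do
        p=$(command -v "$h" 2>/dev/null) || { echo "$h not found"; return 1; }
        [ -u "$p" ] || { echo "$p is not setuid root"; return 1; }
    done
    echo "newuidmap/newgidmap present and setuid"
}

# Demo on constructed files (not the host's real ones): the post's map,
# u/g 0 1000 9999, against an assumed allocation of 65536 ids from 100000.
demo() {
    d=$(mktemp -d)
    printf 'lxc.id_map = u 0 1000 9999\nlxc.id_map = g 0 1000 9999\n' > "$d/default.conf"
    printf 'lambda:100000:65536\n' > "$d/subuid"
    cp "$d/subuid" "$d/subgid"
    check_idmaps "$d/default.conf" lambda "$d/subuid" "$d/subgid" ||
        echo "-> lxc.id_map must use ids inside the /etc/subuid and /etc/subgid allocations"
    rm -rf "$d"
}
demo
```

To run the live checks on the host in question, call userns_allowed and helpers_ok as the same user that runs lxc-create, and point check_idmaps at ~/.config/lxc/default.conf, /etc/subuid and /etc/subgid; a non-zero exit from any of the three is a prerequisite that lxc-create cannot supply on its own.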