On Sun, Feb 16, 2014 at 03:51:50AM -0500, Brian Campbell wrote:
> I'm running Debian Jessie (testing), and compiled lxc from a fresh git clone
> (7da8ab1: close inherited fds when we still have proc mounted). I would like
> to create a user container without using root privileges, so I set up UID
> mappings such that my user ID would map to root within the container. From
> what I can tell, this is all that should be necessary to get it to use user
> namespaces to operate unprivileged:
>
> lambda@gherkin:lxc$ cat ~/.config/lxc/default.conf
> lxc.id_map = u 0 1000 9999
> lxc.id_map = g 0 1000 9999
> lambda@gherkin:lxc$ id
> uid=1000(lambda) gid=1000(lambda)
> groups=1000(lambda),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),104(scanner),109(bluetooth),112(netdev),125(vboxusers)

From the above, it seems like you didn't configure /etc/subuid and /etc/subgid.
Without those (and a version of the shadow package which supports them), you
won't be able to switch to those UID ranges.

> However, when I try to create the container with lxc-create, I get an
> "unshare: Operation not permitted" error, and then a later error about trying
> to chown the directory to the container root. Any ideas? Did I do something
> wrong?
>
> lambda@gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t
> download -- -d ubuntu -r precise -a amd64
> unshare: Operation not permitted
> read pipe: No such file or directory
> lxc-create: Error chowning /home/lambda/.local/share/lxc/precise-test/rootfs
> to container root
> lxc-create: Error creating backing store type (none) for precise-test
> lxc-create: Error creating container precise-test
> lambda@gherkin:lxc$ cat lxc.log
> lxc-create 1392539899.116 WARN lxc_log - lxc_log_init called with
> log already initialized
> lxc-create 1392539899.116 INFO lxc_confile - read uid map: type u
> nsid 0 hostid 1000 range 9999
> lxc-create 1392539899.116 INFO lxc_confile - read uid map: type g
> nsid 0 hostid 1000 range 9999
> lxc-create 1392539899.118 ERROR lxc_container - Error chowning
> /home/lambda/.local/share/lxc/precise-test/rootfs to container root
> lxc-create 1392539899.118 ERROR lxc_container - Error creating
> backing store type (none) for precise-test
> lxc-create 1392539899.119 ERROR lxc_create_ui - Error creating
> container precise-test
> lambda@gherkin:lxc$ lxc-checkconfig
> Kernel configuration not found at /proc/config.gz; searching...
> Kernel configuration found at /boot/config-3.12-1-amd64
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> User namespace: enabled
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
>
> --- Control groups ---
> Cgroup: enabled
> Cgroup clone_children flag: enabled
> Cgroup device: enabled
> Cgroup sched: enabled
> Cgroup cpu account: enabled
> Cgroup memory controller: enabled
> Cgroup cpuset: enabled
>
> --- Misc ---
> Veth pair device: enabled
> Macvlan: enabled
> Vlan: enabled
> File capabilities: enabled
>
> Note : Before booting a new kernel, you can check its configuration
> usage : CONFIG=/path/to/config /usr/local/bin/lxc-checkconfig
>
> -- Brian
> _______________________________________________
> lxc-devel mailing list
> lxc-devel@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
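The point of the reply above is that lxc-checkconfig only tells you the kernel can create user namespaces; it says nothing about whether the host has delegated any subordinate IDs to your account. That delegation lives in /etc/subuid and /etc/subgid (one "name:start:count" line per allocation, as documented in subuid(5)), and newuidmap/newgidmap from shadow, which LXC relies on to write a ranged uid_map/gid_map for an unprivileged user, refuse any mapping outside those lines. The following POSIX sh check is an added example, not code from this thread, from LXC or from shadow: it parses the two files, reads each lxc.id_map line of a config, and reports whether the host range is actually delegated to the given user. The file contents, the user "alice" and her allocation are constructed for the example; the "lambda" mapping mirrors the poster's default.conf.

```sh
#!/bin/sh
# Added example (not LXC's or the poster's code): check whether the host ID
# range named by an lxc.id_map line is delegated to the user in
# /etc/subuid or /etc/subgid ("name:start:count" lines, see subuid(5)).

# range_delegated FILE USER HOSTID COUNT
# Succeeds when [HOSTID, HOSTID+COUNT-1] lies inside one "USER:START:COUNT"
# line of FILE; a mapping that straddles two allocations is rejected, which
# matches what newuidmap/newgidmap accept.
range_delegated() {
    file=$1 user=$2 hostid=$3 count=$4
    want_end=$((hostid + count - 1))
    while IFS=: read -r owner start len; do
        case "$owner" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        [ "$owner" = "$user" ] || continue
        have_end=$((start + len - 1))
        if [ "$hostid" -ge "$start" ] && [ "$want_end" -le "$have_end" ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# check_idmap SUBUID_FILE SUBGID_FILE USER "type nsid hostid range"
# Parses the value of one lxc.id_map line and consults the matching file.
# Returns 0 if delegated, 1 if not, 2 on a malformed value.
check_idmap() {
    subuid=$1 subgid=$2 user=$3 value=$4
    set -- $value                       # split "u 0 1000 9999" into 4 words
    [ $# -eq 4 ] || return 2
    type=$1 hostid=$3 range=$4          # $2 (nsid) is the container-side id
    case "$type" in
        u) range_delegated "$subuid" "$user" "$hostid" "$range" ;;
        g) range_delegated "$subgid" "$user" "$hostid" "$range" ;;
        *) return 2 ;;
    esac
}

# audit_conf CONF USER SUBUID_FILE SUBGID_FILE
# Prints a verdict for every lxc.id_map line in CONF.
# Exit status is the number of lines the user cannot use (0 = all good).
audit_conf() {
    conf=$1 user=$2 subuid=$3 subgid=$4 bad=0
    while IFS= read -r line; do
        case "$line" in lxc.id_map*) ;; *) continue ;; esac
        value=${line#*=}
        if check_idmap "$subuid" "$subgid" "$user" "$value"; then
            echo "ok:            $line"
        else
            echo "NOT DELEGATED: $line (no matching range for $user)"
            bad=$((bad + 1))
        fi
    done < "$conf"
    return "$bad"
}

# Constructed sample files standing in for /etc/subuid, /etc/subgid and
# ~/.config/lxc/default.conf.  "lambda" (the poster) has no allocation;
# "alice" has the usual 65536 IDs.  The conf reproduces the poster's lines.
SAMPLE_SUBUID=$(mktemp) SAMPLE_SUBGID=$(mktemp) SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" "$SAMPLE_CONF"' EXIT
printf '%s\n' 'root:100000:65536' 'alice:165536:65536' > "$SAMPLE_SUBUID"
printf '%s\n' 'root:100000:65536' 'alice:165536:65536' > "$SAMPLE_SUBGID"
printf '%s\n' 'lxc.id_map = u 0 1000 9999' 'lxc.id_map = g 0 1000 9999' > "$SAMPLE_CONF"

# Audit the poster's config as user lambda: both lines come back NOT DELEGATED.
audit_conf "$SAMPLE_CONF" lambda "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" || :
```

Run it as the container user against the real files (/etc/subuid, /etc/subgid, ~/.config/lxc/default.conf). A "NOT DELEGATED" line means lxc-create will fail the way shown above no matter what lxc-checkconfig reports, because the kernel feature and the subordinate-ID delegation are two separate gates. If your shadow build supports it, usermod --add-subuids START-END --add-subgids START-END (run as root) is the documented way to add an allocation; then make the lxc.id_map host IDs and range fall inside it.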