On Feb 17, 2014, at 11:11 AM, Serge Hallyn <serge.hal...@ubuntu.com> wrote:

> Quoting Brian Campbell (lam...@continuation.org):
>> I tried the demo_userns.c example code from this LWN article 
>> https://lwn.net/Articles/532593/ and got the same result:
>> 
>> lambda@gherkin:userns$ ./demo_userns
>> clone: Operation not permitted
>> 
>> So it looks like something is preventing me from calling 
>> clone(CLONE_NEWUSER) or unshare(CLONE_NEWUSER).
>> 
>> I can't find any documentation on CLONE_NEWUSER outside of that LWN article, 
>> and it indicates that as of 3.8, no privilege should be needed to call 
>> clone(CLONE_NEWUSER), so I'm somewhat puzzled as to why this is failing.
> 
> Without looking at the rest of this thread, it basically has to be
> either your kernel doesn't have CONFIG_USER_NS=y (which I wouldn't
> expect before a 3.13 or at least 3.12 kernel), or your distro kernel
> has a sysctl patch to turn off unprivileged CLONE_NEWUSER by default.
> You can find out whether it's the latter by just trying CLONE_NEWUSER
> as root.  If that works, then look under /proc/sys/kernel for something
> called *userns* or *unpriv* and set it to 1 :)

Ah, that's the ticket:

lambda@gherkin:~$ cat /proc/sys/kernel/unprivileged_userns_clone
0

Looks like this is a Debian-specific patch, which is why looking at the 
upstream kernel source left me puzzled about why I'd be getting an EPERM.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712870

* namespaces: Enable USER_NS (Closes: #712870)
     - Restrict creation of user namespaces to root (CAP_SYS_ADMIN) by
       default (sysctl: kernel.unprivileged_userns_clone)

Works much better when I flip that to 1!

    lambda@gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t download -- -d ubuntu -r precise -a amd64
    Setting up the GPG keyring
    Downloading the image index
    Downloading the rootfs
    Downloading the metadata
    The image cache is now ready
    Unpacking the rootfs

    ---
    You just created an Ubuntu container (release=precise, arch=amd64).
    The default username/password is: ubuntu / ubuntu
    To gain root privileges, please use sudo.

Now I need to figure out what is required for the setup of cgroups, since now 
that's failing. It looks like it's trying to clear out the cgroup hierarchy to 
be able to set it up differently, but obviously doesn't have permissions to do 
so. I'm running systemd, which uses the cgroup hierarchy already. I've seen 
references to cgroup-lite, cgroup-bin, and cgroup-tools; do I need one of these 
packages to set up cgroups appropriately for unprivileged containers? Or is 
it possible to do natively with systemd?

lambda@gherkin:lxc$ lxc-start -n precise-test
lxc_container: Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cups.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/gdomap.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cups-browsed.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/netatalk.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/udisks2.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/colord.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/upower.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/winbind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/smbd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/console-kit-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/acpid.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/polkitd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/gdm3.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/getty@.service/getty@tty1.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/getty@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/accounts-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/network-manager.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/dbus.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/rsyslog.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-logind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ntp.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ssh.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cron.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/nmbd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/avahi-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/incron.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/atd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/minissdpd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/exim4.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/mdadm.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ifup@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/nfs-common.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/rpcbind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-fsck@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-udevd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-journald.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
lxc_container: failed creating cgroups
lxc_container: failed to spawn 'precise-test'

-- Brian
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
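The diagnosis Serge spells out above (EPERM from clone/unshare with CLONE_NEWUSER, then check for the distro sysctl) as an added, self-contained C probe; this is example code written for this page, not the LWN demo_userns.c nor anything from LXC. It assumes only the sysctl path quoted in the thread, /proc/sys/kernel/unprivileged_userns_clone, and the documented unshare(2) errnos (EINVAL when the kernel lacks CONFIG_USER_NS, EPERM when creation is refused).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes of an unshare(CLONE_NEWUSER) attempt, following the two causes Serge names. */
enum userns_diag {
    USERNS_OK = 0,             /* user namespace created */
    USERNS_NO_CONFIG_USER_NS,  /* EINVAL: kernel built without CONFIG_USER_NS */
    USERNS_SYSCTL_DISABLED,    /* EPERM and kernel.unprivileged_userns_clone == 0 */
    USERNS_EPERM_OTHER,        /* EPERM but no such sysctl, or it is already 1 */
    USERNS_OTHER_ERROR
};

/* Read the Debian/Ubuntu sysctl. Returns 0 or 1, or -1 when the file does not
 * exist (upstream kernels have no such knob) or cannot be parsed. */
int read_unpriv_userns_sysctl(const char *path) {
    FILE *f = fopen(path, "r");
    int v = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}
/* Pure classification, so the decision logic is testable without unsharing. */
enum userns_diag classify_userns_failure(int unshare_rc, int err, int sysctl_value) {
    if (unshare_rc == 0) return USERNS_OK;
    if (err == EINVAL) return USERNS_NO_CONFIG_USER_NS;
    if (err == EPERM) return sysctl_value == 0 ? USERNS_SYSCTL_DISABLED : USERNS_EPERM_OTHER;
    return USERNS_OTHER_ERROR;
}
/* Probe for real in a forked child so the caller's own namespaces are untouched;
 * the child hands errno back through its exit status (EPERM=1, EINVAL=22 fit). */
enum userns_diag probe_userns(void) {
    int sysctl_value = read_unpriv_userns_sysctl("/proc/sys/kernel/unprivileged_userns_clone");
    pid_t pid = fork();
    if (pid < 0) return USERNS_OTHER_ERROR;
    if (pid == 0) _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : (errno & 0xff));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return USERNS_OTHER_ERROR;
    int err = WEXITSTATUS(status);
    return classify_userns_failure(err == 0 ? 0 : -1, err, sysctl_value);
}
int main(void) {
    enum userns_diag d = probe_userns();
    printf("diagnosis: %d (0=ok, 1=no CONFIG_USER_NS, 2=sysctl is 0, 3=other EPERM, 4=other)\n", d);
    return d == USERNS_OK ? 0 : 1;
}
```

Run it once as the unprivileged user and once as root: diagnosis 2 as the user with 0 as root is exactly the Debian sysctl case from the thread, while 3 for both points somewhere other than that knob.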