Quoting Brian Campbell (lam...@continuation.org):
> On Feb 17, 2014, at 11:11 AM, Serge Hallyn <serge.hal...@ubuntu.com> wrote:
>
> > Quoting Brian Campbell (lam...@continuation.org):
> >> I tried the demo_userns.c example code from this LWN article
> >> https://lwn.net/Articles/532593/ and got the same result:
> >>
> >> lambda@gherkin:userns$ ./demo_userns
> >> clone: Operation not permitted
> >>
> >> So it looks like something is preventing me from calling
> >> clone(CLONE_NEWUSER) or unshare(CLONE_NEWUSER).
> >>
> >> I can't find any documentation on CLONE_NEWUSER outside of that LWN
> >> article, and it indicates that as of 3.8, no privilege should be needed to
> >> call clone(CLONE_NEWUSER), so I'm somewhat puzzled as to why this is
> >> failing.
> >
> > Without looking at the rest of this thread, it basically has to be
> > either your kernel doesn't have CONFIG_USER_NS=y (which I wouldn't
> > expect before a 3.13 or at least 3.12 kernel), or your distro kernel
> > has a sysctl patch to turn off unprivileged CLONE_NEWUSER by default.
> > You can find out whether it's the latter by just trying CLONE_NEWUSER
> > as root. If that works, then look under /proc/sys/kernel for something
> > called *userns* or *unpriv* and set it to 1 :)
>
> Ah, that's the ticket:
>
> lambda@gherkin:~$ cat /proc/sys/kernel/unprivileged_userns_clone
> 0
>
> Looks like this is a Debian-specific patch,
*cough* pls not to ask how i knew to query it kthx

> which is why looking at the upstream kernel source left me puzzled about why
> I'd be getting an EPERM.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712870
>
> * namespaces: Enable USER_NS (Closes: #712870)
> - Restrict creation of user namespaces to root (CAP_SYS_ADMIN) by
> default (sysctl: kernel.unprivileged_userns_clone)
>
> Works much better when I flip that to 1!
>
> lambda@gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t
> download -- -d ubuntu -r precise -a amd64
> Setting up the GPG keyring
> Downloading the image index
> Downloading the rootfs
> Downloading the metadata
> The image cache is now ready
> Unpacking the rootfs
>
> ---
> You just created an Ubuntu container (release=precise, arch=amd64).
> The default username/password is: ubuntu / ubuntu
> To gain root privileges, please use sudo.
>
> Now I need to figure out what is required for the setup of cgroups,
> since now that's failing. It looks like it's trying to clear out the
> cgroup hierarchy to be able to set it up differently, but obviously
> doesn't have permissions to do so. I'm running systemd, which uses the
> cgroup hierarchy already. I've seen references to cgroup-lite,
> cgroup-bin, and cgroup-tools; do I need one of these packages to
> set up cgroups appropriately for unprivileged containers? Or is it
> possible to do natively with systemd?
>
> lambda@gherkin:lxc$ lxc-start -n precise-test
> lxc_container: Could not set clone_children to 1 for cpuset hierarchy in
> parent cgroup.

I thought we'd stopped doing that, but I guess not fully. Could you try this patch?

Subject: [PATCH 1/1] continue if we cannot set cpuset.clonechildren

Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
---
 src/lxc/cgfs.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c
index 5ca796e..0641063 100644
--- a/src/lxc/cgfs.c
+++ b/src/lxc/cgfs.c
@@ -2051,16 +2051,15 @@ static int handle_cgroup_settings(struct cgroup_mount_point *mp, struct stat sb; if (!cc_path) - return -1; + goto set_need_init; /* cgroup.clone_children is not available when running under * older kernel versions; in this case, we'll initialize * cpuset.cpus and cpuset.mems later, after the new cgroup * was created */ if (stat(cc_path, &sb) != 0 && errno == ENOENT) { - mp->need_cpuset_init = true; free(cc_path); - return 0; + goto set_need_init; } r = lxc_read_from_file(cc_path, buf, 1); if (r == 1 && buf[0] == '1') { @@ -2071,9 +2070,13 @@ static int handle_cgroup_settings(struct cgroup_mount_point *mp, saved_errno = errno; free(cc_path); errno = saved_errno; - return r < 0 ? -1 : 0; + if (r < 0) + goto set_need_init; } return 0; +set_need_init: + mp->need_cpuset_init = true; + return 0; } static int cgroup_read_from_file(const char *fn, char buf[], size_t bufsize) -- 1.9.rc1 _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
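Review bot: In the first hunk, replacing `if (!cc_path) return -1;` with `goto set_need_init;` folds what is presumably an allocation failure (cc_path is heap-allocated, given the `free(cc_path)` calls below) into the "cgroup.clone_children not available" case with no diagnostic, so the only symptom would be a later attempt to initialize cpuset.cpus and cpuset.mems. Suggest keeping `return -1` for the NULL case, or at least emitting a SYSERROR/WARN before the goto so the two situations can be told apart in the log. The ENOENT branch itself looks right: `free(cc_path)` still precedes the goto, and the assignment to `mp->need_cpuset_init` now lives in one place.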
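Review bot: In the second hunk, `if (r < 0) goto set_need_init;` silently swallows a read/write failure on cgroup.clone_children, which for an unprivileged user is most likely EACCES, exactly the reporter's situation, so the user gets no hint that cpuset initialization was deferred because of a permission problem rather than a missing file. Since `errno = saved_errno;` is restored just above, a `WARN("... %s", strerror(errno))` (or equivalent log call) before the goto costs nothing and keeps the failure visible. Minor: the subject says "cpuset.clonechildren" while the file the code touches is cgroup.clone_children.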
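The two causes Serge lists in the quoted part of this message (a kernel without CONFIG_USER_NS, or a distro sysctl that disables unprivileged CLONE_NEWUSER) can be checked programmatically. The following is an added example, not code from this thread or from LXC: it tries unshare(CLONE_NEWUSER) in a forked child so the calling process is left untouched, and on failure consults the Debian/Ubuntu knob at /proc/sys/kernel/unprivileged_userns_clone (the path quoted above). The verdict enum, the helper names and the EINVAL-means-no-CONFIG_USER_NS mapping (taken from unshare(2)) are this example's own choices.

```c
/* userns_probe.c: added example, not code from this thread or from LXC.
 * Try CLONE_NEWUSER as an unprivileged user and explain a failure using
 * the sysctl named in the thread.  Verdict names and helpers are ours. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case sched.h was pulled in without _GNU_SOURCE in effect. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/* Path quoted in the thread (Debian-specific sysctl, absent upstream). */
#define USERNS_SYSCTL "/proc/sys/kernel/unprivileged_userns_clone"

enum userns_verdict {
    USERNS_OK,           /* unprivileged CLONE_NEWUSER works */
    USERNS_SYSCTL_OFF,   /* kernel.unprivileged_userns_clone is 0 */
    USERNS_NOT_COMPILED, /* kernel built without CONFIG_USER_NS (EINVAL) */
    USERNS_OTHER         /* some other reason; inspect the errno */
};

/* Pure classification, separated from the syscall so it can be unit-tested.
 * err: errno from a failed unshare(CLONE_NEWUSER), 0 on success.
 * sysctl_val: the sysctl's value, or -1 if the file does not exist. */
enum userns_verdict classify_userns(int err, int sysctl_val)
{
    if (err == 0)
        return USERNS_OK;
    if (err == EPERM && sysctl_val == 0)
        return USERNS_SYSCTL_OFF;
    if (err == EINVAL)
        return USERNS_NOT_COMPILED;
    return USERNS_OTHER;
}

/* Read an integer sysctl from procfs; -1 if absent or unreadable. */
int read_int_sysctl(const char *path)
{
    FILE *f = fopen(path, "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Attempt unshare(CLONE_NEWUSER) in a child so our own namespaces stay as
 * they are.  Returns 0 on success, else the errno the child saw (or the
 * errno from fork/waitpid; ECHILD if the child did not exit normally). */
int probe_unshare_newuser(void)
{
    pid_t pid = fork();
    int status = 0;

    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno & 0xff); /* exit status is 8 bits; errno values fit */
    }
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    if (!WIFEXITED(status))
        return ECHILD;
    return WEXITSTATUS(status);
}

int main(void)
{
    int err = probe_unshare_newuser();
    int knob = read_int_sysctl(USERNS_SYSCTL);

    switch (classify_userns(err, knob)) {
    case USERNS_OK:
        puts("unprivileged CLONE_NEWUSER works");
        break;
    case USERNS_SYSCTL_OFF:
        puts("EPERM and " USERNS_SYSCTL " is 0: distro sysctl disables it");
        break;
    case USERNS_NOT_COMPILED:
        puts("EINVAL: kernel lacks CONFIG_USER_NS");
        break;
    default:
        printf("CLONE_NEWUSER failed: %s (sysctl value %d)\n",
               strerror(err), knob);
    }
    return 0;
}
```

Run it as the unprivileged user that hit the EPERM; on an upstream kernel the sysctl file is absent, so an EPERM there points at something other than the Debian knob (a chroot, for instance) and lands in USERNS_OTHER with the errno printed.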