On Fri, May 13, 2016 at 3:05 PM, Rémy Dernat <[email protected]> wrote:
> Hi,
>
> I am new on lxc, although, I used other container technologies in the
> past.
> I choose to switch to lxc for the userspace capabilities.
>

How do you define "userspace"? If you mean "lxc can be started by non-root users", root still needs to perform some configurations to allow them to do so.

> I followed this tutorial: https://help.ubuntu.com/lts/serverguide/lxc.html
>
> Works for me. For my first tests of lxc I was quite disappointed; the creation of
> containers works fine as sudo, but not when you try to run it as non-root
> user: http://paste.debian.net/683686/
>
> Debug information: http://paste.debian.net/683687/
>

Did you mix sudo in the commands? e.g. when using lxc-create, or mkdir? In general, you should NOT do so. For unprivileged containers, commands must be run as the normal user. And DON'T run it as root while su/sudo-ing to the user either, it won't work. Use "ssh" to login as the user. The exception is when preparing the system (e.g. installing packages, modifying /etc/sub[ug]id, /etc/lxc/lxc-usernet), where you (obviously) must be root.

Try again with a fresh system. Or, for test purposes, use a container with nesting enabled (e.g. https://insights.ubuntu.com/2016/04/15/lxd-2-0-lxd-in-lxd-812/ , setting security.nesting: true, and use THAT as your 'host').

> I also read this thread on ubuntuask:
> http://askubuntu.com/questions/623789/problem-setting-up-a-user-space-lxc-container
> But running its script and installing lxc from ppa archive in version 2.0
> did not change anything. Note that everything works as expected on ubuntu
> 16.04 (from Ubuntu apt official repositories; I did not try the lxc ppa).
> This problem only occurs on ubuntu 14.04.
>

Just tested this on a container-with-nesting-enabled as 14.04 host:

as root:

  add-apt-repository ppa:ubuntu-lxc/lxc-stable
  apt-get update
  apt-get install lxc

as normal user (ssh as the existing "ubuntu" user, then following the guide you linked, 'Basic unprivileged usage'):

  mkdir -p ~/.config/lxc
  echo "lxc.id_map = u 0 100000 65536" > ~/.config/lxc/default.conf
  echo "lxc.id_map = g 0 100000 65536" >> ~/.config/lxc/default.conf
  echo "lxc.network.type = veth" >> ~/.config/lxc/default.conf
  echo "lxc.network.link = lxcbr0" >> ~/.config/lxc/default.conf
  echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
  cat /proc/self/cgroup
  lxc-create -t download -n u1 -- -d ubuntu -r xenial -a amd64
  lxc-start -n u1
  lxc-attach -n u1

The "cat /proc/self/cgroup" command, I use it to check whether the user session is already on its own cgroup. In my case it looks like this:

$ cat /proc/self/cgroup
10:perf_event:/lxc/lxc-demo
9:memory:/lxc/lxc-demo/user/ubuntu/0
8:freezer:/lxc/lxc-demo/user/ubuntu/0
7:net_cls,net_prio:/lxc/lxc-demo
6:devices:/lxc/lxc-demo
5:cpu,cpuacct:/lxc/lxc-demo
4:blkio:/lxc/lxc-demo
3:cpuset:/lxc/lxc-demo
2:hugetlb:/lxc/lxc-demo
1:name=systemd:/lxc/lxc-demo/user/ubuntu/0

... while on a "normal" host it should look like this:

$ cat /proc/self/cgroup
10:perf_event:/
9:memory:/user.slice/user-1000.slice
8:freezer:/
7:net_cls,net_prio:/
6:devices:/user.slice/user-1000.slice
5:cpu,cpuacct:/user.slice/user-1000.slice
4:blkio:/user.slice/user-1000.slice
3:cpuset:/
2:hugetlb:/
1:name=systemd:/user.slice/user-1000.slice/session-3545.scope

The important thing is that there are some cgroups (e.g. memory, name=systemd) which start with "user-$UID.slice" or "user/$USER". On newer systems, this is created by libpam-cgfs. If you've installed older versions of lxc, you might still have 'cgmanager' and 'libpam-systemd', which might interfere with the correct functions. You might be hitting these limitations.
So again, my suggestion:

- start with a fresh system as host. Fresh install, VM, nesting-enabled-container, whatever
- add the ubuntu-lxc/lxc-stable ppa, install lxc. Make sure you have the latest version (2.0.0-0ubuntu2~ubuntu14.04.1~ppa1 on my test)
- use ssh to login as the user. Do NOT use su/sudo
- follow the example

If you CAN'T start with a fresh system, then you could probably have some luck by uninstalling old packages first (lxc, cgmanager, libpam-systemd, etc). I haven't tested this though, and you might end up wasting time. Always use a fresh system for testing purposes whenever possible.

One last possibly-obvious suggestion: if you can start over with 16.04, do so, and use lxd. Nicer, easier, cleaner. You can then create a nesting-capable-container for each of your users, and let them manage it (including creating their own containers under it).

--
Fajar
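As an added example that is not part of the thread (my own script, not Fajar's and not the LXC project's code), the following POSIX sh pre-flight script encodes the conditions the reply above describes before a non-root user runs lxc-create/lxc-start: the user's session must sit in a per-user cgroup ("user-$UID.slice" or "user/$USER" in the memory and name=systemd hierarchies), root must have given the user a sub-id range in /etc/subuid and /etc/subgid that matches the lxc.id_map lines, and /etc/lxc/lxc-usernet must grant the user veth interfaces on lxcbr0. The sample cgroup listings, the user name "ubuntu" and the temporary file paths used by the functions are constructed for illustration; the `check` driver at the bottom reads the real /proc/self/cgroup, /etc/subuid, /etc/subgid and /etc/lxc/lxc-usernet from the thread, and `write_user_config` writes the same four-line default.conf the reply builds with echo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pre-flight checks for
# unprivileged LXC on a 14.04/16.04-style host. Run against the live system
# with:  sh preflight.sh check
# Sample listings, user names and file paths below are constructed.

# user_cgroups_ok UID USER
# Reads a /proc/self/cgroup listing on stdin; returns 0 when BOTH the
# "memory" and "name=systemd" hierarchies are user-scoped, i.e. the path
# contains "user-<UID>.slice" (normal host) or "user/<USER>/" (as seen in
# the nesting-enabled container in the reply); returns 1 otherwise.
user_cgroups_ok() {
    awk -F: -v uid="$1" -v user="$2" '
        $2 == "memory" || $2 == "name=systemd" {
            if (index($3, "user-" uid ".slice") > 0 || index($3, "user/" user "/") > 0)
                ok[$2] = 1
        }
        END { if (ok["memory"] && ok["name=systemd"]) exit 0; exit 1 }'
}

# subid_ok USER FILE
# Returns 0 when FILE (/etc/subuid or /etc/subgid) has a "USER:start:count"
# line; root must add this before the id maps in default.conf can work.
subid_ok() {
    grep -q "^$1:" "$2"
}

# usernet_ok USER FILE
# Returns 0 when FILE (/etc/lxc/lxc-usernet) lets USER create at least one
# veth on a bridge, as the "$USER veth lxcbr0 2" line in the reply does.
usernet_ok() {
    awk -v user="$1" '
        $1 == user && $2 == "veth" && $4 + 0 > 0 { found = 1 }
        END { if (found) exit 0; exit 1 }' "$2"
}

# write_user_config PATH
# Writes the per-user default.conf from the reply. The 100000:65536 range
# must match the ranges root granted in /etc/subuid and /etc/subgid.
write_user_config() {
    mkdir -p "$(dirname "$1")"
    {
        echo "lxc.id_map = u 0 100000 65536"
        echo "lxc.id_map = g 0 100000 65536"
        echo "lxc.network.type = veth"
        echo "lxc.network.link = lxcbr0"
    } > "$1"
}

# Constructed, shortened versions of the two listings shown in the reply,
# plus a listing where the session is NOT in a per-user cgroup.
SAMPLE_NESTED='9:memory:/lxc/lxc-demo/user/ubuntu/0
1:name=systemd:/lxc/lxc-demo/user/ubuntu/0'
SAMPLE_HOST='10:perf_event:/
9:memory:/user.slice/user-1000.slice
6:devices:/user.slice/user-1000.slice
1:name=systemd:/user.slice/user-1000.slice/session-3545.scope'
SAMPLE_BAD='10:perf_event:/
9:memory:/
1:name=systemd:/'

# Driver: check the live system. Must run as the target user over ssh,
# not via su/sudo, or the cgroup check reports the wrong session.
if [ "${1:-}" = "check" ]; then
    me=$(id -un); uid=$(id -u)
    if user_cgroups_ok "$uid" "$me" < /proc/self/cgroup; then
        echo "cgroups: ok (session is under user-$uid.slice or user/$me)"
    else
        echo "cgroups: NOT user-scoped; see reply (fresh host, libpam-cgfs, no su/sudo)"
    fi
    subid_ok "$me" /etc/subuid && echo "subuid: ok" || echo "subuid: no range for $me"
    subid_ok "$me" /etc/subgid && echo "subgid: ok" || echo "subgid: no range for $me"
    usernet_ok "$me" /etc/lxc/lxc-usernet && echo "lxc-usernet: ok" || echo "lxc-usernet: no veth quota for $me"
fi
```

Usage: `sh preflight.sh check` as the unprivileged user; every line must say "ok" before `lxc-create -t download` is attempted, and a failing cgroups line points at the libpam-cgfs/cgmanager situation the reply describes rather than at LXC itself.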
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
