Hi, I know this is definitely not on the list of things regularly tested, but I have a scenario where I'm trying to run an unprivileged LXC container inside a docker container. The docker container is privileged and I would like the LXC container to be unprivileged. I have set up /etc/subuid and /etc/subgid in both the host and the docker container. Currently lxc-start fails with: lxc_conf - conf.c:lxc_setup_rootfs:1323 - Failed to mount rootfs "/data/vm/mount/bind/rootdir" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)" (lxc-3.0).
I don't understand why it is failing the mount. Using strace I can see:

565 access("/usr/lib/x86_64-linux-gnu/lxc", F_OK) = 0
565 stat("/data/rootdir", 0x7ffcd1c5a7f0) = -1 EACCES (Permission denied)

where /data/rootdir is my rootdir for the container and its contents are owned by the subuid/subgid I allocated. Longer quote from the log:

lxc-start container 20180425170139.363 INFO lxc_start - start.c:do_start:1070 - Unshared CLONE_NEWNET
lxc-start container 20180425170139.364 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2745 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start container 20180425170139.364 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2745 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start container 20180425170139.364 DEBUG lxc_conf - conf.c:lxc_map_ids:2833 - Functional newuidmap and newgidmap binary found
lxc-start container 20180425170139.370 DEBUG lxc_start - start.c:lxc_spawn:1668 - Preserved net namespace via fd 10
lxc-start container 20180425170139.388 DEBUG lxc_network - network.c:lxc_network_move_created_netdev_priv:2479 - Moved network device "vethVGW02V"/"(null)" to network namespace of 657
lxc-start container 20180425170139.388 NOTICE lxc_utils - utils.c:lxc_switch_uid_gid:2029 - Switched to gid 0.
lxc-start container 20180425170139.388 NOTICE lxc_utils - utils.c:lxc_switch_uid_gid:2035 - Switched to uid 0.
lxc-start container 20180425170139.388 NOTICE lxc_utils - utils.c:lxc_setgroups:2047 - Dropped additional groups.
lxc-start container 20180425170139.389 INFO lxc_start - start.c:do_start:1177 - Unshared CLONE_NEWCGROUP
lxc-start container 20180425170139.393 ERROR lxc_conf - conf.c:lxc_setup_rootfs:1323 - Failed to mount rootfs "/data/rootdir" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)"
lxc-start container 20180425170139.393 ERROR lxc_conf - conf.c:do_rootfs_setup:3266 - Failed to setup rootfs for
lxc-start container 20180425170139.393 ERROR lxc_conf - conf.c:lxc_setup:3311 - Failed to setup rootfs

Any clues where to look?

Thanks,
Eytan
_______________________________________________ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
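A small diagnostic, added here as an example and not part of Eytan's post or of LXC itself: it checks every ancestor directory of a rootfs path for the search (x) bit as seen from the container's mapped uid/gid, which is one common way a stat() like the one in the strace output above ends in EACCES even though the directory's own contents are correctly owned. The temporary directory tree and the mapped ids (first subuid/subgid assumed to be 100000) are constructed values, not taken from the post.

```python
# Added example, not from the original post: reproduce the kind of EACCES the
# strace above shows and locate which directory blocks the path lookup.
import os
import stat
import tempfile

def can_search(st, uid, gid, groups=()):
    """True if identity (uid, gid, groups) has the search (x) bit on this inode.
    Mirrors the kernel's DAC ordering: owner, then group, then other."""
    if uid == 0:
        return True                      # root has CAP_DAC_READ_SEARCH
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocking_dir(path, uid, gid, groups=()):
    """Walk every ancestor directory of `path` (not `path` itself, since stat()
    needs no permission on the final component) and return the first one the
    given identity cannot traverse, or None if the whole path is reachable."""
    parts = os.path.abspath(path).strip("/").split("/")
    current = "/"
    for part in parts[:-1]:
        current = os.path.join(current, part)
        if not can_search(os.stat(current), uid, gid, groups):
            return current
    return None

def demo(mapped_uid=100000, mapped_gid=100000):
    """Constructed tree: <tmp>/data/rootdir with <tmp>/data mode 0700, as seen
    from the assumed first subuid/subgid of the container (100000)."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o711)                # ancestors must be searchable by others
    data = os.path.join(base, "data")
    rootdir = os.path.join(data, "rootdir")
    os.makedirs(rootdir)
    os.chmod(data, 0o700)                # only the owner (us) can traverse data/
    blocked = first_blocking_dir(rootdir, mapped_uid, mapped_gid)
    os.chmod(data, 0o711)                # grant search to everyone: x only, no r
    fixed = first_blocking_dir(rootdir, mapped_uid, mapped_gid)
    return blocked == data, fixed is None

if __name__ == "__main__":
    print(demo())                        # (True, True)
```

Run it against the real path with the container's actual mapped ids; a non-None result names the directory whose mode needs an execute bit for the mapped identity, while None means the lookup failure lies elsewhere (e.g. mount options or the rootfs itself).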