On Wed, Nov 13, 2013 at 11:23 PM, Serge Hallyn <serge.hal...@ubuntu.com> wrote:

> Quoting Fajar A. Nugraha (l...@fajar.net):
> > On Wed, Nov 13, 2013 at 5:11 PM, Daniel P. Berrange <berra...@redhat.com> wrote:
> >
> > > For a start I think you should update to the current Fedora 19
> > > kernels which are version 3.11.6. Then I'd suggest taking the
> > > Fedora kernel src.rpm and just setting the CONFIG_USER_NS var
> > > in its config file, rather than trying to navigate the menus.
> > >
> > > We're not supporting user namespaces in Fedora until at least
> > > Fedora 21, since we don't consider the implementation sufficiently
> > > mature / secure to enable it sooner.
> > >
> > >
> > Is there an example somewhere on how to enable user namespace in lxc,
> > preferably using manual steps? e.g. which lxc configuration directive
> > enables it?
>
> For non-libvirt lxc, I've shown a few times a more manual way to do it
> on s3hh.wordpress.com, however, the pieces are there now so that you
> should be able to just add
>
>         lxc.id_map = u 0 100000 9999
>         lxc.id_map = g 0 100000 9999
>
> to a copy of /etc/lxc/lxc.conf, then do
>
>         lxc-create -t ubuntu-cloud -n u1 -f /copy/of/lxc.conf
>
> I've been focusing on unprivileged creation, and don't think I've
> yet pushed the fixes needed for root to be able to do that.   (which
> is complicated by newuidmap not letting root use arbitrary subuids)
>
>

Hmmm ... I got this on my system.
As normal user:
$ lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
You lack access to /var/lib/lxc

... and after editing permission on /var/lib/lxc, I get this
$ lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
lxc_container: No such file or directory - Failed executing usernsexec
lxc_container: Error chowning /var/lib/lxc/u1/rootfs to container root

lxc_container: Error creating backing store type (none) for u1
lxc_container: Error creating container u1

A "strace -f" shows it's looking for "lxc-usernsexec", which is not
available. Which package has that?



When testing as root (which, if I read your post correctly, is not possible
yet):
# lxc-create -t ubuntu-cloud -n u1 -f /etc/lxc/user.conf
ubuntu-cloudimg-query is /usr/bin/ubuntu-cloudimg-query
wget is /usr/bin/wget
--2013-11-14 04:34:08--  https://cloud-images.ubuntu.com/server/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz
Resolving cloud-images.ubuntu.com (cloud-images.ubuntu.com)... 91.189.88.141
Connecting to cloud-images.ubuntu.com (cloud-images.ubuntu.com)|91.189.88.141|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cloud-images.ubuntu.com/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz [following]
--2013-11-14 04:34:10--  https://cloud-images.ubuntu.com/releases/raring/release-20131022/ubuntu-13.04-server-cloudimg-amd64-root.tar.gz
Reusing existing connection to cloud-images.ubuntu.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 213508744 (204M) [application/x-gzip]
Saving to: ‘ubuntu-13.04-server-cloudimg-amd64-root.tar.gz’

100%[============================================================================================================>]
213,508,744  503KB/s   in 9m 27s

2013-11-14 04:43:37 (368 KB/s) - ‘ubuntu-13.04-server-cloudimg-amd64-root.tar.gz’ saved [213508744/213508744]

Extracting container rootfs
Container u1 created.

# lxc-start -n u1
lxc-start: Operation not permitted - failed to mount 'proc' on '/usr/lib/x86_64-linux-gnu/lxc/proc'
lxc-start: failed to setup the mounts for 'u1'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'u1'



This is my /etc/lxc/user.conf:
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up

lxc.id_map = u 0 100000 9999
lxc.id_map = g 0 100000 9999


Test system is Ubuntu raring,
lxc 1.0.0~alpha2+master~20131112-2220-0ubuntu1~ppa1~raring1 from daily
ppa, linux-image-3.12.0-2-generic from trusty.

-- 
Fajar
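
Added example, not part of the original post and not LXC's own code: a simplified pre-flight check that compares the lxc.id_map lines of a config against the subordinate ID ranges delegated to a user, since newuidmap and newgidmap only write ranges listed for the caller in /etc/subuid and /etc/subgid. The user name "alice" and the subuid/subgid contents are constructed sample data; only the id_map values come from the thread.

```python
import re

# Constructed sample inputs (assumptions, not taken from the poster's system).
SAMPLE_CONF = """\
lxc.network.type = veth
lxc.id_map = u 0 100000 9999
lxc.id_map = g 0 100000 9999
"""
SAMPLE_SUBUID = "alice:100000:65536\n"
SAMPLE_SUBGID = "alice:165536:65536\n"  # deliberately does not cover 100000

# lxc.id_map = <u|g> <first id in container> <first id on host> <count>
ID_MAP = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_maps(conf_text):
    """Return [(kind, container_start, host_start, count)] from lxc.id_map lines."""
    maps = []
    for line in conf_text.splitlines():
        m = ID_MAP.match(line)
        if m:
            maps.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return maps

def parse_subid(text, user):
    """Return [(start, count)] delegated to `user` in subuid/subgid-format text."""
    ranges = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges

def check_maps(conf_text, subuid_text, subgid_text, user):
    """Return a list of problems; an empty list means every map is delegated."""
    allowed = {"u": parse_subid(subuid_text, user), "g": parse_subid(subgid_text, user)}
    problems = []
    for kind, _cstart, hstart, count in parse_id_maps(conf_text):
        hend = hstart + count  # exclusive end of the requested host range
        if not any(s <= hstart and hend <= s + c for s, c in allowed[kind]):
            problems.append(f"{kind} map {hstart}-{hend - 1} not delegated to {user}")
    return problems

if __name__ == "__main__":
    for problem in check_maps(SAMPLE_CONF, SAMPLE_SUBUID, SAMPLE_SUBGID, "alice"):
        print(problem)
```

On a real host, pass the contents of the container config, /etc/subuid and /etc/subgid instead of the sample strings.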
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
