Can't start new unprivileged container in Fedora 27 #1998
Comments
I'll try to check this issue next week, but for now I think opening a bug is good so others can check this out too :)
Right, I forgot to comment on this one. Fedora 27 comes with selinux enabled by default and a specific profile. All cgroups mounts in the cgroup filesystem carry a
@brauner in this case, disabling selinux should be enough to start containers? I tried here and it returned the same errors. Still checking why this is happening, so I don't know if some config is still necessary or this should be enough. Meanwhile, running as root worked out of the box!
Investigating more, it seems this issue has the same root cause as #1678, related to cgroup configuration when starting an unprivileged container, while starting a container as root works as expected.
The problem is that when you want to run containers as an unprivileged user with liblxc, you or your administrator need to make sure to place you in writable cgroups. When you are root liblxc can do it by itself obviously. liblxc expects at least the
(Doesn't place you in a writable cgroup for the unified hierarchy though. But that isn't required.)
@brauner that worked like a charm, thanks! For now, Fedora would need libcgroup-pam in order to make it work out of the box?
Haven't heard of libcgroup-pam yet. Doesn't Fedora ship lxcfs + libpam-cgfs?
I found libcgroup-pam in the Fedora repositories, but it seems this is a wrapper around libcg: https://www.rpmfind.net/linux/RPM/fedora/27/x86_64/l/libcgroup-pam-0.41-13.fc27.x86_64.html So far I didn't find any references to lxcfs and libpam-cgfs in the Fedora repositories. So, back to the blackboard...
If this issue is clearly not yet resolved, why is it closed? |
@jafd, the root cause of the problem is that unprivileged users on most systems will not be placed into writable cgroups at login time. lxc requires only the
@brauner, I have an unprivileged container which I can use as an unprivileged user if I use (as root) a script provided by stgraber in issue #1678. Now I would like to get rid of that script and instead use the pam module pam_cgfs from lxcfs. So I made a Fedora rpm from lxcfs and installed it (will share it if I get it to work). Then I placed
@laolux, sorry, totally missed your ping. I'm not sure how exactly pam modules are enabled on Fedora. Do you see anything interesting
@brauner Thanks for the reply. I was on vacation, so it took a bit longer. The pam module does not seem to fail. If I remove the pam_cgfs.so, then I get an error in journalctl, but if it's there, then I get the following line in journalctl:
Could it be that the permission is granted to a wrong parent? I was under the impression that when you move a process into a namespace, its subsequent children will inherit it. Not sure about existing children.
Can you show
after you logged in?
I get the same result when I remove the Maybe I loaded the cgfs module at the wrong time? I currently use
in
Try running |
```
$ lxc-start --version
2.1.0-devel

$ lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.13.16-300.fc27.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/memory
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/blkio
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/pids
/sys/fs/cgroup/freezer
/sys/fs/cgroup/devices
Cgroup v2 mount points:
/sys/fs/cgroup/unified
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

$ uname -a
Linux localhost.localdomain 4.13.16-300.fc27.x86_64 #1 SMP Mon Nov 27 18:19:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ cat /proc/self/cgroup
11:devices:/user.slice
10:freezer:/
9:pids:/user.slice/user-1000.slice/session-2.scope
8:perf_event:/
7:blkio:/
6:cpuset:/
5:net_cls,net_prio:/
4:hugetlb:/
3:cpu,cpuacct:/
2:memory:/
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
0::/user.slice/user-1000.slice/session-2.scope

$ cat /proc/1/mounts
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,seclabel,nosuid,size=2003156k,nr_inodes=500789,mode=755 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs ro,seclabel,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/unified cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,seclabel,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
pstore /sys/fs/pstore pstore rw,seclabel,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,seclabel,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,seclabel,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,seclabel,nosuid,nodev,noexec,relatime,hugetlb 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,seclabel,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,seclabel,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,seclabel,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,seclabel,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,seclabel,nosuid,nodev,noexec,relatime,pids 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,seclabel,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,seclabel,nosuid,nodev,noexec,relatime,devices 0 0
configfs /sys/kernel/config configfs rw,relatime 0 0
/dev/mapper/fedora-root / ext4 rw,seclabel,relatime,data=ordered 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=15534 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,relatime 0 0
mqueue /dev/mqueue mqueue rw,seclabel,relatime 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,seclabel,relatime,pagesize=2M 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
/dev/sda1 /boot ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/mapper/fedora-home /home ext4 rw,seclabel,relatime,data=ordered 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,seclabel,nosuid,nodev,relatime,size=403228k,mode=700,uid=1000,gid=1000 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
/dev/fuse /run/user/1000/doc fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
```
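As an added example (not code from this thread or from the lxc project), here is a small POSIX shell helper that turns brauner's diagnosis into a check: it reads `/proc/self/cgroup` text in the format pasted above and reports, per cgroup v1 controller, whether the login session still sits in the hierarchy's root cgroup (owned by root, so an unprivileged user cannot create a child cgroup for a container there) or in a sub-cgroup, and then whether the corresponding directory under the cgroup mount root is actually writable by the current user. The embedded sample input is the `/proc/self/cgroup` listing from this thread; the assumed mount layout (`/sys/fs/cgroup/<controller>`, with the named systemd hierarchy at `/sys/fs/cgroup/systemd`) matches the `/proc/1/mounts` output above.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from lxc itself.
# Classify cgroup v1 membership from /proc/self/cgroup text and check whether
# the matching directories under the cgroup mount root are writable by us.
# Assumption: v1 hierarchies are mounted as /sys/fs/cgroup/<controller>, with
# the named systemd hierarchy at /sys/fs/cgroup/systemd (as in the thread).

# Sample input: the /proc/self/cgroup listing pasted in this thread.
SAMPLE_CGROUP='11:devices:/user.slice
10:freezer:/
9:pids:/user.slice/user-1000.slice/session-2.scope
8:perf_event:/
7:blkio:/
6:cpuset:/
5:net_cls,net_prio:/
4:hugetlb:/
3:cpu,cpuacct:/
2:memory:/
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
0::/user.slice/user-1000.slice/session-2.scope'

# Read /proc/self/cgroup lines on stdin. Print "<controller> root" when the
# process is in that hierarchy's root cgroup, or "<controller> nonroot <path>"
# otherwise. The cgroup v2 line (empty controller field) is skipped.
classify_cgroups() {
    while IFS=: read -r _id ctrl path; do
        [ -z "$ctrl" ] && continue
        if [ "$path" = "/" ]; then
            printf '%s root\n' "$ctrl"
        else
            printf '%s nonroot %s\n' "$ctrl" "$path"
        fi
    done
}

# Number of v1 controllers in which the process still sits in the root cgroup.
count_root_controllers() {
    classify_cgroups | grep -c ' root$' || true
}

# Being outside the root cgroup is necessary but not sufficient: /user.slice
# is created and owned by systemd, not by the user. So check the directory.
# $1 = cgroup mount root; stdin = /proc/self/cgroup lines.
# Prints "<controller> writable|not-writable <dir>" per v1 controller.
report_writable() {
    root=$1
    while IFS=: read -r _id ctrl path; do
        [ -z "$ctrl" ] && continue
        # "name=systemd" is mounted as .../systemd, so drop the "name=" prefix.
        dir="$root/${ctrl#name=}$path"
        if [ -w "$dir" ]; then
            printf '%s writable %s\n' "$ctrl" "$dir"
        else
            printf '%s not-writable %s\n' "$ctrl" "$dir"
        fi
    done
}

# Demo on the sample: 8 of the 11 controllers leave the session in the root cgroup.
printf '%s\n' "$SAMPLE_CGROUP" | classify_cgroups
echo "controllers in root cgroup: $(printf '%s\n' "$SAMPLE_CGROUP" | count_root_controllers)"

# Live check for the current login session (only meaningful on a Linux host).
if [ -r /proc/self/cgroup ]; then
    report_writable /sys/fs/cgroup < /proc/self/cgroup
fi
```

Run it from the same login session you start the container from: every controller lxc needs should come back `writable` once pam_cgfs (or an equivalent mechanism) has placed the session into a user-owned cgroup; a `root` or `not-writable` line for a required controller is the condition brauner describes.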
Issue description
After an lxc-create using the download template, Fedora 27 can't start a new unprivileged container.
Steps to reproduce
```
lxc-create -t download -n container-ubuntu-xenial -- -d ubuntu -r xenial -a amd64
lxc-start -n container-ubuntu-xenial -l TRACE -F
```
This is returned:
Information to attach
dmesg shows nothing.
Container configs:
```
$ cat ~/.config/lxc/default.conf
lxc.include = /etc/lxc/default.conf
lxc.idmap = u 0 165536 65536
lxc.idmap = g 0 165536 65536

$ cat /etc/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = virbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
```
Note: the Fedora wiki instructs users to set the link to virbr0 instead of lxcbr0, and to start libvirtd and lxc.service.
If lxc-start is executed by root, this is returned:
```
Executing '/sbin/init' with no configuration file may crash the host
```