New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to start an unprivileged container on fresh install of Fedora 31 #3221
Comments
I observed the same phenomenon with Ubuntu 19.10 booted with
When I started a container with @brauner @stgraber Could you consider to update the user instruction or the program code at the next bug fix release of 3.0 LTS series so that a non-root user following the instruction can start an unprivileged container? |
On December 9, 2019 9:08:55 PM GMT+01:00, emojifreak ***@***.***> wrote:
I observed the same phenomenon with Ubuntu 19.10 booted with
`systemd.unified_cgroup_hierarchy` and
```shell-session
$ dpkg-query -W | grep lxc
liblxc-common 3.0.4-0ubuntu1
liblxc1 3.0.4-0ubuntu1
lxc-utils 3.0.4-0ubuntu1
lxcfs 3.0.4-2
```
When I started a container with `systemd-run --user --scope -p
"Delegate=yes" lxc-start` then the error reported in this issue
disappeared and I could start `/bin/bash` by `lxc.init.cmd = /bin/bash`
in the config file.
@brauner @stgraber Could you consider to update the user instruction or
the program code at the next bug fix release of 3.0 LTS series so that
a non-root user following the instruction can start an unprivileged
container?
Sure, but also, I've backported all the cgroup2 improvements from the master branch to the stable-3.0 branch. So on the next stable bugfix release the experience should be way better.
|
@brauner Thank you very much for your quick response! Are you going to tell users to use Unless user-writable cgroupv2 directory is provided, lxc completely fails to function even with the newest github master branch and user experience is probably the same. The LXC user instruction should allow a non-root user to at least start a container, even with no CGroup V2 controllers enabled. |
On Mon, Dec 09, 2019 at 01:29:33PM -0800, emojifreak wrote:
@brauner Thank you very much for your quick response! Are you going to tell users to use `systemctl / systemd-run --user` or to use another mechanism? I am just asking from my curiosity and I don't have an opinion about that.
I think I'd point that that LXC expects to be placed into a delegated
cgroup and will assume complete ownership of it. Then go on to point out
that systemctl and systemd-run --user are ways to achieve that and give
an example. If you want you can also send a patch for this.
|
Thank you for your reply.
https://linuxcontainers.org/lxc/getting-started/ seems the most popular and the most authoritative instruction on how to prepare and start an unprivileged LXC container by a non-root user. Because googling On the other hand, the LXC github does not seem to have a definitive instruction on how a system administrator and non-root users should prepare and start an unprivileged LXC container used by non-root users. So, to which file did you mean by a patch? Is it https://github.com/lxc/lxc/blob/master/doc/pam_cgfs.sgml.in ? |
Hi @brauner, @emojifreak, @brauner, good to hear you've already backported a few fixes to address this. What's your release candence like? It'd be a huge help if we could get that bugfix release before the holidays. @emojifreak, https://linuxcontainers.org/lxc/getting-started/ is exactly the page that lead us astray. Given it's popularity (it's the top Google result, it's linked to from almost everywhere in StackOverflow, etc.), it was our understanding that this was the actual, official guide maintained by LXC. Its GitHub repo (https://github.com/lxc/linuxcontainers.org) seems to confirm that as it has many of the same contributors as this repo. @brauner, was our understanding correct? Regardless, we'd also be happy to assisst with updating the guide so that it's no longer incorrect/doesn't mislead readers. |
I am unsure if I am qualified to make a pull request to the document. But it seems that
For a host Linux with systemd.unified_cgroup_hierarchy (e.g. Fedora 31), |
@brauner, pinging you again on this - do you plan to push out a release incorporating these bugfixes soon?
@emojifreak, awesome, thanks for the suggested invocation method. |
Yeah, once we've stabilized for sure. Pre-holidays there's always a lot going on at the same time so my response times varies, sorry about that. @stgraber might have a date for the next LTS-bugfix release in mind. |
I hope https://github.com/lxc/linuxcontainers.org/blob/master/content/lxc/getting-started.md will also be properly updated before the 3.0.5 release, otherwise Fedora 31 users continue to suffer from being unable to start an unprivileged container by non-root users, reading and following "Getting started" in the same way as @toddhpoole ... |
@brauner, understood - thanks for the added clarity. We're in a similar boat re: the pre-holiday hustle and are trying wrap up a few things before the holidays (this being one of them). @stgraber, do you have any insight on the next bugfix release? Every project's release process is different, but we'd be happy to contribute man-hours if it'd help move the needle. |
Hi @stgraber, Quick ping on the above. Any guidance on when the next LXC release will occur? 3.0.4 was published 6 months ago and there's been a lot of useful fixes and cgroup-releated changes merged since then. In terms of timing, Fedora 32 expects to branch from Rawhide in a few weeks. Do you think you'll be able to release before early February? |
We're about to release LXC 4.0 at the end of this week! |
Hi @brauner, Glad to finally get some clarity here. 9 months is a long time for a project like LXC to go with no clear communication regarding a roadmap or release schedule. @stgraber, if either of these resources exist and I missed them, it might be worth ensuring they're visible on the project's website. Two quick questions about your planned 4.0 release:
|
Well, I've just been playing around with things a little - while moving back to lxc from lxd again for my private stuff, thanks to snap - and found that there's two very different things to consider: cgroup v2 integration and systemd (for cgroup v2) integration. And the complaints I came across during testing mostly concerned the latter. More precisely, if you happened to read through https://systemd.io/CGROUP_DELEGATION/ you'd understand why systemd units need to be "delegated" and (some) lxc commands be launched through systemd-run if you're an unprivileged user. That's just because "no procs in inner nodes" and systemd trying to lay its greedy, greasy claws onto the entire tree, grabbing as much as it can (how often they repeat how much was "off limits" to you is actually pretty amusing - you come under the impression that you're trying to steal their chocolate from them). Anyway, with the Arch recommendations (https://wiki.archlinux.org/index.php/Cgroups#Switching_to_cgroups_v2) my containers seem to run quite smoothly under an unprivileged user, too, on Ubuntu Focal. So, again, it's not cgroup v2 that seems to be the problem. Edit: Just for clarification, the relevant part is "systemctl edit user@1000.service" to enable delegation on the user's service. Then run lxc-start like "systemd-run --user --scope lxc-start" to put it into a transient scope beneath (!) your user service, where it has write access thanks to delegation. And, for example, attach like "systemd-run --user -t lxc-attach" to do the same, only this time with a transient service that retains a terminal for you to use. Edit # 2: Fact is, when reading through the systemd document, you do recognize (some of) the lxc cgroup v2 integration proper that has been done. Like the split into "-monitor" and "-payload" trees, to comply with the v2 "procs only in leaves" paradigm. See point 1 under "Some Dos." Edit # 3: To close, all this works under Bionic, too, except systemd 237 doesn't play along and forces you to do what Poettering&affiliates so vehemently argue against, mess with the user slice: systemd/systemd#3388 (comment) |
Hi, Wrapping lxc-start in a systemd-run call looks like a big regression in term of user experience. I added an alias to my shell to workaround this. Is there a way for lxc to manage this ? $ grep lxc-start ~/.bashrc
alias lxc-start='systemd-run --user --remain-after-exit --property Delegate=yes lxc-start' |
On Wed, Apr 14, 2021 at 01:14:35AM -0700, Étienne BERSAC wrote:
Hi,
Wrapping lxc-start in a systemd-run call looks like a big regression in term of user experience. I added an alias to my shell to workaround this. Is there a way for lxc to manage this ?
Yeah, it's certainly annoying. I'm not sure if we could either move this
into the lxc-* binaries for now to make this work as a short-term
solution and ultimately find a way to interact with systemd directly.
The problem I have with this is that the APIs they currently provide are
a bit too convoluted. I essentially would like to have a simple single
sd-bus call:
int gimme_a_delegated_cgroup_fd()
and be done with it. That's what we need. No complicated connecting to
the bus first and stuff like that.
Christian
|
I'm just commenting, from more of a user viewpoint, to add that I absolutely agree that having to use The amount of old/outdated info out there concerning lxc doesn't help either. Even Debian's own wiki page for LXC gives outdated info: https://wiki.debian.org/LXC#Unprivileged_container |
Required information
lxc-start --version
lxc-checkconfig
uname -a
cat /proc/self/cgroup
cat /proc/1/mounts
Issue description
After a fresh install of Fedora 31 and LXC, and after creating the
~/.config/lxc
directories and~/.config/lxc/default.conf
configuration file per the LXC Getting Started Guide, we're unable to start a newly-created container.Steps to reproduce
lxc-create
as an unprivileged user on a fresh install:Information to attach
dmesg
)Not applicable. No kernel logs generated.
lxc-start -n <c> -l <log> -o DEBUG
)Attached output.log.
Attached config.txt.
The text was updated successfully, but these errors were encountered: