
#1 2017-01-09 14:00:26

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Error creating unprivileged container [SOLVED]

I'd like to use unprivileged containers on my x86_64 box, following Stéphane's blog post:

1) I compiled user namespaces into my kernel (CONFIG_USER_NS=y).
2) Added the following lines to /etc/lxc/default.conf

lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

3) I set up /etc/subgid and /etc/subuid to contain the matching line, although my preference is to continue calling systemd to run the container as root.

cat /etc/subgid /etc/subuid
facade:100000:65536
facade:100000:65536

However, I get errors when trying to create using either the -t download option or the on-file-system template:

# lxc-create -n sandbox -t /usr/share/lxc/templates/lxc-archlinux
newuidmap: uid range [0-65536) -> [100000-165536) not allowed
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: create_run_template: 1290 container creation template for sandbox failed
lxc-create: tools/lxc_create.c: main: 318 Error creating container sandbox

I googled the error but didn't find a solution. Do I need to modify the template?

Last edited by graysky (2017-01-09 14:39:10)



#2 2017-01-09 14:39:14

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Re: Error creating unprivileged container [SOLVED]

Needed to add the root user to /etc/sub{gid,uid} and use the -t download template.

# lxc-create -n sandbox -t download
Setting up the GPG keyring
Downloading the image index

---
DIST	RELEASE	ARCH	VARIANT	BUILD
---
alpine	3.1	amd64	default	20170108_17:50
alpine	3.1	armhf	default	20161230_08:09
alpine	3.1	i386	default	20170108_17:50
alpine	3.2	amd64	default	20170108_17:50
alpine	3.2	armhf	default	20161230_08:09
alpine	3.2	i386	default	20170108_20:22
alpine	3.3	amd64	default	20170108_17:50
alpine	3.3	armhf	default	20170103_17:50
alpine	3.3	i386	default	20170108_19:01
alpine	3.4	amd64	default	20170108_17:50
alpine	3.4	armhf	default	20161221_17:50
alpine	3.4	i386	default	20170108_19:01
alpine	edge	amd64	default	20170108_17:50
alpine	edge	armhf	default	20161230_08:09
alpine	edge	i386	default	20170108_17:50
archlinux	current	amd64	default	20170109_01:27
archlinux	current	i386	default	20170109_01:27
centos	6	amd64	default	20170109_02:16
centos	6	i386	default	20170109_02:16
centos	7	amd64	default	20170109_02:16
debian	jessie	amd64	default	20170108_22:42
debian	jessie	arm64	default	20170108_22:42
debian	jessie	armel	default	20170108_22:42
debian	jessie	armhf	default	20170108_22:42
debian	jessie	i386	default	20170108_22:42
debian	jessie	powerpc	default	20170108_22:42
debian	jessie	ppc64el	default	20170108_22:42
debian	jessie	s390x	default	20170108_22:42
debian	sid	amd64	default	20170108_22:42
debian	sid	arm64	default	20170108_22:42
debian	sid	armel	default	20170108_22:42
debian	sid	armhf	default	20170108_22:42
debian	sid	i386	default	20170108_22:42
debian	sid	powerpc	default	20170108_22:42
debian	sid	ppc64el	default	20170108_22:42
debian	sid	s390x	default	20170108_22:42
debian	stretch	amd64	default	20170108_22:42
debian	stretch	arm64	default	20170108_22:42
debian	stretch	armel	default	20170108_22:42
debian	stretch	armhf	default	20170108_22:42
debian	stretch	i386	default	20170108_22:42
debian	stretch	powerpc	default	20161104_22:42
debian	stretch	ppc64el	default	20170108_22:42
debian	stretch	s390x	default	20170108_22:42
debian	wheezy	amd64	default	20170108_22:42
debian	wheezy	armel	default	20170108_22:42
debian	wheezy	armhf	default	20170108_22:42
debian	wheezy	i386	default	20170108_22:42
debian	wheezy	powerpc	default	20170108_22:42
debian	wheezy	s390x	default	20170108_22:42
fedora	22	amd64	default	20170109_01:27
fedora	22	i386	default	20170109_01:27
fedora	23	amd64	default	20170109_01:27
fedora	23	i386	default	20170109_01:53
fedora	24	amd64	default	20170109_01:27
fedora	24	i386	default	20170109_01:53
gentoo	current	amd64	default	20170108_14:12
gentoo	current	i386	default	20170108_14:12
opensuse	13.2	amd64	default	20170109_00:53
oracle	6	amd64	default	20170109_11:40
oracle	6	i386	default	20170109_11:40
oracle	7	amd64	default	20170109_11:40
plamo	5.x	amd64	default	20170108_21:36
plamo	5.x	i386	default	20170108_21:36
plamo	6.x	amd64	default	20170108_21:36
plamo	6.x	i386	default	20170108_21:36
ubuntu	precise	amd64	default	20170109_03:49
ubuntu	precise	armel	default	20170108_03:49
ubuntu	precise	armhf	default	20170108_03:49
ubuntu	precise	i386	default	20170109_03:49
ubuntu	precise	powerpc	default	20170108_03:49
ubuntu	trusty	amd64	default	20170109_03:49
ubuntu	trusty	arm64	default	20170108_03:49
ubuntu	trusty	armhf	default	20170108_03:49
ubuntu	trusty	i386	default	20170109_03:49
ubuntu	trusty	powerpc	default	20170108_03:49
ubuntu	trusty	ppc64el	default	20170108_03:49
ubuntu	xenial	amd64	default	20170109_03:49
ubuntu	xenial	arm64	default	20170108_03:49
ubuntu	xenial	armhf	default	20170108_03:49
ubuntu	xenial	i386	default	20170108_03:49
ubuntu	xenial	powerpc	default	20170108_03:49
ubuntu	xenial	ppc64el	default	20170108_03:49
ubuntu	xenial	s390x	default	20170108_03:49
ubuntu	yakkety	amd64	default	20170108_03:49
ubuntu	yakkety	arm64	default	20170108_03:49
ubuntu	yakkety	armhf	default	20170108_03:49
ubuntu	yakkety	i386	default	20170109_03:49
ubuntu	yakkety	powerpc	default	20170108_03:49
ubuntu	yakkety	ppc64el	default	20170108_03:49
ubuntu	yakkety	s390x	default	20170108_03:49
ubuntu	zesty	amd64	default	20170109_03:49
ubuntu	zesty	arm64	default	20170109_03:49
ubuntu	zesty	armhf	default	20170108_03:49
ubuntu	zesty	i386	default	20170109_03:49
ubuntu	zesty	powerpc	default	20170108_03:49
ubuntu	zesty	ppc64el	default	20170108_03:49
ubuntu	zesty	s390x	default	20170108_03:49
---

Distribution: archlinux
Release: current
Architecture: amd64

Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an ArchLinux container (release=current, arch=amd64, variant=default)


For security reason, container images ship without user accounts
and without a root password.

Use lxc-attach or chroot directly into the rootfs to set a root password
or create user accounts.

Will update the wiki at some point.

Last edited by graysky (2017-01-09 15:07:27)


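To show why the mapping in the first post fails when lxc-create runs as root, and why it passes once root gets its own /etc/sub{uid,gid} entry, here is an added Python check (not from the thread or from LXC itself) that reproduces the rule newuidmap/newgidmap apply: the host-side range of every lxc.id_map line must fit entirely inside one of the calling user's subordinate ranges. The /etc/subuid, /etc/subgid and default.conf contents are constructed samples mirroring the thread.

```python
import re

# Constructed sample files: only "facade" has a subordinate range, so a
# mapping requested by root (the first post's situation) must be refused.
SUBUID = "facade:100000:65536\n"
SUBGID = "facade:100000:65536\n"
DEFAULT_CONF = "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n"

ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_sub(text):
    """Parse subuid/subgid lines (user:start:count) into {user: [(start, count)]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def parse_id_map(text):
    """Return (kind, container_start, host_start, count) per lxc.id_map line."""
    maps = []
    for line in text.splitlines():
        m = ID_MAP_RE.match(line)
        if m:
            kind, cstart, hstart, count = m.groups()
            maps.append((kind, int(cstart), int(hstart), int(count)))
    return maps


def allowed(user, host_start, count, ranges):
    """True if [host_start, host_start+count) lies inside one of user's ranges."""
    return any(start <= host_start and host_start + count <= start + n
               for start, n in ranges.get(user, []))


def check(user, conf=DEFAULT_CONF, subuid=SUBUID, subgid=SUBGID):
    """List the mappings newuidmap/newgidmap would refuse for `user`; empty if OK."""
    subs = {"u": parse_sub(subuid), "g": parse_sub(subgid)}
    name = {"u": "uid", "g": "gid"}
    problems = []
    for kind, cstart, hstart, count in parse_id_map(conf):
        if not allowed(user, hstart, count, subs[kind]):
            problems.append("%s range [%d-%d) -> [%d-%d) not allowed for %s" % (
                name[kind], cstart, cstart + count, hstart, hstart + count, user))
    return problems


if __name__ == "__main__":
    for u in ("root", "facade"):
        print(u, check(u) or "ok")
```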
