
#1 2017-01-10 22:45:06

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

...is anyone successfully running unprivileged containers on Arch?

I have been trying to do so but am running into systemd-related snags. Just wondering if other Archers have encountered these and fixed them?

I set up /etc/subuid and /etc/subgid and modified /etc/lxc/default.conf to add the needed uid/gids:

% grep root /etc/sub*
/etc/subgid:root:100000:65536
/etc/subuid:root:100000:65536
% cat /etc/lxc/default.conf 
lxc.network.type = empty
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

I then created an lxc via:

# lxc-create -t download -n nw

I pulled down the archlinux current amd64 image.

This is my config:

#Distribution configuration
lxc.include = /usr/share/lxc/config/archlinux.common.conf
lxc.include = /usr/share/lxc/config/archlinux.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /var/lib/lxc/nw/rootfs
lxc.rootfs.backend = dir
lxc.utsname = nw

# Network configuration
lxc.network.type = empty

The problem is when I start the container, I see numerous errors relating to systemd and I am not sure what is missing from my config.

# lxc-start -n nw -F

systemd 232 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to Arch Linux!

Set hostname to <nw>.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to install release agent, ignoring: No such file or directory
[  OK  ] Listening on Journal Socket.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Device-mapper event daemon FIFOs.
user.slice: Failed to reset devices.list: Operation not permitted
user.slice: Failed to set invocation ID on control group /user.slice, ignoring: Operation not permitted
[  OK  ] Created slice User and Session Slice.
[  OK  ] Listening on Network Service Netlink Socket.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Reached target Encrypted Volumes.
[  OK  ] Reached target Paths.
system.slice: Failed to reset devices.list: Operation not permitted
system.slice: Failed to set invocation ID on control group /system.slice, ignoring: Operation not permitted
[  OK  ] Created slice System Slice.
dev-mqueue.mount: Failed to reset devices.list: Operation not permitted
dev-mqueue.mount: Failed to set invocation ID on control group /system.slice/dev-mqueue.mount, ignoring: Operation not permitted
Mounting POSIX Message Queue File System...
systemd-journald.service: Failed to reset devices.list: Operation not permitted
systemd-journald.service: Failed to set invocation ID on control group /system.slice/systemd-journald.service, ignoring: Operation not permitted
Starting Journal Service...
systemd-remount-fs.service: Failed to reset devices.list: Operation not permitted
systemd-remount-fs.service: Failed to set invocation ID on control group /system.slice/systemd-remount-fs.service, ignoring: Operation not permitted
Starting Remount Root and Kernel File Systems...
[  OK  ] Reached target Slices.
systemd-sysctl.service: Failed to reset devices.list: Operation not permitted
systemd-sysctl.service: Failed to set invocation ID on control group /system.slice/systemd-sysctl.service, ignoring: Operation not permitted
Starting Apply Kernel Variables...
system-container\x2dgetty.slice: Failed to reset devices.list: Operation not permitted
system-container\x2dgetty.slice: Failed to set invocation ID on control group /system.slice/system-container\x2dgetty.slice, ignoring: Operation not permitted
[  OK  ] Created slice system-container\x2dgetty.slice.
system-getty.slice: Failed to reset devices.list: Operation not permitted
system-getty.slice: Failed to set invocation ID on control group /system.slice/system-getty.slice, ignoring: Operation not permitted
[  OK  ] Created slice system-getty.slice.
[  OK  ] Reached target Swap.
tmp.mount: Failed to reset devices.list: Operation not permitted
tmp.mount: Failed to set invocation ID on control group /system.slice/tmp.mount, ignoring: Operation not permitted
Mounting Temporary Directory...
[  OK  ] Listening on LVM2 metadata daemon socket.
dev-random.mount: Failed to reset devices.list: Operation not permitted
dev-tty1.mount: Failed to reset devices.list: Operation not permitted
proc-sys-net.mount: Failed to reset devices.list: Operation not permitted
dev-tty.mount: Failed to reset devices.list: Operation not permitted
dev-zero.mount: Failed to reset devices.list: Operation not permitted
dev-full.mount: Failed to reset devices.list: Operation not permitted
dev-tty3.mount: Failed to reset devices.list: Operation not permitted
dev-urandom.mount: Failed to reset devices.list: Operation not permitted
dev-tty2.mount: Failed to reset devices.list: Operation not permitted
proc-sysrq\x2dtrigger.mount: Failed to reset devices.list: Operation not permitted
-.mount: Failed to reset devices.list: Operation not permitted
sys-devices-virtual-net.mount: Failed to reset devices.list: Operation not permitted
dev-tty4.mount: Failed to reset devices.list: Operation not permitted
dev-null.mount: Failed to reset devices.list: Operation not permitted
sys-fs-fuse-connections.mount: Failed to reset devices.list: Operation not permitted
dev-tty5.mount: Failed to reset devices.list: Operation not permitted
dev-tty6.mount: Failed to reset devices.list: Operation not permitted
init.scope: Failed to reset devices.list: Operation not permitted
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Mounted Temporary Directory.
[  OK  ] Started Remount Root and Kernel File Systems.
[  OK  ] Started Apply Kernel Variables.
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Reached target Local File Systems.
[  OK  ] Started Journal Service.
Starting Flush Journal to Persistent Storage...
[  OK  ] Started Flush Journal to Persistent Storage.
Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
[  OK  ] Started D-Bus System Message Bus.
Starting Network Service...
Starting Login Service...
[  OK  ] Started Daily rotation of log files.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Started Daily verification of password and group files.
[  OK  ] Started Daily man-db cache update.
[  OK  ] Reached target Timers.
[  OK  ] Started Login Service.
[  OK  ] Started Network Service.
[  OK  ] Reached target Network.
Starting Permit User Sessions...
Starting Network Name Resolution...
[  OK  ] Started Permit User Sessions.
[  OK  ] Started Console Getty.
[  OK  ] Started Getty on lxc/tty6.
[  OK  ] Started Container Getty on /dev/pts/2.
[  OK  ] Started Getty on lxc/tty2.
[  OK  ] Started Getty on lxc/tty5.
[  OK  ] Started Container Getty on /dev/pts/1.
[  OK  ] Started Container Getty on /dev/pts/5.
[  OK  ] Started Container Getty on /dev/pts/3.
[  OK  ] Started Getty on lxc/tty4.
[  OK  ] Started Getty on lxc/tty1.
[  OK  ] Started Getty on lxc/tty3.
[  OK  ] Started Container Getty on /dev/pts/0.
[  OK  ] Started Container Getty on /dev/pts/4.
[  OK  ] Reached target Login Prompts.
[  OK  ] Started Network Name Resolution.
[  OK  ] Reached target Multi-User System.

Arch Linux 4.9.2-2-custom (console)

nw login:


#2 2018-06-26 20:26:58

pa314159
Member
From: Amsterdam, Netherlands
Registered: 2018-06-26
Posts: 3

Re: ...is anyone successfully running unprivileged containers on Arch?

Create a file /etc/lxc/unpriv.seccomp with the following content

2
blacklist
[all]
keyctl errno 38

... then add the following line at the end of your config file

lxc.seccomp.profile = /etc/lxc/unpriv.seccomp

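A consistency check for the setup described in post #1 (subuid/subgid allocations against lxc.id_map) that also flags a config missing the seccomp line from post #2. This is an added example, not code from the thread or from LXC; the sample files are constructed to mirror the thread, and accepting the newer lxc.idmap / older lxc.seccomp spellings is an assumption about other LXC versions.

```python
"""Check an unprivileged LXC config against /etc/subuid and /etc/subgid.
Hypothetical helper, not part of LXC; all inputs below are constructed."""
import re

ID_MAP_RE = re.compile(r"^\s*lxc\.id_?map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
SECCOMP_RE = re.compile(r"^\s*lxc\.seccomp(?:\.profile)?\s*=\s*\S", re.M)

# Constructed samples mirroring the thread: root owns host ids 100000..165535.
SUBUID = "root:100000:65536\n"
SUBGID = "root:100000:65536\n"
CONFIG = """\
lxc.include = /usr/share/lxc/config/archlinux.userns.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /var/lib/lxc/nw/rootfs
lxc.network.type = empty
"""

def parse_subid(text):
    """Parse 'user:start:count' lines into {user: [(start, count), ...]}."""
    alloc = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, start, count = line.split(":")
            alloc.setdefault(user, []).append((int(start), int(count)))
    return alloc

def parse_id_maps(config_text):
    """Return [(kind, container_id, host_id, range)] for every id_map line."""
    return [(m[1], int(m[2]), int(m[3]), int(m[4]))
            for m in map(ID_MAP_RE.match, config_text.splitlines()) if m]

def check_config(config_text, subuid_text, subgid_text, owner):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    allocs = {"u": parse_subid(subuid_text), "g": parse_subid(subgid_text)}
    maps = parse_id_maps(config_text)
    for kind, label in (("u", "uid"), ("g", "gid")):
        if not any(m[0] == kind for m in maps):
            problems.append(f"no {label} mapping (lxc.id_map = {kind} ...)")
    for kind, cid, hid, rng in maps:
        # The host range must lie inside one allocation owned by whoever starts the container.
        inside = any(start <= hid and hid + rng <= start + count
                     for start, count in allocs[kind].get(owner, []))
        if not inside:
            problems.append(f"{kind}id range {hid}-{hid + rng - 1} is not allocated to {owner}")
    if not SECCOMP_RE.search(config_text):
        problems.append("no lxc.seccomp.profile set")
    return problems
```

Run `check_config(CONFIG, SUBUID, SUBGID, "root")` to see the one gap in the thread's original config; appending the post #2 seccomp line clears it.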

#3 2018-06-26 20:40:37

progandy
Member
Registered: 2012-05-17
Posts: 5,196

Re: ...is anyone successfully running unprivileged containers on Arch?

pa314159, I think that belongs in the wiki if you have tested it and it works.
https://wiki.archlinux.org/index.php/Linux_Containers


#4 2018-06-28 09:53:49

pa314159
Member
From: Amsterdam, Netherlands
Registered: 2018-06-26
Posts: 3

Re: ...is anyone successfully running unprivileged containers on Arch?


#5 2018-07-01 20:15:05

a_manthey
Member
Registered: 2017-08-21
Posts: 35

Re: ...is anyone successfully running unprivileged containers on Arch?

This post comes from falkon-browser running in an unprivileged lxc-container. Chromium-browser and mediathekview are running in unprivileged containers too.
Since this post I had to solve several issues (network-connection, iptables and sound).
I run the containers as non-root user. If you are interested, I can provide my installation steps and configuration.
