I'd like to use unprivileged containers on my x86_64 box, following Stéphane's blog post:
1) I compiled user namespaces into my kernel (CONFIG_USER_NS=y).
2) Added the following lines to /etc/lxc/default.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
3) I set up /etc/subgid and /etc/subuid to contain the matching line, although my preference is to continue calling systemd to run the container as root.
cat /etc/subgid /etc/subuid
facade:100000:65536
facade:100000:65536
However, I get errors when trying to create using either the -t download option or the on-file-system template:
# lxc-create -n sandbox -t /usr/share/lxc/templates/lxc-archlinux
newuidmap: uid range [0-65536) -> [100000-165536) not allowed
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: create_run_template: 1290 container creation template for sandbox failed
lxc-create: tools/lxc_create.c: main: 318 Error creating container sandbox
I googled the error but didn't find a solution. Do I need to modify the template?
Last edited by graysky (2017-01-09 14:39:10)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Needed to add the root user to /etc/sub{gid,uid} and use the -t download template.
# lxc-create -n sandbox -t download
Setting up the GPG keyring
Downloading the image index
---
DIST RELEASE ARCH VARIANT BUILD
---
alpine 3.1 amd64 default 20170108_17:50
alpine 3.1 armhf default 20161230_08:09
alpine 3.1 i386 default 20170108_17:50
alpine 3.2 amd64 default 20170108_17:50
alpine 3.2 armhf default 20161230_08:09
alpine 3.2 i386 default 20170108_20:22
alpine 3.3 amd64 default 20170108_17:50
alpine 3.3 armhf default 20170103_17:50
alpine 3.3 i386 default 20170108_19:01
alpine 3.4 amd64 default 20170108_17:50
alpine 3.4 armhf default 20161221_17:50
alpine 3.4 i386 default 20170108_19:01
alpine edge amd64 default 20170108_17:50
alpine edge armhf default 20161230_08:09
alpine edge i386 default 20170108_17:50
archlinux current amd64 default 20170109_01:27
archlinux current i386 default 20170109_01:27
centos 6 amd64 default 20170109_02:16
centos 6 i386 default 20170109_02:16
centos 7 amd64 default 20170109_02:16
debian jessie amd64 default 20170108_22:42
debian jessie arm64 default 20170108_22:42
debian jessie armel default 20170108_22:42
debian jessie armhf default 20170108_22:42
debian jessie i386 default 20170108_22:42
debian jessie powerpc default 20170108_22:42
debian jessie ppc64el default 20170108_22:42
debian jessie s390x default 20170108_22:42
debian sid amd64 default 20170108_22:42
debian sid arm64 default 20170108_22:42
debian sid armel default 20170108_22:42
debian sid armhf default 20170108_22:42
debian sid i386 default 20170108_22:42
debian sid powerpc default 20170108_22:42
debian sid ppc64el default 20170108_22:42
debian sid s390x default 20170108_22:42
debian stretch amd64 default 20170108_22:42
debian stretch arm64 default 20170108_22:42
debian stretch armel default 20170108_22:42
debian stretch armhf default 20170108_22:42
debian stretch i386 default 20170108_22:42
debian stretch powerpc default 20161104_22:42
debian stretch ppc64el default 20170108_22:42
debian stretch s390x default 20170108_22:42
debian wheezy amd64 default 20170108_22:42
debian wheezy armel default 20170108_22:42
debian wheezy armhf default 20170108_22:42
debian wheezy i386 default 20170108_22:42
debian wheezy powerpc default 20170108_22:42
debian wheezy s390x default 20170108_22:42
fedora 22 amd64 default 20170109_01:27
fedora 22 i386 default 20170109_01:27
fedora 23 amd64 default 20170109_01:27
fedora 23 i386 default 20170109_01:53
fedora 24 amd64 default 20170109_01:27
fedora 24 i386 default 20170109_01:53
gentoo current amd64 default 20170108_14:12
gentoo current i386 default 20170108_14:12
opensuse 13.2 amd64 default 20170109_00:53
oracle 6 amd64 default 20170109_11:40
oracle 6 i386 default 20170109_11:40
oracle 7 amd64 default 20170109_11:40
plamo 5.x amd64 default 20170108_21:36
plamo 5.x i386 default 20170108_21:36
plamo 6.x amd64 default 20170108_21:36
plamo 6.x i386 default 20170108_21:36
ubuntu precise amd64 default 20170109_03:49
ubuntu precise armel default 20170108_03:49
ubuntu precise armhf default 20170108_03:49
ubuntu precise i386 default 20170109_03:49
ubuntu precise powerpc default 20170108_03:49
ubuntu trusty amd64 default 20170109_03:49
ubuntu trusty arm64 default 20170108_03:49
ubuntu trusty armhf default 20170108_03:49
ubuntu trusty i386 default 20170109_03:49
ubuntu trusty powerpc default 20170108_03:49
ubuntu trusty ppc64el default 20170108_03:49
ubuntu xenial amd64 default 20170109_03:49
ubuntu xenial arm64 default 20170108_03:49
ubuntu xenial armhf default 20170108_03:49
ubuntu xenial i386 default 20170108_03:49
ubuntu xenial powerpc default 20170108_03:49
ubuntu xenial ppc64el default 20170108_03:49
ubuntu xenial s390x default 20170108_03:49
ubuntu yakkety amd64 default 20170108_03:49
ubuntu yakkety arm64 default 20170108_03:49
ubuntu yakkety armhf default 20170108_03:49
ubuntu yakkety i386 default 20170109_03:49
ubuntu yakkety powerpc default 20170108_03:49
ubuntu yakkety ppc64el default 20170108_03:49
ubuntu yakkety s390x default 20170108_03:49
ubuntu zesty amd64 default 20170109_03:49
ubuntu zesty arm64 default 20170109_03:49
ubuntu zesty armhf default 20170108_03:49
ubuntu zesty i386 default 20170109_03:49
ubuntu zesty powerpc default 20170108_03:49
ubuntu zesty ppc64el default 20170108_03:49
ubuntu zesty s390x default 20170108_03:49
---
Distribution: archlinux
Release: current
Architecture: amd64
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs
---
You just created an ArchLinux container (release=current, arch=amd64, variant=default)
For security reason, container images ship without user accounts
and without a root password.
Use lxc-attach or chroot directly into the rootfs to set a root password
or create user accounts.
Will update the wiki at some point.
Last edited by graysky (2017-01-09 15:07:27)
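As an added example (not from the thread or the LXC project): a small Python check that reproduces the rule behind the "newuidmap: uid range ... not allowed" error above. Every lxc.id_map host range must fall inside a subordinate range granted in /etc/subuid or /etc/subgid to the user who actually runs lxc-create (root here, not facade). The inputs are constructed from the config and subuid lines in the thread; the check simplifies newuidmap by requiring a single covering entry.

```python
import re

# Constructed inputs mirroring the thread: two id_map lines, and a subuid/subgid
# file that grants a range to "facade" only (lxc-create was run as root).
SAMPLE_CONFIG = """\
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""
SAMPLE_SUBID = "facade:100000:65536\n"
FIXED_SUBID = "facade:100000:65536\nroot:100000:65536\n"

ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_map(config_text):
    """Return (kind, container_start, host_start, count) for each lxc.id_map line."""
    maps = []
    for line in config_text.splitlines():
        m = ID_MAP_RE.match(line)
        if m:
            kind, cstart, hstart, count = m.groups()
            maps.append((kind, int(cstart), int(hstart), int(count)))
    return maps

def parse_subid(subid_text, user):
    """Return [(start, count), ...] granted to `user` in a /etc/subuid-style file."""
    grants = []
    for line in subid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            grants.append((int(fields[1]), int(fields[2])))
    return grants

def check_maps(config_text, user, subuid_text, subgid_text):
    """Return one message per id_map that `user` may not apply (empty list = all allowed).

    Assumption: a mapped host range must lie inside a single subordinate entry;
    real newuidmap also accepts adjacent entries, which this simplified check ignores.
    """
    grants = {"u": parse_subid(subuid_text, user), "g": parse_subid(subgid_text, user)}
    problems = []
    for kind, cstart, hstart, count in parse_id_map(config_text):
        covered = any(s <= hstart and hstart + count <= s + n for s, n in grants[kind])
        if not covered:
            label = "uid" if kind == "u" else "gid"
            problems.append(f"{label} range [{cstart}-{cstart + count}) -> "
                            f"[{hstart}-{hstart + count}) not allowed for {user}")
    return problems

if __name__ == "__main__":
    for msg in check_maps(SAMPLE_CONFIG, "root", SAMPLE_SUBID, SAMPLE_SUBID):
        print(msg)
```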