Hi all,
I was following LXD wiki page.
In order to run unprivileged containers I installed linux-userns AUR package. And also added:
▶ cat /etc/subuid /etc/subgid
root:1000000:65536
root:1000000:65536
However, I still can't run containers in unprivileged mode:
▶ lxc launch ubuntu:16.04 my-ubuntu
Creating my-ubuntu
error: Failed container creation:
- https://cloud-images.ubuntu.com/releases: LXD doesn't have a uid/gid allocation. In this mode, only privileged containers are supported.
What else do I need to do?
Running containers in privileged mode works as usual.
More info:
▶ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/memory
/sys/fs/cgroup/devices
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/freezer
/sys/fs/cgroup/pids
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/blkio
Cgroup v2 mount points:
/sys/fs/cgroup/unified
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, loaded
FUSE (for use with lxcfs): enabled, loaded
--- Checkpoint/Restore ---
checkpoint restore: missing
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
User namespaces are missing. Is there maybe something related to the linux-userns package that I need to do additionally?
Thanks in advance!
Edit: this was solved, see the end of this thread.
Last edited by daniel1988 (2018-01-11 07:22:06)
@graysky: thanks for the link. That requires a custom kernel (that I wanted to avoid as of today)
I was hoping for (something like linux-userns) that won't require a custom kernel. Did somebody manage to configure it that way?
Otherwise, I will try with custom kernel on a different machine in the coming days.
Any idea why CONFIG_USER_NS is disabled in Arch kernels?
@graysky: thanks for the link. That requires a custom kernel (that I wanted to avoid as of today)
I was hoping for (something like linux-userns) that won't require a custom kernel. Did somebody manage to configure it that way?
Did you reboot into the new kernel? linux-userns is a custom kernel that claims to be arch-default+CONFIG_USER_NS, so if the description is correct it should work. You can check the running kernel with
uname -a
Edit: That only works easily if the kernel config changed CONFIG_LOCALVERSION; otherwise you might be able to use the compile date included in the output, I think.
Did you also change /etc/lxc/default.conf according to the wiki article?
Last edited by progandy (2017-12-12 10:09:48)
▶ cat /etc/lxc/default.conf
lxc.net.0.type = empty
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
▶ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
...
User namespace is still missing.
▶ uname -a
Linux myhostname 4.14.4-1-ARCH #1 SMP PREEMPT Tue Dec 5 19:10:06 UTC 2017 x86_64 GNU/Linux
I think I am not running the custom kernel, since nothing changed here from the defaults (or did it?)
Since there are no new options in the Grub menu, I guess I would need to update it. This is my office workstation; I don't feel comfortable doing those changes on it right now. I'll first play around with my home Arch and only after that do the changes on this workstation.
Thanks everyone for help!
If nothing changed from the defaults, then user namespaces are still disabled at runtime, but support was compiled in at build time...
Also you need the linux 4.14.4-2 kernel at a minimum. Please run `pacman -Syu` and/or reboot.
Last edited by eschwartz (2017-12-15 13:50:22)
If nothing changed from the defaults, then user namespaces are still disabled at runtime, but support was compiled in at build time...
Also you need the linux 4.14.4-2 kernel at a minimum. Please run `pacman -Syu` and/or reboot.
I completely missed this change, since there is no documentation. If I understand it correctly, then since 4.14.4-2 USERNS works the same as in debian. linux-userns is not needed anymore.
https://superuser.com/questions/1094597 … 77#1122977
echo 1 | sudo tee /proc/sys/kernel/unprivileged_userns_clone
Make it permanent with /etc/sysctl.d/00-local-userns.conf:
kernel.unprivileged_userns_clone=1
Though, it may be a better idea to run linux-hardened as the LXD wiki page suggests.
Should be, yes.
Somehow, with the latest kernel
▶ uname -a
Linux helios701 4.14.12-1-ARCH #1 SMP PREEMPT Fri Jan 5 18:19:34 UTC 2018 x86_64 GNU/Linux
it is possible to run unprivileged containers even with:
▶ cat /proc/sys/kernel/unprivileged_userns_clone
0
It's enough to execute only this after install, as suggested by the post-install instructions (of lxd or lxc):
echo "root:1000000:65536" | sudo tee -a /etc/subuid /etc/subgid
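An added example, not code from the thread or from the LXC/LXD projects, that scripts the checks the posts above converge on: a subuid/subgid allocation for the user LXD runs as (the missing piece behind the "doesn't have a uid/gid allocation" error), a sanity check on that allocation, the kernel.unprivileged_userns_clone sysctl from progandy's post, and the matching lxc.idmap lines for /etc/lxc/default.conf. The last post's observation fits how that sysctl works: it only restricts processes without CAP_SYS_ADMIN, and the LXD daemon runs as root, so LXD needs just the subuid/subgid entries, while the sysctl matters for containers started by a non-root user with the lxc-* tools. File paths are parameters so the functions can be run against fixtures; the 65536 thresholds and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXC/LXD.
# Checks the pieces needed for unprivileged containers on Arch:
#   1. an allocation for the user in /etc/subuid and /etc/subgid,
#   2. a sane allocation (above host account ids, large enough for a container),
#   3. whether the kernel lets unprivileged processes create user namespaces.
# File paths are parameters so the functions can be run against fixtures;
# the defaults are the real system paths. The 65536 thresholds are assumptions.

# Print the first "start:count" range for USER in a subuid/subgid-style file.
# Returns 1 when there is no entry, which is the condition LXD reports as
# "doesn't have a uid/gid allocation".
subid_range() {
    _user=$1
    _file=${2:-/etc/subuid}
    _range=$(awk -F: -v u="$_user" '$1 == u { print $2 ":" $3; exit }' "$_file")
    [ -n "$_range" ] || return 1
    printf '%s\n' "$_range"
}

# A range is acceptable if it starts above the ids ordinary host accounts use
# (assumed here to be the first 65536) and is large enough to map a full
# 65536-id container; ids outside the range appear as "nobody" inside it.
subid_range_ok() {
    _start=${1%%:*}
    _count=${1#*:}
    [ "$_start" -ge 65536 ] && [ "$_count" -ge 65536 ]
}

# Whether a non-root process may create user namespaces.
# Arch/Debian kernels expose this as kernel.unprivileged_userns_clone; if that
# knob is absent, the presence of /proc/self/uid_map (only on kernels built
# with CONFIG_USER_NS) is used as the proxy. Root, and so the LXD daemon,
# is not subject to the knob.
userns_unprivileged_ok() {
    _knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    _uid_map=${2:-/proc/self/uid_map}
    if [ -r "$_knob" ]; then
        [ "$(cat "$_knob")" = "1" ]
    else
        [ -r "$_uid_map" ]
    fi
}

# Render the lxc.idmap lines for /etc/lxc/default.conf from a "start:count"
# range, so the file matches what /etc/subuid and /etc/subgid actually grant.
lxc_idmap_lines() {
    _start=${1%%:*}
    _count=${1#*:}
    printf 'lxc.idmap = u 0 %s %s\nlxc.idmap = g 0 %s %s\n' \
        "$_start" "$_count" "$_start" "$_count"
}

# Human-readable report for one user against the real system files.
# Usage: check_userns_setup root
check_userns_setup() {
    _u=${1:-root}
    for _f in /etc/subuid /etc/subgid; do
        if _r=$(subid_range "$_u" "$_f"); then
            if subid_range_ok "$_r"; then
                echo "ok: $_f grants $_u $_r"
            else
                echo "warn: $_f grants $_u $_r (overlaps host ids or too small)"
            fi
        else
            echo "missing: no entry for $_u in $_f"
        fi
    done
    if userns_unprivileged_ok; then
        echo "ok: unprivileged user namespaces allowed"
    else
        echo "note: non-root user namespaces disabled (sysctl 0 or no CONFIG_USER_NS); root-run lxd is unaffected by the sysctl"
    fi
}
```

Source the file and call `check_userns_setup root` (or the user that will run lxc-* tools); `lxc_idmap_lines "$(subid_range alice /etc/subuid)"` prints the lxc.idmap pair for a non-root user's own allocation.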