I'm trying to create unprivileged container, went to
Error: Failed to initialize cgroup driver / PAM unable to open pam_cgfs.so
Downgraded lxc to 3.0.1 as it's suggested in doc https://wiki.archlinux.org/index.php/Linux_Containers but now lxc doesn't even say what's wrong:
> lxc-create -l DEBUG -n test2345 -t download -- --dist archlinux --release current --arch amd64
Error creating container test2345
container log:
> cat /home/user/.local/share/lxc/test2345/test2345.log
lxc-create test2345 20181121173634.835 INFO lxc_confile - confile.c:set_config_idmaps:1666 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-create test2345 20181121173634.835 INFO lxc_confile - confile.c:set_config_idmaps:1666 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-create test2345 20181121173634.835 DEBUG lxc_conf - conf.c:chown_mapped_root:3086 - trying to chown "/home/user/.local/share/lxc/test2345" to 1000
configs:
> cat /etc/subuid
user:100000:65536
> cat /etc/subgid
user:100000:65536
> cat /home/user/.config/lxc/default.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
Tried to compile from sources, but it doesn't help either, still "Failed to initialize cgroup driver"
Offline
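A check for the configuration quoted in the first post, as an added example that is not part of the original thread: it verifies that every lxc.idmap line in an LXC config falls inside a range delegated to the user in /etc/subuid or /etc/subgid. The function names and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that each lxc.idmap entry maps
# only host IDs that /etc/subuid and /etc/subgid actually delegate to the user.

# range_delegated USER FILE HOSTID COUNT
# Succeeds if [HOSTID, HOSTID+COUNT) lies inside one "user:start:count" entry.
range_delegated() {
    awk -F: -v u="$1" -v h="$3" -v c="$4" '
        $1 == u && h + 0 >= $2 + 0 && h + c <= $2 + $3 { ok = 1 }
        END { exit (ok ? 0 : 1) }' "$2"
}

# check_idmaps USER LXC_CONF SUBUID_FILE SUBGID_FILE
# Prints one line per problem; the return status is the number of problems.
check_idmaps() (
    user=$1 conf=$2 subuid=$3 subgid=$4 bad=0
    # Keep only the value part of "lxc.idmap = <u|g> <nsid> <hostid> <range>".
    maps=$(sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$conf")
    [ -n "$maps" ] || { echo "no lxc.idmap entries in $conf"; return 1; }
    while read -r kind nsid hostid count; do
        case $kind in
            u) file=$subuid ;;
            g) file=$subgid ;;
            *) echo "unknown idmap type: $kind"; bad=$((bad + 1)); continue ;;
        esac
        if ! range_delegated "$user" "$file" "$hostid" "$count"; then
            echo "$kind map $hostid+$count not delegated to $user in $file"
            bad=$((bad + 1))
        fi
    done <<EOF
$maps
EOF
    return "$bad"
)

# Constructed sample files mirroring the values quoted in the first post.
demo=$(mktemp -d)
printf 'user:100000:65536\n' > "$demo/subuid"
printf 'user:100000:65536\n' > "$demo/subgid"
printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$demo/default.conf"
check_idmaps user "$demo/default.conf" "$demo/subuid" "$demo/subgid" && echo "idmaps OK"
rm -rf "$demo"
```

On a real system the call would be `check_idmaps "$USER" ~/.config/lxc/default.conf /etc/subuid /etc/subgid`.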
Did you set kernel.unprivileged_userns_clone=1 with sysctl?
Offline
yes
Offline
Hello,
Please, try with
lxc-create --template download --name test1234 -- --keyserver hkp://p80.pool.sks-keyservers.net:80
Note that I set another name.
Originally, you may have a problem with your firewall. Reason why I set --keyserver on port 80.
And when something goes wrong during lxc-create, it seems that the name is definitively unusable even if the container does not appear with lxc-ls.
Offline
I tried with keyserver, doesn't help, still same issue.
I think it's not a problem with a firewall (also I don't have one) because I'm able to create privileged container from root like this
sudo lxc-create -n asdfeqrqw -t download -- --dist archlinux --release current --arch amd64
and it works.
About the name, afaik lxc creates only directory inside ~/.local/share/lxc/ for even failed containers, so it should be enough to delete this directory to use the name again. But I also tried some new names and it doesn't work either, still "Error creating container" without any extra information.
Offline
Look at my log please :
[th@mecanic ~/.local/share/lxc] ls
steam steam2
[th@mecanic ~/.local/share/lxc] lxc-create -l DEBUG -n test2345 -t download -- --dist archlinux --release current --arch amd64
lxc-create: test2345: tools/lxc_create.c: main: 327 Failed to create container test2345
[th@mecanic ~/.local/share/lxc] ls
steam steam2 test2345
[th@mecanic ~/.local/share/lxc] rm -rf test2345
rm: impossible de supprimer 'test2345/test2345.log': Permission non accordée
[th@mecanic ~/.local/share/lxc] sudo rm -rf test2345
[th@mecanic ~/.local/share/lxc] ls
steam steam2
[th@mecanic ~/.local/share/lxc] lxc-create -n test2345 -t download -- --dist archlinux --release current --arch amd64
Using image from local cache
Unpacking the rootfs
---
You just created an ArchLinux container (release=current, arch=amd64, variant=default)
For security reason, container images ship without user accounts
and without a root password.
Use lxc-attach or chroot directly into the rootfs to set a root password
or create user accounts.
Note the difference between the two lxc-create commands. I removed the "-l DEBUG" option.
Last edited by bitmapkid (2018-11-25 15:26:21)
Offline
lol, it works, so stupid.. Thanks, now it creates container but still "Failed to initialize cgroup driver" when trying to start one.
Offline
Yeah I know this problem. I don't know if it is the job of pam_cgfs to do that, but as pam_cgfs is in trouble in this moment, you have manually to do WITH ROOT the following lines :
for d in /sys/fs/cgroup/*
do
f=$(basename $d)
if [ "$f" = "cpuset" ]
then
echo 1 | sudo tee -a $d/cgroup.clone_children >> /dev/null;
elif [ "$f" = "memory" ]
then
echo 1 | sudo tee -a $d/memory.use_hierarchy >> /dev/null;
fi
sudo mkdir -p $d/$USERS
sudo chown -R $USERS $d/$USERS
echo $PPID | tee -a $d/$USERS/tasks >> /dev/null
done
After that, you can connect.
Offline
You have mistakes in file, the correct one is here https://github.com/lxc/lxc/issues/1205 but it also doesn't help, same issue
Offline
but as pam_cgfs is in trouble in this moment,
lxc 3.0.3 is released, now only the arch package has to be updated.
Edit: And you did add pam_cgfs.so to your pam.d/system-login file as described in the wiki? Afterwards you'll have to log out and log in again.
Last edited by progandy (2018-11-25 17:45:38)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Edit: And you did add pam_cgfs.so to your pam.d/system-login file as described in the wiki? Afterwards you'll have to log out and log in again.
Yes, I even tried to reboot after that
lxc 3.0.3 is released, now only the arch package has to be updated.
awesome, I built from sources and now it works. Thanks. I'll be waiting till it's added to the repositories
Offline