Control: severity -1 normal

Hi,

I don't like to make judgemental calls when I try to help our users, but here I'll still make a guess. I guess that you actually did not read carefully README.Debian.gz and therefore did not follow these instructions carefully.

pk <pkor...@gmail.com> writes:

> Thank you for answering. kernel.unprivileged_userns_clone = 1 on my
> machine and on the Live DVD. All instructions of the README.Debian.gz
> were followed.
>
> To rule out machine-specific misconfiguration, this log is from the
> Live DVD, Debian 11.0 AMD64 Standard:
>
> Warning: Permanently added '[localhost]:12346' (ECDSA) to the list of
> known hosts.
> user@localhost's password:
> Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> user@debian:~$ sudo su -l
> root@debian:~# apt-get update ; apt-get install lxc
> [snip]

What's in there apart from apt-get output?

> root@debian:~# sysctl kernel.unprivileged_userns_clone
> kernel.unprivileged_userns_clone = 1
> root@debian:~# grep user /etc/subuid /etc/subgid
> /etc/subuid:user:100000:65536
> /etc/subgid:user:100000:65536
> root@debian:~#
> logout
> user@debian:~$ mkdir -p .local/share/lxc
> user@debian:~$ chmod +x . .local .local/share
> user@debian:~$
> user@debian:~$ cat > test_config
> lxc.idmap = u 0 100000 65536
> lxc.idmap = g 0 100000 65536
> lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
> lxc.apparmor.profile = unconfined

This is not in the README, and you actually don't seem to have created any container yet. Furthermore, your configuration actually doesn't mention any rootfs or block device to pivot on!

Here is what I get doing something like what you pasted here.

.-(0:03:50)-(~)--------------------------------------------------------------------------(peb@xxxxx)-
`--[130]-> lxc-ls -f
NAME                   STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
autopkgtest-lxc-xwkkud STOPPED 0         -      -    -    true
autopkgtest-unstable   STOPPED 0         -      -    -    true

As you see I only have two containers. I'll try to start a container named "blah" which does not exist. I wrote a blah.cfg containing roughly the same config as you, just adapted for my subuids.

.-(0:03:51)-(~)--------------------------------------------------------------------------(peb@xxxxx)-
`---> cat blah.cfg
lxc.idmap = u 0 1214112 65536
lxc.idmap = g 0 1214112 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = unconfined

Here I'll use your command, but note that README.Debian.gz states we have lxc-unpriv-start, which makes things quite a bit more elegant.

-(0:04:40)-(~)--------------------------------------------------------------------------(peb@xxxxx)-
`--[1]-> systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-start -o /dev/stdout -f blah.cfg blah
Running scope as unit: run-r34581cfe965441428e3520ecb8c0bb7b.scope
lxc-start blah 20210901220449.759 ERROR    utils - utils.c:safe_mount:1204 - Permission denied - Failed to mount "proc" onto "/proc"
lxc-start blah 20210901220449.759 ERROR    conf - conf.c:lxc_mount_auto_mounts:681 - Permission denied - Failed to mount "proc" on "/proc" with flags 14
lxc-start blah 20210901220449.759 ERROR    conf - conf.c:lxc_setup:3330 - Failed to setup first automatic mounts
lxc-start blah 20210901220449.759 ERROR    start - start.c:do_start:1218 - Failed to setup container "blah"
lxc-start blah 20210901220449.759 ERROR    sync - sync.c:__sync_wait:36 - An error occurred in another process (expected sequence number 5)
lxc-start blah 20210901220449.759 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:859 - Received container state "ABORTING" instead of "RUNNING"
lxc-start blah 20210901220449.759 ERROR    start - start.c:__lxc_start:1999 - Failed to spawn container "blah"
[and it goes on]

With of course the AppArmor denial in dmesg.

I guess the reason is that lxc, having no rootfs or block device to pivot on, tries to mount proc on "/proc" (maybe because it concatenates $rootfs+"/proc", with $rootfs being "" here?), i.e. on the host's /proc, or anyway on something you don't have a right to mount on.

Of course with a created container and a real config, things are going smoothly.

Considering what I gathered, I would recommend you take the time to actually read the documentation properly and try to follow it. If you fail to have a running container, please do provide a full log of what you did step by step, and which part of README.Debian.gz covered what you did, in your opinion.

With best regards,
-- 
PEB
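As an added example (not code from this thread or from the Debian lxc package), a small pre-flight check for an unprivileged container config that catches the defect diagnosed above, a config with no rootfs, and also verifies that each lxc.idmap host range fits inside the user's /etc/subuid and /etc/subgid slice. The fixture files, the "dir:" rootfs line and the user name are constructed to mirror the report.

```shell
#!/bin/sh
# Added example, not code from the bug thread: pre-flight an unprivileged LXC
# config before lxc-start touches it. It flags the two defects visible in the
# report: no lxc.rootfs.path (LXC then aims its proc mount at the host's /proc
# and AppArmor refuses), and an lxc.idmap host range lying outside the user's
# /etc/subuid or /etc/subgid allocation. The subuid/subgid paths are parameters
# so the check runs on constructed copies. Assumes the spaced layout used in
# the thread: "lxc.idmap = u 0 100000 65536".

# Print one line per lxc.idmap entry whose host range [hstart, hstart+count)
# is not covered by a "<user>:<start>:<count>" line in the matching file.
idmap_violations() {
    cfg=$1 user=$2 subuid=$3 subgid=$4
    grep '^[[:space:]]*lxc\.idmap' "$cfg" |
    while read -r _key _eq kind _cstart hstart count; do
        case $kind in
            u) file=$subuid ;;
            g) file=$subgid ;;
            *) echo "unknown idmap kind '$kind'"; continue ;;
        esac
        awk -F: -v u="$user" -v s="$hstart" -v n="$count" \
            '$1 == u && s >= $2 && s + n <= $2 + $3 { ok = 1 } END { exit !ok }' "$file" ||
            echo "idmap $kind $hstart $count is outside $user's range in $file"
    done
}

# Return 0 when the config names a rootfs and every idmap fits, 1 otherwise.
check_lxc_cfg() {
    status=0
    if ! grep -q '^[[:space:]]*lxc\.rootfs\.path[[:space:]]*=' "$1"; then
        echo "$1: no lxc.rootfs.path; lxc-start would aim its proc mount at the host /proc" >&2
        status=1
    fi
    bad=$(idmap_violations "$1" "$2" "$3" "$4")
    [ -z "$bad" ] || { echo "$bad" >&2; status=1; }
    return $status
}

# Constructed fixtures mirroring the thread: the user's subuid/subgid slice, the
# posted config (no rootfs), a fixed copy with a rootfs, and one whose gid map
# overruns the slice.
DEMO=$(mktemp -d)
printf 'user:100000:65536\n' > "$DEMO/subuid"
cp "$DEMO/subuid" "$DEMO/subgid"
printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\nlxc.mount.auto = proc:mixed sys:ro cgroup:mixed\n' > "$DEMO/posted.cfg"
{ cat "$DEMO/posted.cfg"; printf 'lxc.rootfs.path = dir:%s/rootfs\n' "$DEMO"; } > "$DEMO/fixed.cfg"
sed 's/^lxc.idmap = g 0 100000 65536/lxc.idmap = g 0 100000 70000/' "$DEMO/fixed.cfg" > "$DEMO/badmap.cfg"
for f in posted fixed badmap; do
    if check_lxc_cfg "$DEMO/$f.cfg" user "$DEMO/subuid" "$DEMO/subgid"; then echo "$f.cfg: ok"; else echo "$f.cfg: rejected"; fi
done
```

Only posted.cfg (no rootfs) and badmap.cfg (gid range 100000..170000 exceeds the 65536-wide slice) are rejected; fixed.cfg passes.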