Quoting Eytan Heidingsfeld ([email protected]):

> Hi,
> I know this is definitely not on the list of things regularly tested but I
> have a scenario where I'm trying to run an unprivileged LXC container inside
> a docker container. The docker container is privileged and I would like the
> LXC container to be unprivileged.
> I have set up /etc/subuid and /etc/subgid in both the host and the docker
> container.
> Currently lxc-start fails with: lxc_conf - conf.c:lxc_setup_rootfs:1323 -
> Failed to mount rootfs "/data/vm/mount/bind/rootdir" onto
> "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)" (lxc-3.0).
>
> I don't understand why it is failing the mount; using strace I can see:
> 565 access("/usr/lib/x86_64-linux-gnu/lxc", F_OK) = 0
> 565 stat("/data/rootdir", 0x7ffcd1c5a7f0) = -1 EACCES (Permission denied)
>
> Where data/rootdir is my rootdir for the container and its contents are
> with the subuid/subgid I allocated.
>
> Longer quote from log:
> lxc-start container 20180425170139.363 INFO lxc_start - start.c:do_start:1070 - Unshared CLONE_NEWNET
> lxc-start container 20180425170139.364 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2745 - The binary "/usr/bin/newuidmap" does have the setuid bit set
> lxc-start container 20180425170139.364 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2745 - The binary "/usr/bin/newgidmap" does have the setuid bit set
> lxc-start container 20180425170139.364 DEBUG lxc_conf - conf.c:lxc_map_ids:2833 - Functional newuidmap and newgidmap binary found
> lxc-start container 20180425170139.370 DEBUG lxc_start - start.c:lxc_spawn:1668 - Preserved net namespace via fd 10
> lxc-start container 20180425170139.388 DEBUG lxc_network - network.c:lxc_network_move_created_netdev_priv:2479 - Moved network device "vethVGW02V"/"(null)" to network namespace of 657
> lxc-start container 20180425170139.388 NOTICE lxc_utils - utils.c:lxc_switch_uid_gid:2029 - Switched to gid 0.
> lxc-start container 20180425170139.388 NOTICE lxc_utils - utils.c:lxc_switch_uid_gid:2035 - Switched to uid 0.
> lxc-start container 20180425170139.388 NOTICE lxc_utils - utils.c:lxc_setgroups:2047 - Dropped additional groups.
> lxc-start container 20180425170139.389 INFO lxc_start - start.c:do_start:1177 - Unshared CLONE_NEWCGROUP
> lxc-start container 20180425170139.393 ERROR lxc_conf - conf.c:lxc_setup_rootfs:1323 - Failed to mount rootfs "/data/rootdir" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)"
> lxc-start container 20180425170139.393 ERROR lxc_conf - conf.c:do_rootfs_setup:3266 - Failed to setup rootfs for
> lxc-start container 20180425170139.393 ERROR lxc_conf - conf.c:lxc_setup:3311 - Failed to setup rootfs
>
> Any clues where to look?
Look at the LSM (probably apparmor) policy. See /proc/pid/current/attr for the policy name.

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
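A small diagnostic script for the two things worth checking in the situation above: which LSM policy confines the process that does the mount (read from /proc/<pid>/attr/current), and whether plain DAC permissions on the rootfs path explain the EACCES from stat() before blaming the LSM at all. This is an added example and not code from the thread or from the LXC project; the subuid sample lines, the user name lxcuser and the rootfs placeholder path are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic helper for the scenario in the thread; not code from the
# thread or from the LXC project. The subuid lines, the user "lxcuser" and
# the ROOTFS placeholder below are constructed values.

# LSM label confining a process (an AppArmor profile name or an SELinux
# context), read from /proc/<pid>/attr/current. Kernels whose LSM does not
# implement this attribute fail the read, reported here as "unavailable".
lsm_label() {
    pid="${1:-self}"
    if [ -e "/proc/$pid/attr/current" ]; then
        cat "/proc/$pid/attr/current" 2>/dev/null || echo "unavailable"
    else
        echo "no-lsm-attr"
    fi
}

# Does a uid (or gid) fall inside one of the ranges delegated to a user in
# /etc/subuid-style text ("user:start:count" per line)? The text is passed
# in so the same check can be run on a copy taken from the host or from the
# docker container, since the mapping must hold in the namespace doing the
# setup.
uid_in_subid_ranges() {
    subid_text="$1"; user="$2"; want_id="$3"
    printf '%s\n' "$subid_text" | awk -F: -v u="$user" -v id="$want_id" '
        $1 == u && id + 0 >= $2 + 0 && id + 0 < $2 + $3 { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Walk the directory components of a path and report the first one the
# current uid cannot search. stat() returning EACCES on the rootfs, as in
# the strace above, is produced by missing search permission on any parent
# directory as well as by an LSM denial; this separates the two causes.
path_components_traversable() {
    acc=""
    old_ifs="$IFS"; IFS=/
    for comp in $1; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        if [ -d "$acc" ] && [ ! -x "$acc" ]; then
            IFS="$old_ifs"
            echo "not traversable by uid $(id -u): $acc"
            return 1
        fi
    done
    IFS="$old_ifs"
    return 0
}

# Owner uid of the rootfs top directory, i.e. the uid that must be inside
# the range mapped into the container's user namespace.
rootfs_owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# Constructed sample mapping (not copied from the thread).
SAMPLE_SUBUID='root:100000:65536
lxcuser:200000:65536'
ROOTFS="${ROOTFS:-/tmp}"   # placeholder; set ROOTFS to the real rootfs path

echo "LSM label of this shell: $(lsm_label self)"
if uid_in_subid_ranges "$SAMPLE_SUBUID" lxcuser 200005; then
    echo "uid 200005 lies within the range delegated to lxcuser"
fi
if [ -d "$ROOTFS" ]; then
    echo "rootfs $ROOTFS is owned by uid $(rootfs_owner_uid "$ROOTFS")"
    path_components_traversable "$ROOTFS" && echo "every component of $ROOTFS is searchable"
fi
```

Run it as the user that invokes lxc-start, inside the docker container, with ROOTFS pointing at the container's rootfs (`ROOTFS=/data/rootdir sh diag.sh`), and feed `uid_in_subid_ranges` the contents of /etc/subuid from whichever namespace newuidmap consults. If every path component is searchable and the owner uid is inside the delegated range, the remaining suspect is the policy named by `lsm_label`, which is the direction the reply above points to.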
