On Wed, Feb 17, 2021 at 10:34:22PM +0100, Peter Carlsson wrote:
> On Fri, Feb 12, 2021 at 06:41:44AM +0100, Peter Carlsson wrote:
> > On Thu, Feb 11, 2021 at 05:45:35PM -0600, Serge E. Hallyn wrote:
> > > On Thu, Feb 11, 2021 at 10:22:52PM +0100, Peter Carlsson wrote:
> > > > On Thu, Feb 11, 2021 at 11:54:05AM -0600, Serge E. Hallyn wrote:
> > > > > On Wed, Feb 10, 2021 at 10:49:55PM +0100, Peter Carlsson wrote:
> > > > > > On Wed, Feb 10, 2021 at 07:08:09AM -0600, Serge E. Hallyn wrote:
> > > > > >
> > > > > > Hello again!
> > > > > >
> > > > > > Thanks for your help.
> > > > > >
> > > > > > I decided to start fresh and create the container as unprivileged. I
> > > > > > therefore deleted the old thread.
> > > > > >
> > > > > > Here is basically what I did:
> > > > > >
> > > > > > As root:
> > > > > >
> > > > > > usermod -v 100000-200000 -w 100000-200000 peter
> > > > > > cat /etc/subuid
> > > > > > peter:100000:100001
> > > > > > cat /etc/subgid
> > > > > > peter:100000:100001
> > > > > >
> > > > > > nano /etc/sysctl.conf
> > > > > > # Added by Peter Carlsson 2021-02-10 for lxc
> > > > > > kernel.unprivileged_userns_clone=1
> > > > > >
> > > > > > nano /etc/default/lxc-net
> > > > > > #USE_LXC_BRIDGE="true"
> > > > > >
> > > > > > nano /etc/lxc/default.conf
> > > > > > lxc.net.0.type = veth
> > > > > > lxc.net.0.link = lxcbr0
> > > > > > lxc.net.0.flags = up
> > > > > >
> > > > > > lxc.apparmor.profile = generated
> > > > > > lxc.apparmor.allow_nesting = 1
> > > > > >
> > > > > > As user peter:
> > > > > >
> > > > > > mkdir /home/peter/.config/lxc
> > > > > > nano /home/peter/.config/lxc/default.conf
> > > > > > lxc.net.0.type = veth
> > > > > > lxc.net.0.link = lxcbr0
> > > > > > lxc.net.0.flags = up
> > > > > >
> > > > > > lxc.apparmor.profile = generated
> > > > > > lxc.apparmor.allow_nesting = 1
> > > > > >
> > > > > > lxc.idmap = u 0 100000 100001
> > > > > > lxc.idmap = g 0 100000 100001
> > > > >
> > > > > This all looks good.
> > > > >
> > > > > > Don't know if this was necessary but I ran this after reading a
> > > > > > link found on Google
> > > > > >
> > > > > > lxc-usernsexec
> > > > >
> > > > > Sorry I'm not following here. lxc-usernsexec without any arguments
> > > > > will put you in a shell in a user namespace. I assume you exited that
> > > > > before going on with lxc-create, right?
> > > >
> > > > Never mind. To try to solve my problems I googled and tried out
> > > > different advice, but this was something I don't think I did anything
> > > > successful with.
> > > >
> > > > > > lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
> > > > > >
> > > > > > lxc-start -n VisualStudioCode -F
> > > > > >
> > > > > > lxc-start: VisualStudioCode: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requested network: No such file or directory - Failed to open "/etc/lxc/lxc-usernet"
> > > > > > cmd/lxc_user_nic.c: 1296: main: Quota reached
> > > > > > lxc-start: VisualStudioCode: start.c: lxc_spawn: 1777 Failed to create the configured network
> > > > > > lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> > > > > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> > > > > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> > > > > >
> > > > > > What should I put in /etc/lxc/lxc-usernet?
> > > > >
> > > > > cat << EOF | sudo tee /etc/lxc/lxc-usernet
> > > > > # USERNAME TYPE BRIDGE COUNT
> > > > > peter veth lxcbr0 10
> > > > >
> > > > > > Do you see something else I have missed or should have done
> > > > > > differently?
> > > > >
> > > > > Not offhand. But do make sure that lxc-net is running, i.e. make sure
> > > > > that 'brctl show' shows lxcbr0
> > > > >
> > > > > > Note that I had the network working for the container created by
> > > > > > root.
> > > >
> > > > Now I have also done these things and had some progress:
> > > >
> > > > systemctl enable lxc-net
> > > > systemctl start lxc-net
> > > >
> > > > nano /etc/lxc/lxc-usernet
> > > > # USERNAME TYPE BRIDGE COUNT
> > > > peter veth lxcbr0 10
> > > >
> > > > chmod 755 /home/peter/.local/share/
> > > > chmod 755 /home/peter/.local/share/lxc/
> > > >
> > > > lxc-start -n VisualStudioCode -F
> > > > Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > > > [!!!!!!] Failed to mount API filesystems.
> > > > Exiting PID 1...
> > > >
> > > > For me it is not obvious what my next step should be. Any help would be
> > > > appreciated.
> > >
> > > serge@sl /etc/pam.d$ dpkg -l | grep cgfs
> > > ii  libpam-cgfs  1:4.0.3+master~20200706-1105-0ubuntu1~eoan  amd64  PAM module for managing cgroups for LXC
> > >
> > > Do you have something like this? If so, then /etc/pam.d/common-session
> > > should have a line like
> > >
> > > common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
> > >
> > > which is what should delegate the cgroups you need to create containers.
> >
> > dpkg -l libpam-cgfs
> > ii  libpam-cgfs  1:3.1.0+really3.0.3-8  i386  PAM module for managing cgroups for LXC
> >
> > My /etc/pam.d/common-session already had a similar line (the last one)
> > but I added your suggestion as well.
> >
> > # here are the per-package modules (the "Primary" block)
> > session [default=1] pam_permit.so
> > # here's the fallback if no module succeeds
> > session requisite pam_deny.so
> > # prime the stack with a positive return value if there isn't one already;
> > # this avoids us returning an error just because nothing sets a success code
> > # since the modules above will each just jump around
> > session required pam_permit.so
> > # and here are more per-package modules (the "Additional" block)
> > session required pam_unix.so
> > session optional pam_winbind.so
> > session optional pam_systemd.so
> > session optional pam_cgfs.so -c freezer,memory,name=systemd
> > # end of pam-auth-update config
> >
> > # Added by Peter Carlsson 2021-02-12 for lxc
> > common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
> >
> > I also ran pam-auth-update as suggested in the file but I still get:
> >
> > lxc-start -n VisualStudioCode -F
> > Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > [!!!!!!] Failed to mount API filesystems.
> > Exiting PID 1...
> >
> > Thanks for all your help!
> >
> > Best regards,
> > Peter Carlsson

(Sorry for the delay)

> I decided to remove the line from /etc/pam.d/common-session again since
> I think the line you were suggesting was already in the file.

Yeah you don't want it twice.

> But still the same error message.
>
> Do you see any errors in the permissions below? I want to be sure before
> I change permissions in system folders.
>
> # ls -l /sys/fs/cgroup/systemd/
> totalt 0
> -rw-r--r--   1 root root 0 feb 15 23:29 cgroup.clone_children
> -rw-r--r--   1 root root 0 feb 17 22:30 cgroup.procs
> -r--r--r--   1 root root 0 feb 15 23:29 cgroup.sane_behavior
> drwxr-xr-x   2 root root 0 feb 15 23:29 docker
> drwxr-xr-x   2 root root 0 feb 15 23:29 init.scope
> drwxr-xr-x   8 root root 0 feb 15 23:29 lxc
> -rw-r--r--   1 root root 0 feb 15 23:29 notify_on_release
> -rw-r--r--   1 root root 0 feb 15 23:29 release_agent
> drwxr-xr-x 151 root root 0 feb 17 22:09 system.slice
> -rw-r--r--   1 root root 0 feb 15 23:29 tasks
> drwxr-xr-x   9 root root 0 feb 15 23:29 user
> drwxr-xr-x   3 root root 0 feb 17 21:24 user.slice
>
> # ls -l /sys/fs/cgroup/systemd/lxc/
> totalt 0
> -rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.clone_children
> -rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.procs
> -rw-r--r-- 1 root root 0 feb 15 23:29 notify_on_release
> -rw-r--r-- 1 root root 0 feb 15 23:29 tasks
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-1
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-2
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-3
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-4
> drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-5

On my laptop, my unprivileged container has:

cat /proc/3773/cgroup
12:net_cls,net_prio:/
11:pids:/user.slice/user-1000.slice/session-2.scope
10:hugetlb:/
9:memory:/user.slice/user-1000.slice/session-2.scope
8:cpu,cpuacct:/user.slice
7:blkio:/user.slice
6:freezer:/user/serge/0/lxc.payload.mail
5:rdma:/
4:perf_event:/
3:cpuset:/
2:devices:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
0::/user.slice/user-1000.slice/session-2.scope

So the systemd cgroup is
/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
where the first part /user.slice/user-1000.slice/session-2.scope was
inherited from my login shell, and

serge@sl ~$ ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope/
total 0
-rw-r--r-- 1 root  root   0 Feb 17 23:16 cgroup.clone_children
-rw-r--r-- 1 root  root   0 Feb 17 23:16 cgroup.procs
drwxr-xr-x 2 serge serge  0 Feb  1 08:32 lxc.monitor.mail
drwxrwxr-x 5 serge 100000 0 Feb  1 08:32 lxc.payload.mail
drwxr-xr-x 2 serge serge  0 Feb  9 22:13 lxc.pivot
-rw-r--r-- 1 root  root   0 Feb 17 23:16 notify_on_release
-rw-r--r-- 1 root  root   0 Feb 17 23:16 tasks

-serge
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
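An added diagnostic script, not code from the thread or from LXC, that checks the three prerequisites this thread works through for an unprivileged container: the subuid/subgid range, the lxc-usernet quota line, and whether pam_cgfs actually delegated the login session's cgroup to the user. It assumes the cgroup v1 layout shown in the thread (name=systemd hierarchy mounted at /sys/fs/cgroup/systemd), GNU stat, and the bridge name lxcbr0; the function names are mine.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: checks the three things the thread
# debugged for an unprivileged container (subuid/subgid range, lxc-usernet
# quota, cgroup delegation). Assumes the cgroup v1 layout shown in the thread
# (name=systemd hierarchy at /sys/fs/cgroup/systemd) and GNU stat.

# Print the name=systemd cgroup path from /proc/<pid>/cgroup content on stdin;
# v1 lines look like "1:name=systemd:/user.slice/user-1000.slice/session-2.scope".
systemd_cgroup_path() {
    awk -F: '$2 == "name=systemd" { print $3; exit }'
}

# Succeed if the subuid/subgid content on stdin grants user $1 at least $2 ids.
# The thread's lxc.idmap lines map 100001 ids, so the range must cover that.
subid_range_ok() {
    awk -F: -v u="$1" -v need="$2" \
        '$1 == u && $3 + 0 >= need + 0 { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Succeed if the lxc-usernet content on stdin lets user $1 create at least one
# veth on bridge $2; without such a line lxc-user-nic reports "Quota reached".
usernet_ok() {
    awk -v u="$1" -v b="$2" \
        '$1 == u && $2 == "veth" && $3 == b && $4 + 0 > 0 { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Live check: pam_cgfs should have chowned the login session's cgroup to the
# user. A root-owned tree, as in the listing in the thread, means nothing was delegated.
cgroup_delegated() {
    path=$(systemd_cgroup_path < /proc/self/cgroup)
    dir="/sys/fs/cgroup/systemd$path"
    [ -d "$dir" ] || { echo "no cgroup dir: $dir" >&2; return 1; }
    owner=$(stat -c %u "$dir")
    [ "$owner" = "$(id -u)" ] || { echo "$dir owned by uid $owner, not $(id -u)" >&2; return 1; }
}

# Run the live checks only when asked, so sourcing the file has no side effects.
# 65536 is the range size useradd assigns by default; use your own idmap size instead.
if [ "${1:-}" = "--live" ]; then
    me=$(id -un)
    subid_range_ok "$me" 65536 < /etc/subuid && echo "subuid ok" || echo "subuid MISSING"
    subid_range_ok "$me" 65536 < /etc/subgid && echo "subgid ok" || echo "subgid MISSING"
    usernet_ok "$me" lxcbr0 < /etc/lxc/lxc-usernet && echo "lxc-usernet ok" || echo "lxc-usernet MISSING"
    cgroup_delegated && echo "cgroup delegated" || echo "cgroup NOT delegated"
fi
```

Run it as the container user with `--live`; a "cgroup NOT delegated" result with a root-owned session directory is the pam_cgfs problem the thread is chasing, not an lxc.conf problem.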