Re: [Touch-packages] [Bug 1389305] Re: sudo doesn't work on unprivileged lxc container

2014-11-19 Thread Serge Hallyn
Ah, the ecryptfs $HOME might be the problem.  I haven't tested that
and wouldn't be surprised if ecryptfs prevented the console from
looking ok.  Could you try something like:

rm -rf $HOME/.config/lxc $HOME/.local/share/lxc
sudo mkdir /opt/lxc
sudo chown -R $USER /opt/lxc
mkdir /opt/lxc/config /opt/lxc/store
ln -s /opt/lxc/store $HOME/.local/share/lxc
ln -s /opt/lxc/config $HOME/.config/lxc

Then re-try the container create/setup.  This will create the
container rootfs on a non-ecryptfs filesystem.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1389305

Title:
  sudo doesn't work on unprivileged lxc container

Status in “lxc” package in Ubuntu:
  Incomplete

Bug description:
  On Ubuntu 14.04 64 bit, after adding a user into an unprivileged
  container, the sudo complains that:

  $ sudo su
  sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

  To reproduce:

  1. Download and install the Ubuntu amd64 minimalcd
  2. Install lxc on it and openssh for convenience.
  3. follow https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/ ; specifically do:
   a) sudo usermod --add-subuids 10-165536 $USER
   b) sudo usermod --add-subgids 10-165536 $USER
   c) sudo chmod +x $HOME
   d) create the file ~/.config/lxc/default.conf with the following contents:
  lxc.include = /etc/lxc/default.conf
  lxc.id_map = u 0 10 65536
  lxc.id_map = g 0 10 65536
   e) echo "$USER veth lxcbr0 10" | sudo tee /etc/lxc/lxc-usernet
  (restart is not required)
  4. Create the container with
  lxc-create -t download -n p1 -- -d ubuntu -r trusty -a amd64
  5. Install openssh-server in the container:
  lxc-start -d -n p1
  lxc-attach -n p1 -- apt-get install openssh-server
  6. Add a user "adam" with the group sudo
  lxc-attach -n p1 -- adduser adam sudo
  7. Set a password for the user
  8. Log in via ssh (and provide the password from step 7)
  ssh adam@p1
  9. On the p1:
  adam@p1$ sudo su
  sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

  I expected it to change the user to root.

  lxc version: 1.0.3-0ubuntu3
  $ cat ~/.cache/lxc/download/ubuntu/trusty/amd64/default/build_id
  20141101_03:49

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1389305/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


Re: [Touch-packages] [Bug 1389305] Re: sudo doesn't work on unprivileged lxc container

2014-11-19 Thread Serge Hallyn
Quoting Adam Ryczkowski (adam.ryczkow...@statystyka.net):
> I really don't know how to tell you, which Trusty's 64bit minimal cd I

The full url.



Re: [Touch-packages] [Bug 1389305] Re: sudo doesn't work on unprivileged lxc container

2014-11-19 Thread Adam Ryczkowski
On 19.11.2014 15:35, Serge Hallyn wrote:
> Ah, the ecryptfs $HOME might be the problem.  I haven't tested that
> and wouldn't be surprised if ecryptfs prevented the console from
> looking ok.  Could you try something like:
>
> rm -rf $HOME/.config/lxc $HOME/.local/share/lxc
> sudo mkdir /opt/lxc
> sudo chown -R $USER /opt/lxc
> mkdir /opt/lxc/config /opt/lxc/store
> ln -s /opt/lxc/store $HOME/.local/share/lxc
> ln -s /opt/lxc/config $HOME/.config/lxc
>
> Then re-try the container create/setup.  This will create the
> container rootfs on a non-ecryptfs filesystem.
>
Yes! That resolved the problem. Thank you!

Would you be able to tell me why ecryptfs poses a problem for sudo in
a container?

Adam



Re: [Touch-packages] [Bug 1389305] Re: sudo doesn't work on unprivileged lxc container

2014-11-21 Thread Adam Ryczkowski
For one thing, the lxc-create can check if it is going to create a
user-space container on top of the ecryptfs, and warn the user if
appropriate with the link to this bug report. That should be fairly
easy to implement, because on the default setup the ecryptfs would be
the underlying fs, so there is no need to dig into the nested mounts.

Status in “ecryptfs-utils” package in Ubuntu:
  New
Status in “lxc” package in Ubuntu:
  Invalid



Re: [Touch-packages] [Bug 1389305] Re: sudo doesn't work on unprivileged lxc container

2014-11-21 Thread Adam Ryczkowski
For one thing the lxc-create could warn the user (with the link to this
bug report) if it finds that the user is attempting to create a
user-space container on top of the ecryptfs. I believe that should be
fairly easy to implement. And I guess it is rather important to do,
because the user never gets a warning about the inherent incompatibility
between user-space containers and encrypted home folder (which is
featured by the Ubuntu installer).

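
The pre-create check proposed in the two messages above, sketched as an added example; it is not lxc code and not from anyone in this thread. The function names and the sample mount table are constructed here, and the check also flags nosuid, the mount option the sudo error message names.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the bug report).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/home/adam/.Private /home/adam ecryptfs rw,nosuid,nodev,relatime 0 0'

# mount_entry_for PATH [MOUNTS_FILE]
# Print "fstype options" of the mount that holds PATH. The longest
# mount-point prefix wins; a later entry wins a tie (it is mounted on top).
# Mount points with escaped characters (\040 for space) are not decoded.
mount_entry_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); out = $3 " " $4 }
        }
        END { print out }
    ' "${2:-/proc/mounts}"
}

# check_lxcpath PATH [MOUNTS_FILE]
# Return 1 and warn on stderr if PATH sits on ecryptfs or on a mount
# with the nosuid option; return 0 otherwise.
check_lxcpath() {
    entry=$(mount_entry_for "$1" "${2:-/proc/mounts}")
    fstype=${entry%% *}
    opts=${entry#* }
    rc=0
    if [ "$fstype" = "ecryptfs" ]; then
        echo "warning: $1 is on ecryptfs (see bug 1389305)" >&2
        rc=1
    fi
    case ",$opts," in
        *,nosuid,*) echo "warning: $1 is on a nosuid mount" >&2; rc=1 ;;
    esac
    return $rc
}

# On a live system, resolve symlinks first so that a store moved to
# /opt/lxc (as in the workaround above) is checked at its real location:
#   check_lxcpath "$(readlink -f "$HOME/.local/share/lxc")"
```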