Lab 3.2 - lxc containers - running unprivileged as root (but not part of exercise)

heiko_s

I ran through the LXC lab again, and tried a variation that is mentioned at the beginning: unprivileged containers can be created by root.
The regular unprivileged setup described in the lab works well. Except for that it can't create LVM volumes (the -B lvm option).

Privileged container also works well. Again, LVM doesn't work and I can't explain.

Next I tried what was hinted: create an unprivileged container as root.

The default Ubuntu 18.04 server installation already had a root entry in /etc/subuid and subgid:

lxd:100000:65536
root:100000:65536
heiko:165536:65536

I edited /etc/lxc/default.conf and added:

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

Then I followed the steps installing a container as root. Once created, I tried to start it, but got the following:

[email protected]:~# lxc-start -n priv -d
lxc-start: priv: lxccontainer.c: wait_on_daemonized_start: 842 Received container state "ABORTING" instead of "RUNNING"
lxc-start: priv: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: priv: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
lxc-start: priv: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

I wonder what went wrong?

Also, wouldn't it make sense to include this exercise - creating non-privileged containers as root - in the lab? I know it's a lot of stuff and hard to decide where to shorten.

If anyone has any thoughts on why LVM doesn't work (including as root), that would be a bonus.

Right now my feeling about lxc is that it's not that practical. But I definitely don't know enough about it.

chrispokorni

Hi @heiko_s,

LXC is one of the classics, and it was used by Docker in its early days.

As far as LVM, you may find some helpful tips on the linuxcontainers.org forum.

I will try to run thru this (non)exercise to investigate what is happening. I will post my findings as soon as I have something.

Regards,
-Chris

chrispokorni

Hello @heiko_s,

I have attempted to create the unprivileged container as root, but so far I have been stuck at the same step as reported by you. There have been many inconsistent issues reported around this method, where the container start fails.

This makes me wonder if what the documentation states (but does not prove) has any specific requirements or dependencies. I will keep this on my radar and report back with any relevant info.

Regards,
-Chris

heiko_s

Thanks for digging into this, Chris.