Lab 3.2 - LXC

mkturner

I am trying to do the lxc lab and the command is not giving me the list of unprivileged containers. Similar problem to this thread . I am using a GCP instance, configured to the specifiaction of Lab 1.1.

lxc-create -t download -n unpriv-cont-user
lxc-create: unpriv-cont-user: conf.c: chown_mapped_root: 3226 lxc-usernsexec failed: No such file or directory - Failed to open tt lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

cat /etc/subuid
lxd:100000:65536 root:100000:65536 ubuntu:165536:65536 mktbilling:231072:65536

cat /etc/subgid
lxd:100000:65536 root:100000:65536 ubuntu:165536:65536 mktbilling:231072:65536

cat /etc/lxc/lxc-usernet
# USERNAME TYPE BRIDGE COUNT mktbilling_gmail_com veth lxcbr0 10

cat ~/.config/lxc/default.conf
lxc.net.0.type = veth lxc.net.0.link = lxcbr0 lxc.net.0.flags = up lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx lxc.idmap = u 0 231072 65536 lxc.idmap = g 0 231072 65536

uname -vp
#49~18.04.1-Ubuntu SMP Fri Jun 18 21:33:55 UTC 2021 x86_64

I even tried the suggestion by KevinCSmallwood from the thread:
sudo lxc-create -t download -n unpriv-cont-user -- -d ubuntu -r xenial -a amd64
Setting up the GPG keyring ERROR: Unable to fetch GPG key from keyserver lxc-create: unpriv-cont-user: lxccontainer.c: create_run_template: 1617 Failed to create container from template lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

chrispokorni

Hi @mkturner,

Did the setfacl command and /or the --keyserver option not help to resolve your issue?

Also, there seems to be a slight inconsistency with the content of /etc/lxc/lxc-usernet. Is the username entry correct?

Regards,
-Chris

mkturner

@chrispokorni said:
Hi @mkturner,

Did the setfacl command and /or the --keyserver option not help to resolve your issue?

Also, there seems to be a slight inconsistency with the content of /etc/lxc/lxc-usernet. Is the username entry correct?

Regards,
-Chris

Yes, I noticed that and thought it strange as well. I do have OS Login enabled, would that cause an issue?

whoami
mktbilling_gmail_com

So that's what i put in lxc-usernet.

lxc-create -t download -n unpriv-cont-user -- --keyserver keyserver.ubuntu.com
lxc-create: unpriv-cont-user: conf.c: chown_mapped_root: 3226 lxc-usernsexec failed: No such file or directory - Failed to open tt lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

id -u mktbilling_gmail_com
1073413225

setfacl -R -m u:1073413225:x ~/.local
lxc-create -t download -n unpriv-cont-user
lxc-create: unpriv-cont-user: conf.c: chown_mapped_root: 3226 lxc-usernsexec failed: No such file or directory - Failed to open tt lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

mkturner

I figured it out.

id -u mktbilling
1001

So mktbilling and mktbilling_gmail_com are two different users. That's when I realized I had enabled OS Login on this GCP instance and it probably created this new user. I disabled OS Login and ssh in as the mktbilling user. Then I tried the setfacl suggestion:

setfacl -R -m u:$(id -u mktbilling):x ~/.local
setfacl -R -m u:1001:x ~/.local

Still, errors with the lxc-create command
lxc-create -t download -n priv-cont
Setting up the GPG keyring ERROR: Unable to fetch GPG key from keyserver lxc-create: priv-cont: lxccontainer.c: create_run_template: 1617 Failed to create container from template lxc-create: priv-cont: tools/lxc_create.c: main: 327 Failed to create container priv-cont

Fixed by the suggestion of proliant in the other thread which recommends explicitly specifying key server
lxc-create -t download -n priv-cont -- --keyserver keyserver.ubuntu.com

Setting up the GPG keyring
Downloading the image index

---

DIST RELEASE ARCH VARIANT BUILD

almalinux 8 amd64 default 20210719_23:08
almalinux 8 arm64 default 20210719_23:08
alpine 3.11 amd64 default 20210720_13:36
...

Do you know why this is? If so please explain