Quoting richard -rw- weinberger (richard.weinber...@gmail.com): > On Tue, Apr 9, 2013 at 11:33 PM, richard -rw- weinberger > <richard.weinber...@gmail.com> wrote: > > On Tue, Apr 9, 2013 at 11:07 PM, Serge Hallyn <serge.hal...@ubuntu.com> > > wrote: > >> Quoting richard -rw- weinberger (richard.weinber...@gmail.com): > >>> On Tue, Apr 9, 2013 at 3:19 PM, Serge Hallyn <serge.hal...@ubuntu.com> > >>> wrote: > >>> > Quoting richard -rw- weinberger (richard.weinber...@gmail.com): > >>> >> On Tue, Apr 9, 2013 at 9:58 AM, richard -rw- weinberger > >>> >> <richard.weinber...@gmail.com> wrote: > >>> >> > On Tue, Apr 9, 2013 at 5:28 AM, Serge Hallyn > >>> >> > <serge.hal...@ubuntu.com> wrote: > >>> >> >> Quoting richard -rw- weinberger (richard.weinber...@gmail.com): > >>> >> >>> Am I missing something obvious? > >>> >> >> > >>> >> >> lxc-create does not yet convert the rootfs to the mapped uids, so > >>> >> >> you > >>> >> >> need to do that manually using uidmapshift. Check the > >>> >> >> container-userns-convert script at > >>> >> >> https://code.launchpad.net/~serge-hallyn/+junk/nsexec or in the > >>> >> >> nsexec > >>> >> >> package at ppa:serge-hallyn/userns-natty. > >>> >> > > >>> >> > Hmm, I've fixed the uids already by hand. > >>> >> > Today I've created a new container and used container-userns-convert > >>> >> > but with the same results. > >>> >> > > >>> >> > What I find very strange is that your script does: > >>> >> > lxc.id_map = U ${uid} 0 $range > >>> >> > lxc.id_map = G ${uid} 0 $range > >>> >> > uid is 100000, range is 10000. > >>> >> > > >>> >> > But the lxc docs say: > >>> >> > Four values must be provided. First a character, > >>> >> > either > >>> >> > 'u', or 'g', to specify whether user or group ids are > >>> >> > being mapped. Next is the first userid as seen in the > >>> >> > user namespace of the container. Next is the userid as > >>> >> > seen on the host. Finally, a range indicating the > >>> >> > number > >>> >> > of consecutive ids to map. > >>> >> > > >>> >> > So, this would make more sense: lxc.id_map = u 0 100000 10000 > >>> >> > > >>> >> > Anyways, mount of tmpfs fails with ENOPERM, is there any debugging > >>> >> > mechanism to find out why it is failing? > >>> >> > According to strace some bind mounts before the tmpfs work perfectly > >>> >> > fine. > >>> >> > >>> >> BTW: I found out that tmpfs is not supported within user namespaces... > >>> > > >>> > It should be in 3.9: > >>> > > >>> > userns: Allow the userns root to mount tmpfs. > >>> > >>> Okay. Mounting tmpfs works on 3.9 so far. > >>> > >>> >> Anyways, now lxc-start dies here: > >>> >> lxc-start: Operation not permitted - failed to set mode '020644' to > >>> >> '/dev/pts/1' > >>> >> which is: > >>> >> chmod("/dev/pts/1", 020644) = -1 EPERM (Operation not permitted) > >>> >> Shouldn't this be /usr/lib64/lxc/rootfs/dev/pts/1?! > >>> > > >>> > Look at Eric's user namespaces kernel tree for patches which aren't in > >>> > your tree yet. (I also have one, but right now it is out of date with > >>> > respect to some recent fixes Eric has sent upstream.) Upstream is > >>> > almost 100% there, but an <eensie weensie> bit away. > >>> > >>> Which tree is that? > >>> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git > >>> for-linus (and for-next) > >>> differ only by one commit: > >>> proc: Restrict mounting the proc filesystem > >> > >> you'll probably have better luck with branch userns-always-map-user-v100 > > > > Nope. Same result. > > FWIW to build userns-always-map-user-v100 on current Linus tree the > > following patch is needed: > > --- > > diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c > > index f0f0faa..ecfd846 100644 > > --- a/fs/devpts/inode.c > > +++ b/fs/devpts/inode.c > > @@ -386,8 +386,8 @@ struct vfsmount *devpts_mntget(struct file *filp) > > struct vfsmount *mnt = ERR_PTR(-ENODEV); > > > > /* Verify the mnt is a devpts mount */ > > - if (filp->f_vfsmnt->mnt_sb->s_magic == DEVPTS_SUPER_MAGIC) > > - mnt = mntget(filp->f_vfsmnt); > > + if (filp->f_path.mnt->mnt_sb->s_magic == DEVPTS_SUPER_MAGIC) > > + mnt = mntget(filp->f_path.mnt); > > return mnt; > > } > > --- > > > >> The unsafe kernel (until I get time to update it) which definately works > >> is in ppa ubuntu-lxc/kernel. > > This one? > https://launchpad.net/~ubuntu-lxc/+archive/kernel/+packages > > I'm not an Ubuntu guy and not very familiar with this ppa thingy. > Isn't there a git repo to find out what the differences between mainline are?
http://kernel.ubuntu.com/git?p=serge/quantal-userns.git;a=summary ------------------------------------------------------------------------------ Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
