On Thu, Feb 11, 2021 at 10:22:52PM +0100, Peter Carlsson wrote:
> On Thu, Feb 11, 2021 at 11:54:05AM -0600, Serge E. Hallyn wrote:
> > On Wed, Feb 10, 2021 at 10:49:55PM +0100, Peter Carlsson wrote:
> > > On Wed, Feb 10, 2021 at 07:08:09AM -0600, Serge E. Hallyn wrote:
> > > 
> > > Hello again!
> > > 
> > > Thanks for your help.
> > > 
> > > I decided to start fresh and create the container as unprivileged. I
> > > therefore deleted the old thread.
> > > 
> > > Here is basically what I did:
> > > 
> > > As root:
> > > 
> > >   usermod -v 100000-200000 -w 100000-200000 peter
> > >   cat /etc/subuid
> > >     peter:100000:100001
> > >   cat /etc/subgid
> > >     peter:100000:100001
> > > 
> > >   nano /etc/sysctl.conf
> > >     # Added by Peter Carlsson 2021-02-10 for lxc
> > >     kernel.unprivileged_userns_clone=1
> > > 
> > >   nano /etc/default/lxc-net
> > >     #USE_LXC_BRIDGE="true"
> > > 
> > >   nano /etc/lxc/default.conf
> > >     lxc.net.0.type = veth
> > >     lxc.net.0.link = lxcbr0
> > >     lxc.net.0.flags = up
> > > 
> > >     lxc.apparmor.profile = generated
> > >     lxc.apparmor.allow_nesting = 1
> > > 
> > > As user peter:
> > > 
> > >   mkdir /home/peter/.config/lxc
> > >   nano /home/peter/.config/lxc/default.conf
> > >     lxc.net.0.type = veth
> > >     lxc.net.0.link = lxcbr0
> > >     lxc.net.0.flags = up
> > > 
> > >     lxc.apparmor.profile = generated
> > >     lxc.apparmor.allow_nesting = 1
> > > 
> > >     lxc.idmap = u 0 100000 100001
> > >     lxc.idmap = g 0 100000 100001
> > 
> > This all looks good.
> > 
> > > Don't know if this was necessary but I ran this after reading a link 
> > > found on Google
> > > 
> > >   lxc-usernsexec
> > 
> > Sorry I'm not following here.  lxc-usernsexec without any arguments
> > will put you in a shell in a user namespace.  I assume you exited that
> > before going on with lxc-create, right?
> 
> Never mind. To try to solve my problems I googled and tried out
> different advice, but this was something I don't think I did anything
> successful with.
> 
> > >   lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
> > > 
> > >   lxc-start -n VisualStudioCode -F
> > >  
> > >     lxc-start: VisualStudioCode: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requested network: No such file or directory - Failed to open "/etc/lxc/lxc-usernet"
> > >     cmd/lxc_user_nic.c: 1296: main: Quota reached
> > >     lxc-start: VisualStudioCode: start.c: lxc_spawn: 1777 Failed to create the configured network
> > >     lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> > >     lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> > >     lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> > > 
> > > What should I put in /etc/lxc/lxc-usernet?
> > 
> > cat << EOF | sudo tee /etc/lxc/lxc-usernet
> > # USERNAME TYPE BRIDGE COUNT
> > peter veth lxcbr0 10
> > EOF
> > 
> > > Do you see something else I have missed or should have done differently?
> > 
> > Not offhand.  But do make sure that lxc-net is running, i.e. make sure
> > that 'brctl show' shows lxcbr0
> > 
> > > Note that I had the network working for the container created by root.
>  
> Now I have also done these things and had some progress:
> 
>   systemctl enable lxc-net
>   systemctl start lxc-net
> 
>   nano /etc/lxc/lxc-usernet
>     # USERNAME TYPE BRIDGE COUNT
>     peter veth lxcbr0 10
> 
>   chmod 755 /home/peter/.local/share/
>   chmod 755 /home/peter/.local/share/lxc/
> 
>   lxc-start -n VisualStudioCode -F
>     Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
>     [!!!!!!] Failed to mount API filesystems.
>     Exiting PID 1...
> 
> For me it is not obvious what my next step should be. Any help would be
> appreciated.

serge@sl /etc/pam.d$ dpkg -l | grep cgfs
ii  libpam-cgfs  1:4.0.3+master~20200706-1105-0ubuntu1~eoan  amd64  PAM module for managing cgroups for LXC

Do you have something like this?  If so, then /etc/pam.d/common-session should have a line like

common-session:session  optional        pam_cgfs.so -c freezer,memory,name=systemd

which is what should delegate the cgroups you need to create containers.

-serge
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
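As an added example that is not part of this thread, the script below runs the pre-flight checks the exchange above works through one by one: that the user has /etc/subuid and /etc/subgid ranges, that every lxc.idmap line in the container config fits inside them, that /etc/lxc/lxc-usernet grants a veth quota on the bridge (its absence is what lxc-user-nic reports as "Quota reached"), and that an active pam_cgfs.so line exists in the PAM session stack (its absence is one cause of "Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied"). The function names and the sample files are my own; the sample contents mirror the values from the thread and are written to a temporary directory so the script runs offline. On a real host, pass the live paths instead.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an unprivileged
# LXC container. Every file used below is a constructed sample; on a real host
# pass /etc/subuid, /etc/subgid, ~/.config/lxc/default.conf,
# /etc/lxc/lxc-usernet and /etc/pam.d/common-session instead.

# subid_range FILE USER -> prints "START COUNT" of the first USER entry, or nothing.
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1" 2>/dev/null
}

# idmap_fits CONF KIND START COUNT -> exit 0 when every "lxc.idmap = KIND ..."
# line in CONF maps into [START, START+COUNT); 1 when one overflows or none exist.
# KIND is u or g; the host id is field 5 and the length field 6 of each line.
idmap_fits() {
    awk -v kind="$2" -v lo="$3" -v n="$4" '
        $1 == "lxc.idmap" && $2 == "=" && $3 == kind {
            seen = 1
            host = $5 + 0; len = $6 + 0
            if (host < lo || host + len > lo + n) bad = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }' "$1"
}

# usernet_quota FILE USER TYPE BRIDGE -> number of TYPE interfaces USER may
# attach to BRIDGE. Prints 0 when the file is missing or has no matching
# line, which is the situation lxc-user-nic reports as "Quota reached".
usernet_quota() {
    if [ ! -r "$1" ]; then echo 0; return 0; fi
    awk -v u="$2" -v t="$3" -v b="$4" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == u && $2 == t && $3 == b { q += $4 }
        END { print q + 0 }' "$1"
}

# pam_cgfs_controllers FILE -> the controller list given to pam_cgfs.so -c,
# empty when no active (uncommented) pam_cgfs line exists.
pam_cgfs_controllers() {
    [ -r "$1" ] || return 0
    awk '/^[ \t]*#/ { next }
         /pam_cgfs\.so/ { for (i = 1; i < NF; i++) if ($i == "-c") { print $(i + 1); exit } }' "$1"
}

# preflight USER CONF SUBUID SUBGID USERNET PAMFILE BRIDGE -> one line per
# check; exit status 0 only if every check passes.
preflight() {
    user=$1 conf=$2 subuid=$3 subgid=$4 usernet=$5 pam=$6 bridge=$7
    rc=0
    for kind in u g; do
        if [ "$kind" = u ]; then f=$subuid; else f=$subgid; fi
        range=$(subid_range "$f" "$user")
        if [ -z "$range" ]; then
            echo "FAIL: no entry for $user in $f"; rc=1; continue
        fi
        # $range is intentionally unquoted: it expands to "START COUNT"
        if idmap_fits "$conf" "$kind" $range; then
            echo "ok:   lxc.idmap $kind lines fit in $range"
        else
            echo "FAIL: lxc.idmap $kind lines missing or outside $range"; rc=1
        fi
    done
    q=$(usernet_quota "$usernet" "$user" veth "$bridge")
    if [ "$q" -gt 0 ]; then
        echo "ok:   $user may create $q veth interfaces on $bridge"
    else
        echo "FAIL: no veth quota for $user on $bridge in $usernet"; rc=1
    fi
    c=$(pam_cgfs_controllers "$pam")
    if [ -n "$c" ]; then
        echo "ok:   pam_cgfs delegates: $c"
    else
        echo "FAIL: no active pam_cgfs.so line in $pam (cgroup mounts will be denied)"; rc=1
    fi
    return $rc
}

# --- constructed sample host, mirroring the values in the thread -------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
printf 'peter:100000:100001\n' > "$SAMPLE/subuid"
printf 'peter:100000:100001\n' > "$SAMPLE/subgid"
cat > "$SAMPLE/default.conf" <<'CONF'
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.idmap = u 0 100000 100001
lxc.idmap = g 0 100000 100001
CONF
printf '# USERNAME TYPE BRIDGE COUNT\npeter veth lxcbr0 10\n' > "$SAMPLE/lxc-usernet"
printf 'session optional pam_cgfs.so -c freezer,memory,name=systemd\n' > "$SAMPLE/common-session"

preflight peter "$SAMPLE/default.conf" "$SAMPLE/subuid" "$SAMPLE/subgid" \
    "$SAMPLE/lxc-usernet" "$SAMPLE/common-session" lxcbr0
```

The idmap check is the one worth keeping around: a map of 100001 ids starting at 100000 needs a subuid count of at least 100001, and a range that is one id short fails the start silently with an idmap error rather than a clear message. These checks cover configuration only; they do not confirm that lxc-net is running or that lxcbr0 exists, which still needs `brctl show` or `ip link show lxcbr0` on the host.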
