Hi Everyone ,
I would like to create & start LXC container for specific UID & GID for below purpose.
Login to root user(sudo user) , Do lxc-create of container, then do lxc-start of the container with same root user id. while staring container i need to start all the process inside the container with low privilege(un-priv) user id in which access to the user is restricted to only container and not to host.basically when i say ps -axu , i should be able to see low privilege user id for all the container process.
PS : my host which is VM with ubuntu 16.04 LTS is systemd init system and my container(type busybox) will be started with systemd services . for that i have modified busybox template as below
and also removed all rcS & inittab related scripts in the busybox default template
and for user id map , i have changed as below in my template
after that i just followed below comments
Container created normally with below comment (and i cross checked config file at /var/lib/lxc/testecho_uid/config to make sure that all my template changes are reflected or not, found ok)
Entered below command to start the container with foreground
Error is :
vijay@vijay-VirtualBox:~$ sudo lxc-start -n testecho_uid -F
lxc-start: cgfsng.c: cgfsng_create: 1072 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/testecho_uid: No such file or directory
lxc-start: cgfsng.c: cgfsng_create: 1072 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/testecho_uid-1: No such file or directory
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'testecho_uid'
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/systemd//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/perf_event//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/hugetlb//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/cpu//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/memory//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/pids//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/blkio//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/cpuset//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/net_cls//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/devices//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/freezer//lxc/testecho_uid-2
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
Can anyone please tell me whether i am missing anything here.
below are setup for uid & gid
I have also discussed similar topic on below , but that subject was for un-privilage conatiers and now it is not specific to priv or un-priv , it is just related to UID and GID for systemD init system.
https://ubuntuforums.org/showthread.php?t=2334545
I would like to create & start LXC container for specific UID & GID for below purpose.
Login to root user(sudo user) , Do lxc-create of container, then do lxc-start of the container with same root user id. while staring container i need to start all the process inside the container with low privilege(un-priv) user id in which access to the user is restricted to only container and not to host.basically when i say ps -axu , i should be able to see low privilege user id for all the container process.
PS : my host which is VM with ubuntu 16.04 LTS is systemd init system and my container(type busybox) will be started with systemd services . for that i have modified busybox template as below
Code:
lxc.init_cmd=/lib/systemd/systemdand for user id map , i have changed as below in my template
Code:
lxc.id_map=u 0 165536 65536
lxc.id_map=g 0 165536 65536Container created normally with below comment (and i cross checked config file at /var/lib/lxc/testecho_uid/config to make sure that all my template changes are reflected or not, found ok)
Code:
sudo lxc-create -n testecho_uid -t busybox_systemd_uidCode:
sudo lxc-start -n testecho_uid -FQuote:
vijay@vijay-VirtualBox:~$ sudo lxc-start -n testecho_uid -F
lxc-start: cgfsng.c: cgfsng_create: 1072 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/testecho_uid: No such file or directory
lxc-start: cgfsng.c: cgfsng_create: 1072 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/testecho_uid-1: No such file or directory
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'testecho_uid'
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/systemd//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/perf_event//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/hugetlb//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/cpu//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/memory//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/pids//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/blkio//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/cpuset//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/net_cls//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/devices//lxc/testecho_uid-2
newuidmap: uid range [0-65536) -> [165536-231072) not allowed
lxc-start: conf.c: userns_exec_1: 4315 Error setting up child mappings
lxc-start: cgfsng.c: recursive_destroy: 983 Error destroying /sys/fs/cgroup/freezer//lxc/testecho_uid-2
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
Can anyone please tell me whether i am missing anything here.
below are setup for uid & gid
Code:
vijay@vijay-VirtualBox:~$ sudo cat /etc/subgid
vijay:100000:65536
usrlxc:165536:65536
vijay:165536:65537Code:
vijay@vijay-VirtualBox:~$ sudo cat /etc/subuid
vijay:100000:65536
usrlxc:165536:65536
vijay:165536:65537I have also discussed similar topic on below , but that subject was for un-privilage conatiers and now it is not specific to priv or un-priv , it is just related to UID and GID for systemD init system.
https://ubuntuforums.org/showthread.php?t=2334545