[libvirt-users] Problems with user namespaces

Gao feng gaofeng at cn.fujitsu.com
Fri Sep 6 01:41:49 UTC 2013


On 09/06/2013 03:15 AM, Jaka Hudoklin wrote:
> Hello!
> 
> I'm testing user namespaces and I have quite some problem getting them to work.
> 
> First of all, I have user namespaces support enabled in kernel:
> 
> offlinehacker:~/ $ uname -r
> 3.10.10
> offlinehacker:~/ $ ls /proc/self/ns/
> ipc@  mnt@  net@  pid@  user@  uts@
> 
> I created simple ubuntu rootfs and when I start container without idmap, so without user namespace mappings, it works just fine:
> 
> Libivrt config:
> 
> <domain type='lxc'>
>   <name>helloworld</name>
>   <memory>102400</memory>
>   <os>
>     <type>exe</type>
>     <init>/bin/dash</init>
>   </os>
>   <!--<idmap>
>     <uid start='0' target='499' count='10'/>
>     <gid start='0' target='100' count='10'/>
>   </idmap>-->
>   <devices>
>     <console type='pty'/>
>     <filesystem type='mount'>
>       <source dir='/home/offlinehacker/rootfs'/>
>       <target dir='/'/>
>     </filesystem>
>   </devices>
> </domain>
> 

Your configuration looks good.

> This is how my rootfs looks like:
> 
> offlinehacker:~/ $ ls -la rootfs
> drwxr-xr-x 23 offlinehacker users          4096 sep  5 19:06 ./
> drwxr-xr-x 59 offlinehacker users          4096 sep  5 19:06 ../
> drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:11 bin/
> drwxr-xr-x  3 offlinehacker users          4096 avg 27 14:11 boot/
> drwxr-xr-x  4 offlinehacker users          4096 avg 27 14:11 dev/
> drwxr-xr-x 86 offlinehacker users          4096 sep  5 18:20 etc/
> drwxr-xr-x  3 offlinehacker users          4096 avg 27 14:11 home/
> lrwxrwxrwx  1 offlinehacker users            33 avg 27 14:10 initrd.img -> /boot/initrd.img-3.2.0-52-virtual
> drwxr-xr-x 18 offlinehacker users          4096 avg 27 14:10 lib/
> drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:10 lib64/
> drwx------  2 offlinehacker users          4096 avg 27 14:11 lost+found/
> drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:09 media/
> drwxr-xr-x  2 offlinehacker users          4096 apr 19  2012 mnt/
> drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:09 opt/
> -rw-r--r--  1 offlinehacker vboxusers 231671365 avg 27 14:12 precise-server-cloudimg-amd64-root.tar.gz
> drwxr-xr-x  2 offlinehacker users          4096 apr 19  2012 proc/
> drwx------  2 offlinehacker users          4096 sep  3 23:47 root/
> drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:11 run/
> drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:11 sbin/
> drwxr-xr-x  2 offlinehacker users          4096 mar  5  2012 selinux/
> drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:09 srv/
> drwxr-xr-x  2 offlinehacker users          4096 apr 14  2012 sys/
> drwxrwxrwt  2 offlinehacker users          4096 sep  4 01:39 tmp/
> drwxr-xr-x 10 offlinehacker users          4096 avg 27 14:09 usr/
> drwxr-xr-x 12 offlinehacker users          4096 sep  5 18:10 var/
> lrwxrwxrwx  1 offlinehacker users            29 avg 27 14:10 vmlinuz -> boot/vmlinuz-3.2.0-52-virtual
> 
> And this is who I am:
> offlinehacker:~/ $ id
> uid=499(offlinehacker) gid=67(libvirtd) groups=100(users),1(wheel),57(networkmanager),67(libvirtd)

Can this user exec //home/offlinehacker/rootfs/bin/dash successfully?

> 
> When I create the container with idmap uncommented I get the following error:
> 
> offlinehacker:~/ $ virsh -c lxc:/// create helloworld.xml
> error: Failed to create domain from helloworld.xml
> error: internal error: guest failed to start: 2013-09-05 19:08:57.781+0000: 19036: debug
> 
> And these are the logs:
> sep 05 19:08:52 laptop libvirtd[1542]: server=0x7fc8a60ddd60 client=0x7fc8a60e68d0 msg=0x7fc8a60e9380 rerr=0x7fc89a32cd40 args=0x7fc88800b4a0 ret=0x7fc88800a1c0
> sep 05 19:08:52 laptop libvirtd[1542]: priv=0x7fc8a60e91f0 conn=(nil)
> sep 05 19:08:52 laptop libvirtd[1542]: name=lxc:///
> sep 05 19:08:57 laptop libvirtd[1542]: Cannot recv data: Connection reset by peer
> sep 05 19:08:58 laptop libvirtd[1542]: internal error: guest failed to start: 2013-09-05 19:08:57.781+0000: 19036: debug
> 
> Looks like .oldroot, dev, proc and sys gets created with mapped permissions(499:100), but container fails to start.
> 

Please enable debug mode, I need more information.

http://libvirt.org/logging.html

Thanks

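One way to check a rootfs against the `<idmap>` in question before looking at libvirt's debug logs, as an added example that is not part of the mailing-list thread and not libvirt's own code: it parses the `<idmap>` element of the domain XML above (with the comment markers removed), applies the container/host uid and gid translation that such a mapping implies, and lists files whose host owner is outside the mapped range. Inside the user namespace those files are seen with the kernel's overflow id (65534, "nobody"), which is a common reason a container that starts fine without `<idmap>` fails once the mapping is enabled. The `SAMPLE_ENTRIES` list and its numeric gids (for `vboxusers` and a system user) are constructed for the example; `walk_rootfs` does the same audit against a real directory.

```python
"""Audit which files in an LXC rootfs fall outside a libvirt <idmap> mapping.

Added example, not code from the post or from libvirt.  libvirt's <idmap>
semantics: 'start' is the first id inside the container, 'target' the first id
on the host, 'count' how many consecutive ids are mapped.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Kernel default for /proc/sys/kernel/overflowuid and overflowgid: what an
# unmapped host id looks like from inside the user namespace.
OVERFLOW_ID = 65534

# Domain XML from the post, with the <idmap> block uncommented.
DOMAIN_XML = """<domain type='lxc'>
  <name>helloworld</name>
  <memory>102400</memory>
  <os>
    <type>exe</type>
    <init>/bin/dash</init>
  </os>
  <idmap>
    <uid start='0' target='499' count='10'/>
    <gid start='0' target='100' count='10'/>
  </idmap>
  <devices>
    <console type='pty'/>
    <filesystem type='mount'>
      <source dir='/home/offlinehacker/rootfs'/>
      <target dir='/'/>
    </filesystem>
  </devices>
</domain>"""

# Constructed sample of (path, host uid, host gid) resembling the ls -la
# output in the post.  The gids 1001 (vboxusers) and 4, and the uid 104, are
# made-up values for the example.
SAMPLE_ENTRIES = [
    ("/", 499, 100),
    ("/bin/dash", 499, 100),
    ("/precise-server-cloudimg-amd64-root.tar.gz", 499, 1001),
    ("/var/log/syslog", 104, 4),
]


def parse_idmap(xml_text):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]} from domain XML."""
    root = ET.fromstring(xml_text)
    maps = {"uid": [], "gid": []}
    for kind in maps:
        for el in root.findall(f"./idmap/{kind}"):
            maps[kind].append(
                (int(el.get("start")), int(el.get("target")), int(el.get("count")))
            )
    return maps


def host_to_container(host_id, entries):
    """Translate a host id into the container's view; OVERFLOW_ID if unmapped."""
    for start, target, count in entries:
        if target <= host_id < target + count:
            return start + (host_id - target)
    return OVERFLOW_ID


def container_to_host(container_id, entries):
    """Translate a container id to the host; None if the container cannot use it."""
    for start, target, count in entries:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def audit_entries(entries, maps):
    """Return (path, container_uid, container_gid) for entries that do not map."""
    flagged = []
    for path, uid, gid in entries:
        cuid = host_to_container(uid, maps["uid"])
        cgid = host_to_container(gid, maps["gid"])
        if OVERFLOW_ID in (cuid, cgid):
            flagged.append((path, cuid, cgid))
    return flagged


def walk_rootfs(rootfs):
    """Yield (relative path, uid, gid) for every entry under rootfs, without following links."""
    st = os.lstat(rootfs)
    yield ("/", st.st_uid, st.st_gid)
    for dirpath, dirnames, filenames in os.walk(rootfs):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            yield ("/" + os.path.relpath(full, rootfs), st.st_uid, st.st_gid)


if __name__ == "__main__":
    idmap = parse_idmap(DOMAIN_XML)
    entries = walk_rootfs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for path, cuid, cgid in audit_entries(entries, idmap):
        print(f"{path}: seen in container as {cuid}:{cgid}")
```

Run with a rootfs path to audit a real tree, or with no argument to see the constructed sample flagged. With `count='10'` only container ids 0 to 9 exist; `container_to_host(33, ...)` returning `None` shows why an image whose files belong to ordinary system users (uid 33 and the like) needs a wider range before it can be owned correctly inside the namespace.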