[libvirt-users] Problems with user namespaces

Jaka Hudoklin jakahudoklin at gmail.com
Thu Sep 5 19:15:07 UTC 2013


Hello!

I'm testing user namespaces and I have quite some problems getting them to
work.

First of all, I have user namespaces support enabled in kernel:

offlinehacker:~/ $ uname -r
3.10.10
offlinehacker:~/ $ ls /proc/self/ns/
ipc@  mnt@  net@  pid@  user@  uts@

I created a simple Ubuntu rootfs, and when I start the container without idmap,
i.e. without user namespace mappings, it works just fine:

Libvirt config:

<domain type='lxc'>
  <name>helloworld</name>
  <memory>102400</memory>
  <os>
    <type>exe</type>
    <init>/bin/dash</init>
  </os>
  <!--<idmap>
    <uid start='0' target='499' count='10'/>
    <gid start='0' target='100' count='10'/>
  </idmap>-->
  <devices>
    <console type='pty'/>
    <filesystem type='mount'>
      <source dir='/home/offlinehacker/rootfs'/>
      <target dir='/'/>
    </filesystem>
  </devices>
</domain>

This is what my rootfs looks like:

offlinehacker:~/ $ ls -la rootfs
drwxr-xr-x 23 offlinehacker users          4096 sep  5 19:06 ./
drwxr-xr-x 59 offlinehacker users          4096 sep  5 19:06 ../
drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:11 bin/
drwxr-xr-x  3 offlinehacker users          4096 avg 27 14:11 boot/
drwxr-xr-x  4 offlinehacker users          4096 avg 27 14:11 dev/
drwxr-xr-x 86 offlinehacker users          4096 sep  5 18:20 etc/
drwxr-xr-x  3 offlinehacker users          4096 avg 27 14:11 home/
lrwxrwxrwx  1 offlinehacker users            33 avg 27 14:10 initrd.img -> /boot/initrd.img-3.2.0-52-virtual
drwxr-xr-x 18 offlinehacker users          4096 avg 27 14:10 lib/
drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:10 lib64/
drwx------  2 offlinehacker users          4096 avg 27 14:11 lost+found/
drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:09 media/
drwxr-xr-x  2 offlinehacker users          4096 apr 19  2012 mnt/
drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:09 opt/
-rw-r--r--  1 offlinehacker vboxusers 231671365 avg 27 14:12 precise-server-cloudimg-amd64-root.tar.gz
drwxr-xr-x  2 offlinehacker users          4096 apr 19  2012 proc/
drwx------  2 offlinehacker users          4096 sep  3 23:47 root/
drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:11 run/
drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:11 sbin/
drwxr-xr-x  2 offlinehacker users          4096 mar  5  2012 selinux/
drwxr-xr-x  2 offlinehacker users          4096 avg 27 14:09 srv/
drwxr-xr-x  2 offlinehacker users          4096 apr 14  2012 sys/
drwxrwxrwt  2 offlinehacker users          4096 sep  4 01:39 tmp/
drwxr-xr-x 10 offlinehacker users          4096 avg 27 14:09 usr/
drwxr-xr-x 12 offlinehacker users          4096 sep  5 18:10 var/
lrwxrwxrwx  1 offlinehacker users            29 avg 27 14:10 vmlinuz -> boot/vmlinuz-3.2.0-52-virtual

And this is who I am:
offlinehacker:~/ $ id
uid=499(offlinehacker) gid=67(libvirtd)
groups=100(users),1(wheel),57(networkmanager),67(libvirtd)

When I create the container with idmap uncommented I get the following
error:

offlinehacker:~/ $ virsh -c lxc:/// create helloworld.xml
error: Failed to create domain from helloworld.xml
error: internal error: guest failed to start: 2013-09-05 19:08:57.781+0000: 19036: debug

And these are the logs:
sep 05 19:08:52 laptop libvirtd[1542]: server=0x7fc8a60ddd60 client=0x7fc8a60e68d0 msg=0x7fc8a60e9380 rerr=0x7fc89a32cd40 args=0x7fc88800b4a0 ret=0x7fc88800a1c0
sep 05 19:08:52 laptop libvirtd[1542]: priv=0x7fc8a60e91f0 conn=(nil)
sep 05 19:08:52 laptop libvirtd[1542]: name=lxc:///
sep 05 19:08:57 laptop libvirtd[1542]: Cannot recv data: Connection reset by peer
sep 05 19:08:58 laptop libvirtd[1542]: internal error: guest failed to start: 2013-09-05 19:08:57.781+0000: 19036: debug

It looks like .oldroot, dev, proc and sys get created with mapped
permissions (499:100), but the container fails to start.

Any help or direction on how to get this working would be appreciated.
Thanks, Jaka Hudoklin!