Index
- Part 1: Introduction
- Part 2: Basic configuration files
- Part 3: Creating an unprivileged container on Slackware
- Part 4: Scripts overview
- Part 5: Natting example
- Part 6: Migrating to Slackware-current - LXC-6 - cgroup2
- Browse the scripts' folder
- Changelog
Let's see how to manage unprivileged containers on Slackware-current (15.1 to be) as well, which, at the time of writing, ships kernel 6.15.3, lxc-6.0.4 and libcgroups-3.2.0.
My attempts to use cgroup1 failed, but I managed to use cgroup2, even though limits settings are not working inside containers.
First of all, enable cgroup2 in /etc/default/cgroups:
CGROUPS_VERSION=2
Disable the rc.cgconfig and rc.cgred at boot time:
chmod -x /etc/rc.d/rc.cgconfig /etc/rc.d/rc.cgred
I'm not sure that this is mandatory, but let's pass an option to the kernel in order to completely disable cgroup1 by adding the following to lilo.conf, elilo.conf or whatever bootloader configuration you use:
append="cgroup_no_v1=all"
If you want to try to apply resource limits to containers, mount /sys/fs/cgroup with the nsdelegate option by patching /etc/rc.d/rc.S (the mount is at line 96 of the current rc.S; search for the existing cgroup2 mount line rather than trusting the line number, since it moves between Slackware revisions):
- mount -t cgroup2 none /sys/fs/cgroup + mount -t cgroup2 -o rw,nosuid,nodev,noexec,relatime,nsdelegate none /sys/fs/cgroup
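As a post-reboot sanity check for the steps above, here is a small POSIX sh script. It is added here and is not part of the original page or of Slackware's own scripts. It reads the standard kernel interfaces /proc/cmdline, /proc/mounts and /sys/fs/cgroup/cgroup.subtree_control, but every helper takes its input on stdin or as arguments so the logic can be exercised on constructed text without root or a reboot. The script name cgroup2-check.sh is an assumption. The controller check is also an assumption: the page does not say why limits fail inside containers, but in cgroup2 a controller must be enabled in the parent's cgroup.subtree_control before any child cgroup (including the one delegated to the container) can use it, so an empty root subtree_control is one thing worth ruling out.

```sh
#!/bin/sh
# cgroup2-check.sh (assumed name): verify the host-side cgroup2 setup.
# Added example, not from the original page. Helpers take their input on
# stdin or as arguments so they can be tested on constructed text.

# Mount options of the cgroup2 filesystem at /sys/fs/cgroup (text of
# /proc/mounts on stdin). Prints nothing if no such mount exists.
cgroup2_opts() {
    awk '$2 == "/sys/fs/cgroup" && $3 == "cgroup2" { print $4; exit }'
}

# 0 if the comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# 0 if no legacy (v1) cgroup hierarchy is mounted (text of /proc/mounts on stdin).
no_cgroup1_mounts() {
    awk 'BEGIN { v1 = 0 } $3 == "cgroup" { v1 = 1 } END { exit v1 }'
}

# 0 if the kernel command line (text of /proc/cmdline on stdin) carries
# cgroup_no_v1=all, i.e. the append= line from lilo/elilo took effect.
cmdline_disables_v1() {
    tr ' ' '\n' | grep -qx 'cgroup_no_v1=all'
}

# 0 if every controller named in $2.. appears in the space-separated
# controller list $1 (the contents of a cgroup.subtree_control file).
controllers_enabled() {
    list=$1; shift
    for c in "$@"; do
        case " $list " in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Run all checks against the live host; prints one line per check and
# returns 1 if any hard failure was found.
check_host() {
    rc=0
    if cmdline_disables_v1 < /proc/cmdline; then
        echo "ok   kernel booted with cgroup_no_v1=all"
    else
        echo "warn cgroup_no_v1=all not on the kernel command line"
    fi
    if no_cgroup1_mounts < /proc/mounts; then
        echo "ok   no cgroup v1 hierarchies mounted"
    else
        echo "FAIL cgroup v1 hierarchy still mounted (rc.cgconfig still enabled?)"; rc=1
    fi
    opts=$(cgroup2_opts < /proc/mounts)
    if [ -z "$opts" ]; then
        echo "FAIL /sys/fs/cgroup is not a cgroup2 mount"; rc=1
    elif has_opt "$opts" nsdelegate; then
        echo "ok   cgroup2 mounted with nsdelegate ($opts)"
    else
        echo "FAIL cgroup2 mounted without nsdelegate ($opts); patch rc.S"; rc=1
    fi
    # Assumption: controllers must be enabled here before a delegated
    # container cgroup can apply cpu/memory/pids limits to itself.
    subtree=$(cat /sys/fs/cgroup/cgroup.subtree_control 2>/dev/null)
    if controllers_enabled "$subtree" cpu memory pids; then
        echo "ok   cpu, memory and pids controllers enabled in the root subtree"
    else
        echo "warn cpu/memory/pids not all enabled in /sys/fs/cgroup/cgroup.subtree_control"
    fi
    return $rc
}

# Run the live checks only when executed as the script, not when sourced.
case "${0##*/}" in
    cgroup2-check.sh) check_host ;;
esac
```

Run it as `sh cgroup2-check.sh` after rebooting with the new /etc/default/cgroups, the bootloader append line and the patched rc.S; a FAIL line points at the step that did not take effect.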
Replace the contents of /etc/lxc/lxc-common.conf with the following (every lxc.cgroup.* key from the cgroup1 setup becomes lxc.cgroup2.*):
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = lxcbr0
lxc.net.0.name = eth0
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.tty.max = 1
lxc.pty.max = 1024
lxc.cgroup2.devices.deny = a
# /dev/null and zero
lxc.cgroup2.devices.allow = c 1:3 rwm
lxc.cgroup2.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup2.devices.allow = c 5:1 rwm
lxc.cgroup2.devices.allow = c 5:0 rwm
lxc.cgroup2.devices.allow = c 4:0 rwm
lxc.cgroup2.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup2.devices.allow = c 1:9 rwm
lxc.cgroup2.devices.allow = c 1:8 rwm
lxc.cgroup2.devices.allow = c 136:* rwm
lxc.cgroup2.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup2.devices.allow = c 254:0 rwm
# we don't trust even the root user in the container, better safe than sorry.
# comment out only if you know what you're doing.
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap
# you can try also this alternative to the line above, whatever suits you better.
#lxc.cap.drop=sys_admin
# proc & sys, remove from /etc/fstab
lxc.mount.auto = proc:mixed sys:ro cgroup:rw
Next, install LXC from the main branch of the LXC git repository: lxc-6.0.4 has a bug that makes an unprivileged container fail to start with an error like this (visible once you enable debug logging):
Permission denied - Failed to preserve net namespace
The issue has been discussed here and here; this is the commit that fixed it. There is also a thread in the linuxquestions.org Slackware forum here.
Download the source from their git repository and use Pat's SlackBuild to rebuild the Slackware package.
The last issue (I posted a request here) is an error message from the lxc-ls -f command:
# sudo -u owner lxc-ls --fancy
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 31274 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 31274 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 31274 to "net" of 3
NAME      STATE   AUTOSTART GROUPS IPV4     IPV6              UNPRIVILEGED
container RUNNING 0         -      10.0.0.4 fd00:dead:beef::4 false
The container works as expected. I suppressed the error messages by modifying the wrapper scripts lxl and lxi in this way (search and replace wherever lxc-ls or lxc-info appear):
- sudo -u $user lxc-ls --fancy + sudo -u $user lxc-ls --fancy 2>/dev/null
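Review bot: the `2>/dev/null` added to the lxc-ls line discards all of lxc-ls's stderr, not only the three switch_to_ns lines, so a genuinely failing sudo or lxc-ls invocation becomes silent in lxl (and likewise for the lxc-info replacement the text describes). Since the page's own update says the message disappeared in LXC-6.0.5, prefer dropping the redirect once you are on 6.0.5, or filter just the offending message instead of the whole stream.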
Update: this last bug was fixed in LXC-6.0.5.

