I am new to lxc and just signed up to this mailing list.
As root I have created an lxc container and installed code-insiders to
run Visual Studio Code inside the container.
After reading an article I added the following lines to the container's
config and verified that the UID/GID match the host user's UID/GID:
# Container's UID/GID 0-65535 are mapped to host's 100000-165535,
# but UID/GID 1000 on the container is mapped to host's UID/GID 1000.
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 1001 101001 64535
When I try as the user with UID 1000 to start the container I get:
lxc-start -n VisualStudioCode -F
lxc-start: VisualStudioCode: tools/lxc_start.c: main: 214 You lack access to /home/peter/.local/share/lxc
When I try as root to start the container I get:
lxc-start -n VisualStudioCode -F
lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
lxc-start: VisualStudioCode: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [0-1000) -> [100000-101000) not allowed": newuidmap 26576 0 100000 1000 1000 1000 1 1001 101001 64535
lxc-start: VisualStudioCode: start.c: lxc_spawn: 1720 Failed to set up id mapping.
lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
lxc-start: VisualStudioCode: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [0-1000) -> [100000-101000) not allowed": newuidmap 26612 0 100000 1000 65536 0 1
lxc-start: VisualStudioCode: conf.c: userns_exec_1: 4391 Error setting up {g,u}id mappings for child process "26612"
lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
I am running Debian Buster with lxc version 3.1.0.
Obviously I am doing something wrong in my configuration or how I use lxc.
Any help would be appreciated.
Best regards,
Peter Carlsson
How did you create it as root, exactly?
> run Visual Studio Code inside the container.
>
> After reading an article I added the following lines to the container's
> config and verified that the UID/GID match the host user's UID/GID:
>
> # Container's UID/GID 0-65535 are mapped to host's 100000-165535,
> # but UID/GID 1000 on the container is mapped to host's UID/GID 1000.
> lxc.idmap = u 0 100000 1000
> lxc.idmap = g 0 100000 1000
> lxc.idmap = u 1000 1000 1
> lxc.idmap = g 1000 1000 1
> lxc.idmap = u 1001 101001 64535
> lxc.idmap = g 1001 101001 64535
>
> When I try as the user with UID 1000 to start the container I get:
>
> lxc-start -n VisualStudioCode -F
> lxc-start: VisualStudioCode: tools/lxc_start.c: main: 214 You lack access to /home/peter/.local/share/lxc
Check the ownership and permissions on each directory in the path /home/peter/.local/share/lxc
Give them all o+x so that your subuids can descend them.
>
> When I try as root to start the container I get:
>
> lxc-start -n VisualStudioCode -F
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> lxc-start: VisualStudioCode: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [0-1000) -> [100000-101000) not allowed": newuidmap 26576 0 100000 1000 1000 1000 1 1001 101001 64535
> lxc-start: VisualStudioCode: start.c: lxc_spawn: 1720 Failed to set up id mapping.
This is probably because you'd need /etc/subid and /etc/subgid
mappings for the root user to use your ranges. But it's best
to get it running as non-root.
> lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> lxc-start: VisualStudioCode: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [0-1000) -> [100000-101000) not allowed": newuidmap 26612 0 100000 1000 65536 0 1
> lxc-start: VisualStudioCode: conf.c: userns_exec_1: 4391 Error setting up {g,u}id mappings for child process "26612"
> lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
>
> I am running Debian Buster with lxc version 3.1.0.
>
> Obviously I am doing something wrong in my configuration or how I use lxc.
>
> Any help would be appreciated.
>
> Best regards,
> Peter Carlsson
> _______________________________________________
> lxc-users mailing list
> lxc-...@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
> > run Visual Studio Code inside the container.
> >
> > After reading an article I added the following lines to the container's
> > config and verified that the UID/GID match the host user's UID/GID:
> >
> > # Container's UID/GID 0-65535 are mapped to host's 100000-165535,
> > # but UID/GID 1000 on the container is mapped to host's UID/GID 1000.
> > lxc.idmap = u 0 100000 1000
> > lxc.idmap = g 0 100000 1000
> > lxc.idmap = u 1000 1000 1
> > lxc.idmap = g 1000 1000 1
> > lxc.idmap = u 1001 101001 64535
> > lxc.idmap = g 1001 101001 64535
> >
> > When I try as the user with UID 1000 to start the container I get:
> >
> > lxc-start -n VisualStudioCode -F
> > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 214 You lack access to /home/peter/.local/share/lxc
>
> Check the ownership and permissions on each directory in the path /home/peter/.local/share/lxc
> Give them all o+x so that your subuids can descend them.
Both /home/peter/.local/share/lxc and /root/.local/share/lxc do not
exist.
> >
> > When I try as root to start the container I get:
> >
> > lxc-start -n VisualStudioCode -F
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> > lxc-start: VisualStudioCode: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [0-1000) -> [100000-101000) not allowed": newuidmap 26576 0 100000 1000 1000 1000 1 1001 101001 64535
> > lxc-start: VisualStudioCode: start.c: lxc_spawn: 1720 Failed to set up id mapping.
>
> This is probably because you'd need /etc/subid and /etc/subgid
> mappings for the root user to use your ranges. But it's best
> to get it running as non-root.
Those files do not even exist. Should I create them manually, or are
they part of the lxc installation?
I also notice that in the output above there are two / in the paths
after unified. Is that only in the output or is it an error?
> > lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> > lxc-start: VisualStudioCode: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [0-1000) -> [100000-101000) not allowed": newuidmap 26612 0 100000 1000 65536 0 1
> > lxc-start: VisualStudioCode: conf.c: userns_exec_1: 4391 Error setting up {g,u}id mappings for child process "26612"
> > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> >
> > I am running Debian Buster with lxc version 3.1.0.
> >
> > Obviously I am doing something wrong in my configuration or how I use lxc.
> >
> > Any help would be appreciated.
> >
> > Best regards,
> > Peter Carlsson
Thanks for your help!
/Peter
If you did that as root, it should create the container under
/var/lib/lxc/VisualStudioCode.
> > > run Visual Studio Code inside the container.
> > >
> > > After reading an article I added the following lines to the container's
> > > config and verified that the UID/GID match the host user's UID/GID:
So you added this to /var/lib/lxc/VisualStudioCode/config ?
> > > # Container's UID/GID 0-65535 are mapped to host's 100000-165535,
> > > # but UID/GID 1000 on the container is mapped to host's UID/GID 1000.
> > > lxc.idmap = u 0 100000 1000
> > > lxc.idmap = g 0 100000 1000
> > > lxc.idmap = u 1000 1000 1
> > > lxc.idmap = g 1000 1000 1
> > > lxc.idmap = u 1001 101001 64535
> > > lxc.idmap = g 1001 101001 64535
> > >
> > > When I try as the user with UID 1000 to start the container I get:
> > >
> > > lxc-start -n VisualStudioCode -F
> > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 214 You lack access to /home/peter/.local/share/lxc
> > Check the ownership and permissions on each directory in the path /home/peter/.local/share/lxc
> > Give them all o+x so that your subuids can descend them.
>
> Both /home/peter/.local/share/lxc and /root/.local/share/lxc do not
> exist.
If you want to run the container unprivileged, and you should, then
the easiest way is to create the container unprivileged from the
start, that is, as your non-root user.
> > > When I try as root to start the container I get:
> > >
> > > lxc-start -n VisualStudioCode -F
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-1"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-2"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-3"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: mkdir_eexist_on_last: 1219 File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: create_path_for_hierarchy: 1243 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> > > lxc-start: VisualStudioCode: cgroups/cgfsng.c: cgfsng_payload_create: 1321 Failed to create cgroup "/sys/fs/cgroup/unified//lxc/VisualStudioCode-4"
> > > lxc-start: VisualStudioCode: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [0-1000) -> [100000-101000) not allowed": newuidmap 26576 0 100000 1000 1000 1000 1 1001 101001 64535
> > > lxc-start: VisualStudioCode: start.c: lxc_spawn: 1720 Failed to set up id mapping.
> >
> > This is probably because you'd need /etc/subid and /etc/subgid
> > mappings for the root user to use your ranges. But it's best
> > to get it running as non-root.
>
> Those files do not even exist. Should I create them manually, or are
> they part of the lxc installation?
Try running
sudo usermod -v 100000-200000 -w 100000-200000 peter
does that result in /etc/subuid and /etc/subgid containing something
like
peter:100000:100000
?
> I also notice that in the output above there are two / in the paths
> after unified. Is that only in the output or is it an error?
_Probably_ an error in lxc's output.
> > > lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> > > lxc-start: VisualStudioCode: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [0-1000) -> [100000-101000) not allowed": newuidmap 26612 0 100000 1000 65536 0 1
> > > lxc-start: VisualStudioCode: conf.c: userns_exec_1: 4391 Error setting up {g,u}id mappings for child process "26612"
> > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> > > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> > >
> > > I am running Debian Buster with lxc version 3.1.0.
> > >
> > > Obviously I am doing something wrong in my configuration or how I use lxc.
> > >
> > > Any help would be appreciated.
> > >
> > > Best regards,
> > > Peter Carlsson
>
> Thanks for your help!
>
> /Peter
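Added example, not from the thread: a small shell check that ties together the two points above, that root needs /etc/subuid and /etc/subgid entries for the ranges in lxc.idmap, and that usermod -v/-w is what creates such entries for a user. It reads the lxc.idmap lines of a container config and tests each host range against the subordinate-id files, the way newuidmap/newgidmap do before writing the mapping; the sample config and subordinate files it writes are constructed copies of the ones in this thread, and it assumes the simplified rule that a mapping must fit inside a single entry.

```shell
#!/bin/sh
# Added example (not from the thread): check that every lxc.idmap line in a
# container config is backed by a /etc/subuid or /etc/subgid entry for the
# user who runs lxc-start. newuidmap/newgidmap apply that rule when the user
# namespace is set up; "uid range [..) -> [..) not allowed" is the failure.
# Simplification (assumption): a mapping must fit inside ONE subordinate entry.

# range_allowed USER SUBFILE START COUNT
# True when [START, START+COUNT) lies inside one "USER:start:count" entry.
range_allowed() {
    local user="$1" subfile="$2" start="$3" count="$4"
    [ -r "$subfile" ] || return 1          # no file at all: nothing is allowed
    awk -F: -v u="$user" -v s="$start" -v c="$count" '
        $1 == u && ($2 + 0) <= (s + 0) && (s + c) <= ($2 + $3) { found = 1 }
        END { exit (found ? 0 : 1) }' "$subfile"
}

# check_idmap USER CONFIG SUBUID SUBGID
# Prints a verdict per lxc.idmap line; returns 0 only if every range is allowed.
check_idmap() {
    local user="$1" config="$2" subuid="$3" subgid="$4"
    local rc=0 type ns_start host_start count subfile
    while read -r type ns_start host_start count; do
        case "$type" in
            u) subfile="$subuid" ;;
            g) subfile="$subgid" ;;
            *) continue ;;                 # blank line or malformed entry
        esac
        if range_allowed "$user" "$subfile" "$host_start" "$count"; then
            printf 'ok      %s [%s-%s) -> [%s-%s)\n' "$type" "$ns_start" \
                "$((ns_start + count))" "$host_start" "$((host_start + count))"
        else
            printf 'DENIED  %s [%s-%s) -> [%s-%s): no entry for %s in %s\n' \
                "$type" "$ns_start" "$((ns_start + count))" "$host_start" \
                "$((host_start + count))" "$user" "$subfile"
            rc=1
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$config")
EOF
    return "$rc"
}

# setup_demo_files DIR: write CONSTRUCTED copies of the thread's two setups
# (sample data under DIR, not the real /etc files).
setup_demo_files() {
    local dir="$1"
    # 1) The root-created container with the first idmap from the thread;
    #    root has no subordinate ids, so both files are empty.
    cat > "$dir/root.conf" <<'EOF'
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 1001 101001 64535
EOF
    : > "$dir/subuid.root"
    : > "$dir/subgid.root"
    # 2) The unprivileged setup after "usermod -v 100000-200000 -w ... peter".
    cat > "$dir/peter.conf" <<'EOF'
lxc.net.0.type = veth
lxc.idmap = u 0 100000 100001
lxc.idmap = g 0 100000 100001
EOF
    printf 'peter:100000:100001\n' > "$dir/subuid"
    printf 'peter:100000:100001\n' > "$dir/subgid"
}

demo() {
    local dir
    dir=$(mktemp -d)
    setup_demo_files "$dir"
    echo '# root-created container, root has no subordinate ids:'
    check_idmap root "$dir/root.conf" "$dir/subuid.root" "$dir/subgid.root" || true
    echo '# unprivileged container started by peter:'
    check_idmap peter "$dir/peter.conf" "$dir/subuid" "$dir/subgid" || true
    rm -rf "$dir"
}

demo
```

Point it at a real setup with `check_idmap "$USER" ~/.local/share/lxc/NAME/config /etc/subuid /etc/subgid` before running lxc-start.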
Hello again!
Thanks for your help.
I decided to start fresh and create the container as unprivileged. I
therefore deleted the old thread.
Here is basically what I did:
As root:
usermod -v 100000-200000 -w 100000-200000 peter
cat /etc/subuid
peter:100000:100001
cat /etc/subgid
peter:100000:100001
nano /etc/sysctl.conf
# Added by Peter Carlsson 2021-02-10 for lxc
kernel.unprivileged_userns_clone=1
nano /etc/default/lxc-net
#USE_LXC_BRIDGE="true"
nano /etc/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
As user peter:
mkdir /home/peter/.config/lxc
nano /home/peter/.config/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 100000 100001
lxc.idmap = g 0 100000 100001
I don't know if this was necessary, but I ran this after reading a link found on Google:
lxc-usernsexec
lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
lxc-start -n VisualStudioCode -F
lxc-start: VisualStudioCode: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requested network: No such file or directory - Failed to open "/etc/lxc/lxc-usernet"
cmd/lxc_user_nic.c: 1296: main: Quota reached
lxc-start: VisualStudioCode: start.c: lxc_spawn: 1777 Failed to create the configured network
lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
What should I put in /etc/lxc/lxc-usernet?
Do you see something else I have missed or should have done differently?
Note that I had the network working for the container created by root.
Best regards,
Peter Carlsson
This all looks good.
> I don't know if this was necessary, but I ran this after reading a link found on Google:
>
> lxc-usernsexec
Sorry I'm not following here. lxc-usernsexec without any arguments
will put you in a shell in a user namespace. I assume you exited that
before going on with lxc-create, right?
> lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
>
> lxc-start -n VisualStudioCode -F
>
> lxc-start: VisualStudioCode: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requested network: No such file or directory - Failed to open "/etc/lxc/lxc-usernet"
> cmd/lxc_user_nic.c: 1296: main: Quota reached
> lxc-start: VisualStudioCode: start.c: lxc_spawn: 1777 Failed to create the configured network
> lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
>
> What should I put in /etc/lxc/lxc-usernet?
cat << EOF | sudo tee /etc/lxc/lxc-usernet
# USERNAME TYPE BRIDGE COUNT
peter veth lxcbr0 10
EOF
> Do you see something else I have missed or should have done differently?
Not offhand. But do make sure that lxc-net is running, i.e. make sure
that 'brctl show' shows lxcbr0
> Note that I had the network working for the container created by root.
>
> Best regards,
> Peter Carlsson
Never mind. To try to solve my problems I googled and tried out
different advice, but this was something I don't think I did anything
successful with.
> > lxc-create -t download -n VisualStudioCode -- -d debian -r buster -a amd64
> >
> > lxc-start -n VisualStudioCode -F
> >
> > lxc-start: VisualStudioCode: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requested network: No such file or directory - Failed to open "/etc/lxc/lxc-usernet"
> > cmd/lxc_user_nic.c: 1296: main: Quota reached
> > lxc-start: VisualStudioCode: start.c: lxc_spawn: 1777 Failed to create the configured network
> > lxc-start: VisualStudioCode: start.c: __lxc_start: 1951 Failed to spawn container "VisualStudioCode"
> > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 330 The container failed to start
> > lxc-start: VisualStudioCode: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> >
> > What should I put in /etc/lxc/lxc-usernet?
>
> cat << EOF | sudo tee /etc/lxc/lxc-usernet
> # USERNAME TYPE BRIDGE COUNT
> peter veth lxcbr0 10
> EOF
>
> > Do you see something else I have missed or should have done differently?
>
> Not offhand. But do make sure that lxc-net is running, i.e. make sure
> that 'brctl show' shows lxcbr0
>
> > Note that I had the network working for the container created by root.
Now I have also done these things and had some progress:
systemctl enable lxc-net
systemctl start lxc-net
nano /etc/lxc/lxc-usernet
# USERNAME TYPE BRIDGE COUNT
peter veth lxcbr0 10
chmod 755 /home/peter/.local/share/
chmod 755 /home/peter/.local/share/lxc/
lxc-start -n VisualStudioCode -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...
For me it is not obvious what my next step should be. Any help would be
serge@sl /etc/pam.d$ dpkg -l | grep cgfs
ii libpam-cgfs 1:4.0.3+master~20200706-1105-0ubuntu1~eoan amd64 PAM module for managing cgroups for LXC
Do you have something like this? If so, then /etc/pam.d/common-session should have
a line like
common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
which is what should delegate the cgroups you need to create containers.
-serge
dpkg -l libpam-cgfs
ii libpam-cgfs 1:3.1.0+really3.0.3-8 i386 PAM module for managing cgroups for LXC
My /etc/pam.d/common-session already had a similar line (the last one)
but I added your suggestion as well.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
session optional pam_cgfs.so -c freezer,memory,name=systemd
# end of pam-auth-update config
# Added by Peter Carlsson 2021-02-12 for lxc
common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
I also ran pam-auth-update as suggested in the file but I still get:
lxc-start -n VisualStudioCode -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...
Thanks for all your help!
Best regards,
Peter Carlsson
I decided to remove the line from /etc/pam.d/common-session again since
I think the line you were suggesting was already in the file.
But still the same error message.
Do you see any errors in the permissions below? I want to be sure before
I change permissions in system folders.
# ls -l /sys/fs/cgroup/systemd/
totalt 0
-rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.clone_children
-rw-r--r-- 1 root root 0 feb 17 22:30 cgroup.procs
-r--r--r-- 1 root root 0 feb 15 23:29 cgroup.sane_behavior
drwxr-xr-x 2 root root 0 feb 15 23:29 docker
drwxr-xr-x 2 root root 0 feb 15 23:29 init.scope
drwxr-xr-x 8 root root 0 feb 15 23:29 lxc
-rw-r--r-- 1 root root 0 feb 15 23:29 notify_on_release
-rw-r--r-- 1 root root 0 feb 15 23:29 release_agent
drwxr-xr-x 151 root root 0 feb 17 22:09 system.slice
-rw-r--r-- 1 root root 0 feb 15 23:29 tasks
drwxr-xr-x 9 root root 0 feb 15 23:29 user
drwxr-xr-x 3 root root 0 feb 17 21:24 user.slice
# ls -l /sys/fs/cgroup/systemd/lxc/
totalt 0
-rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.clone_children
-rw-r--r-- 1 root root 0 feb 15 23:29 cgroup.procs
-rw-r--r-- 1 root root 0 feb 15 23:29 notify_on_release
-rw-r--r-- 1 root root 0 feb 15 23:29 tasks
drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode
drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-1
drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-2
drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-3
drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-4
drwxr-xr-x 2 root root 0 feb 15 23:29 VisualStudioCode-5
Best regards,
Peter Carlsson
(Sorry for the delay)
> I decided to remove the line from /etc/pam.d/common-session again since
> I think the line you were suggesting was already in the file.
Yeah you don't want it twice.
On my laptop, my unprivileged container has:
cat /proc/3773/cgroup
12:net_cls,net_prio:/
11:pids:/user.slice/user-1000.slice/session-2.scope
10:hugetlb:/
9:memory:/user.slice/user-1000.slice/session-2.scope
8:cpu,cpuacct:/user.slice
7:blkio:/user.slice
6:freezer:/user/serge/0/lxc.payload.mail
5:rdma:/
4:perf_event:/
3:cpuset:/
2:devices:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
0::/user.slice/user-1000.slice/session-2.scope
So the systemd cgroup is
/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
where the first part
/user.slice/user-1000.slice/session-2.scope
was inherited from my login shell, and
serge@sl ~$ ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope/
total 0
-rw-r--r-- 1 root root 0 Feb 17 23:16 cgroup.clone_children
-rw-r--r-- 1 root root 0 Feb 17 23:16 cgroup.procs
drwxr-xr-x 2 serge serge 0 Feb 1 08:32 lxc.monitor.mail
drwxrwxr-x 5 serge 100000 0 Feb 1 08:32 lxc.payload.mail
drwxr-xr-x 2 serge serge 0 Feb 9 22:13 lxc.pivot
-rw-r--r-- 1 root root 0 Feb 17 23:16 notify_on_release
-rw-r--r-- 1 root root 0 Feb 17 23:16 tasks
-serge
No problem. I really appreciate all your help!
> > I decided to remove the line from /etc/pam.d/common-session again since
> > I think the line you were suggesting was already in the file.
>
> Yeah you don't want it twice.
>
> > But still the same error message.
>
I finally got it working by changing the permissions!
ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
totalt 0
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.clone_children
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.procs
drwxr-x--- 2 peter peter 0 feb 17 22:23 lxc
-rw-r--r-- 1 root root 0 feb 18 16:11 notify_on_release
-rw-r--r-- 1 root root 0 feb 18 16:11 tasks
chown peter:100000 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/lxc
ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
totalt 0
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.clone_children
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.procs
drwxr-x--- 2 peter 100000 0 feb 17 22:23 lxc
-rw-r--r-- 1 root root 0 feb 18 16:11 notify_on_release
-rw-r--r-- 1 root root 0 feb 18 16:11 tasks
Do you think this problem was caused by not having the correct settings
when I initially created the container or could I have prevented this in
any way?
Just to encounter the next problem... But maybe that has not so much to
do about lxc specifically.
I want to run Visual Studio Code inside the lxc container.
After I have done a lxc-attach and installed Visual Studio Code and all
dependencies I run this command:
code-insiders --user-data-dir /home/peter
Nothing shows and my guess is that I somehow need to tell the lxc
container to export the visual presentation to the host?
/Peter
Oh. Yes, it's possible. This points to a limitation in how we are
doing the cgroup handling - it should be perfectly fine for you to
create several unprivileged containers with disjoint subids. But
this suggests that the second such container would fail.
@Christian ^ I haven't tested, but we may want to think about this.
If it is a problem, maybe we should use acls.
> Just to encounter the next problem... But maybe that has not so much to
> do about lxc specifically.
>
> I want to run Visual Studio Code inside the lxc container.
>
> After I have done a lxc-attach and installed Visual Studio Code and all
> dependencies I run this command:
>
> code-insiders --user-data-dir /home/peter
>
> Nothing shows and my guess is that I somehow need to tell the lxc
> container to export the visual presentation to the host?
Yes, exactly. A good example from Stéphane is here:
https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
-serge
After creating some missing directories and adjusting the privileges, I
got this working too!