
creating unprivileged lxc container in Buster



Hello all

I have a problem setting up an unprivileged lxc container in Debian Buster.


I try to follow the recommendations from the Debian wiki [1].

1. https://wiki.debian.org/LXC#Unprivileged_container


I created a special lxcuser to own the unprivileged containers:

$ cat  /etc/s*id|grep lxcuser
lxcuser:296608:65536
lxcuser:296608:65536

$ cat .config/lxc/default.conf 
lxc.idmap = u 0 296608 65536
lxc.idmap = g 0 296608 65536

lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 0
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3f:xx:xx:xx

# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1

# sudo setfacl -m u:296608:x /home/lxcuser /home/lxcuser/.local /home/lxcuser/.local/share


But when I try to create a container, I get an error:

$ lxc-create -n cname -t debian -- -r buster
lxc-create: cname: conf.c: chown_mapped_root: 3250 lxc-usernsexec failed: Permission denied - Failed to open tt
lxc-create: cname: tools/lxc_create.c: main: 327 Failed to create container cname


No wonder, as lxc-usernsexec is not working either:

$ lxc-usernsexec
Failed to find subuid or subgid allocation

Am I missing something?

-- 
Best regards, Sergey Spiridonov
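As an added example (not part of the original message), a POSIX shell check that the host-side ranges in the lxc.idmap lines fall inside the owning user's /etc/subuid and /etc/subgid allocations, which is the lookup lxc-usernsexec performs before mapping IDs. The sample data is constructed to mirror the values in the post, and the function names range_fits and check_idmap are mine.

```shell
#!/bin/sh
# Added example (not from the original message): verify that every
# lxc.idmap host-side range fits inside the owning user's subuid/subgid
# allocation, which is what lxc-usernsexec looks up before mapping IDs.
# Sample data below is constructed to mirror the values in the post.

SUBUID_SAMPLE="root:100000:65536
lxcuser:296608:65536"
SUBGID_SAMPLE="root:100000:65536
lxcuser:296608:65536"
CONF_SAMPLE="lxc.idmap = u 0 296608 65536
lxc.idmap = g 0 296608 65536
lxc.apparmor.profile = unconfined"
# A deliberately bad config: the count exceeds the 65536 IDs allocated.
CONF_TOO_LARGE="lxc.idmap = u 0 296608 70000"

# range_fits USER ALLOC_TEXT START COUNT
# Returns 0 when [START, START+COUNT) lies inside one subuid/subgid line
# for USER (format: name:start:count), 1 otherwise.
range_fits() {
    user=$1; alloc=$2; start=$3; count=$4
    end=$((start + count))
    printf '%s\n' "$alloc" | (
        while IFS=: read -r name astart acount; do
            [ "$name" = "$user" ] || continue
            aend=$((astart + acount))
            if [ "$start" -ge "$astart" ] && [ "$end" -le "$aend" ]; then
                exit 0
            fi
        done
        exit 1
    )
}

# check_idmap CONF_TEXT USER SUBUID_TEXT SUBGID_TEXT
# Parses "lxc.idmap = <u|g> <container-start> <host-start> <count>" lines
# and reports each range; returns 1 if any range is not allocated to USER.
check_idmap() {
    conf=$1; user=$2; subuid=$3; subgid=$4
    printf '%s\n' "$conf" | (
        bad=0
        while read -r key eq kind cstart hstart count; do
            [ "$key" = "lxc.idmap" ] || continue
            case $kind in
                u) alloc=$subuid; file=/etc/subuid ;;
                g) alloc=$subgid; file=/etc/subgid ;;
                *) echo "unknown idmap type: $kind"; bad=1; continue ;;
            esac
            last=$((hstart + count - 1))
            if range_fits "$user" "$alloc" "$hstart" "$count"; then
                echo "ok: $kind $hstart-$last is allocated to $user in $file"
            else
                echo "MISSING: $kind $hstart-$last is not allocated to $user in $file"
                bad=1
            fi
        done
        exit "$bad"
    )
}

# Usage on the constructed samples; on a real host pass "$(cat /etc/subuid)",
# "$(cat /etc/subgid)" and "$(cat ~/.config/lxc/default.conf)" instead.
check_idmap "$CONF_SAMPLE" lxcuser "$SUBUID_SAMPLE" "$SUBGID_SAMPLE"
check_idmap "$CONF_TOO_LARGE" lxcuser "$SUBUID_SAMPLE" "$SUBGID_SAMPLE" || echo "fix the mapping before running lxc-create"
```

A mapping that passes this check still needs the files to be readable by the user and the unprivileged_userns_clone sysctl enabled, as the post already shows; the check only rules out a range that lies outside the allocation.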


