Unprivileged containers in Debian sid

When building OpenXT I needed an LXC container to use as a build machine.  I wanted to start looking at unprivileged containers, and it took a while to get them working.  There are still some limitations in what I got working, but it took long enough that I figured I would blog what I did, both to remind myself and to assist others.

Versions in use (you will need the experimental repo for these):

  • lxc 1.0.7-1
  • systemd 219-4
  • uidmap 4.2-3

The main issue I hit with unprivileged containers is that the cgroups are set up incorrectly at boot: the login shell is not placed in a cgroup owned by the user, and an unprivileged container needs a user-owned cgroup in every hierarchy.  A quick look shows the following:

aikidoka@buildPC:~$ cat /proc/self/cgroup
8:cpuset:/
7:net_cls,net_prio:/
6:perf_event:/
5:cpu,cpuacct:/
4:blkio:/
3:devices:/user.slice
2:freezer:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope

This should look more like:

aikidoka@buildPC:~$ cat /proc/self/cgroup
8:cpuset:/aikidoka
7:net_cls,net_prio:/aikidoka
6:perf_event:/aikidoka
5:cpu,cpuacct:/aikidoka
4:blkio:/aikidoka
3:devices:/aikidoka
2:freezer:/aikidoka
1:name=systemd:/aikidoka

After some searching I was able to find a script that fixes this for the currently open shell.  It needs sudo, because creating the per-user directory in each hierarchy and handing it to the user requires root; the final write to tasks is done as the user, which only works because the directory was just chowned.

#!/bin/bash --

# Create a cgroup named after the current user in every hierarchy under
# /sys/fs/cgroup, hand it to the user, and move the shell that launched
# this script ($PPID) into it so its children inherit the cgroup.
for d in /sys/fs/cgroup/*; do
  [ -d "$d" ] || continue                         # skip anything that is not a hierarchy
  f=$(basename "$d")
  echo "looking at $f"
  if [ "$f" = "cpuset" ]; then
    # let child cpusets inherit cpus/mems from the parent
    echo 1 | sudo tee -a "$d/cgroup.clone_children" >/dev/null
  elif [ "$f" = "memory" ]; then
    echo 1 | sudo tee -a "$d/memory.use_hierarchy" >/dev/null
  fi
  sudo mkdir -p "$d/$USER"
  sudo chown -R "$USER" "$d/$USER"                # the user now controls this subtree
  echo "$PPID" > "$d/$USER/tasks"                 # move the parent shell in (no sudo needed now)
done

Each time a terminal is opened and you want to create or start an unprivileged container, run the script first, then confirm with cat /proc/self/cgroup that every line now ends in /$USER.
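The check above can be scripted.  The following is an added example, not code from the original post: it parses the /proc/self/cgroup format shown above (one id:controllers:path line per hierarchy) and reports the hierarchies whose path is not the per-user cgroup the script creates.  The function names are my own, and the two sample listings are constructed copies of the before/after output quoted earlier for user aikidoka.

```shell
#!/bin/sh
# Added example, not from the original post: verify the per-user cgroup
# setup by parsing /proc/self/cgroup text ("id:controllers:path" lines).

# Read /proc/self/cgroup text on stdin and print the controller field of
# every hierarchy whose path is not "/<user>" or below it.  Prints nothing
# when the shell sits inside its per-user cgroup in every hierarchy.
cgroup_missing() {
    user="$1"
    while IFS=: read -r hid ctrl path; do
        [ -n "$hid" ] || continue              # skip blank lines
        case "$path" in
            "/$user" | "/$user/"*) ;;          # already delegated to the user
            *) printf '%s\n' "$ctrl" ;;
        esac
    done
}

# Number of hierarchies still to fix; 0 means the shell is ready for lxc.
cgroup_missing_count() {
    cgroup_missing "$1" | wc -l | tr -d ' '
}

# Constructed samples, copied from the two listings in the post.
BEFORE_FIX='8:cpuset:/
7:net_cls,net_prio:/
6:perf_event:/
5:cpu,cpuacct:/
4:blkio:/
3:devices:/user.slice
2:freezer:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope'

AFTER_FIX='8:cpuset:/aikidoka
7:net_cls,net_prio:/aikidoka
6:perf_event:/aikidoka
5:cpu,cpuacct:/aikidoka
4:blkio:/aikidoka
3:devices:/aikidoka
2:freezer:/aikidoka
1:name=systemd:/aikidoka'

# Live check for the calling shell: return 0 if every hierarchy is
# delegated to $USER, otherwise name the offending controllers and return 1.
check_live() {
    missing=$(cgroup_missing "$USER" < /proc/self/cgroup)
    if [ -n "$missing" ]; then
        printf 'not in /%s for: %s\n' "$USER" "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

printf '%s\n' "$BEFORE_FIX" | cgroup_missing aikidoka         # lists all 8 controllers
printf '%s\n' "$BEFORE_FIX" | cgroup_missing_count aikidoka   # 8
printf '%s\n' "$AFTER_FIX" | cgroup_missing_count aikidoka    # 0
```

Run check_live in the shell you intend to start containers from; if it prints any controller names, the fix-up script has not been run in that shell (or a hierarchy was mounted after it ran).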

I do not want to redo all the great stuff Stéphane Graber has written, so I recommend following his guide with the above information in mind.  The one catch is that this still does not allow you to run a container whose OS uses systemd as init.  For example, I could run wheezy inside without an issue but could not start a sid container.  LXCFS was created to allow this, but it was also going to require some more investigation.  I will probably give that a try on my new build machine after finally switching it over to Arch Linux.

About Adam Oliver

Adam Oliver has been working in the IT field for over 10 years and is a Sales Engineer for Citrix Systems, Inc. Follow Adam on twitter at http://twitter.com/theadamoliver. Find out more about Citrix at www.citrix.com.