Linux – How to Configure Unprivileged Containers

arch linuxlxc

I'm trying to set up unprivileged LXC containers and failing at every turn. I think I've followed every relevant step of the guide:

Normal users are allowed to create unprivileged containers:

$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1

The control groups PAM module is enabled:

$ grep -F pam_cgfs.so /etc/pam.d/system-login
session optional pam_cgfs.so -c freezer,memory,name=systemd,unified

The UID and GID mappings are set up:

$ cat /etc/lxc/default.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
$ cat /etc/subuid
root:100000:65536
$ cat /etc/subgid
root:100000:65536

The network is set up:

$ grep --invert-match --regexp='^#' --regexp='^$' /etc/default/lxc-net
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"

The services look fine:

$ systemctl status --lines=0 --no-pager lxc.service lxc-net.service 
● lxc.service - LXC Container Initialization and Autoboot Code
   Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
   Active: active (exited) since Fri 2019-03-08 15:31:47 NZDT; 40min ago
     Docs: man:lxc-autostart
           man:lxc
 Main PID: 4147 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
   CGroup: /system.slice/lxc.service

● lxc-net.service - LXC network bridge setup
   Loaded: loaded (/usr/lib/systemd/system/lxc-net.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2019-03-08 15:31:45 NZDT; 40min ago
 Main PID: 4099 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
   Memory: 8.4M
   CGroup: /system.slice/lxc-net.service
           └─4121 dnsmasq -u dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsm…

The packages are up to date and I've just rebooted.

Even so, I can't create containers:

$ lxc-create -n test -t download
lxc-create: test: parse.c: lxc_file_for_each_line_mmap: 100 No such file or directory - Failed to open file "/home/user/.config/lxc/default.conf"
lxc-create: test: conf.c: chown_mapped_root: 3179 No uid mapping for container root
lxc-create: test: lxccontainer.c: do_storage_create: 1310 Error chowning "/home/user/.local/share/lxc/test/rootfs" to container root
lxc-create: test: conf.c: suggest_default_idmap: 4801 You do not have subuids or subgids allocated
lxc-create: test: conf.c: suggest_default_idmap: 4802 Unprivileged containers require subuids and subgids
lxc-create: test: lxccontainer.c: do_lxcapi_create: 1891 Failed to create (none) storage for test
lxc-create: test: tools/lxc_create.c: main: 327 Failed to create container test

Is there anything obviously wrong with this setup? There's no mention anywhere in the linked article about ~/.config/lxc/default.conf, and I don't understand why it says I haven't allocated subuids and subgids.

Additional info:

Running lxc-create as root works, but this is explicitly about creating containers as a normal user.
cp /etc/lxc/default.conf ~/.config/lxc/default.conf gets rid of the complaint about the configuration file, but results in this message instead:

lxc-create: playtime: conf.c: chown_mapped_root: 3279 lxc-usernsexec failed: No such file or directory – Failed to open ttyNo such file or directory – Failed to open tt

Best Answer

Is this a new project, or do you have a choice? Why not use LXD instead of LXC - much easier to use and you get to the same place. I started out with lxc and quickly made the switch because I was interested in running unprivileged containers which is not easy in LXC, but is the default in LXD.

Take a look here to start: https://discuss.linuxcontainers.org/t/comparing-lxd-vs-lxc/24

It's been a few months since I last installed/used it, but here are my notes on installation:

As LXD evolves quite rapidly, we recommend Ubuntu users use our PPA:

add-apt-repository ppa:ubuntu-lxc/lxd-stable

apt-get update

apt-get dist-upgrade

apt-get install lxd

The package creates a new “lxd” group which contains all users allowed to talk to lxd over the local unix socket. All members of the “admin” and “sudoers” groups are automatically added. If your user isn’t a member of one of these groups, you’ll need to manually add your user to the “lxd” group.

Because group membership is only applied at login, you then either need to close and re-open your user session or use the “newgrp lxd” command in the shell you’re going to interact with lxd from.

newgrp lxd

https://blog.ubuntu.com/2015/03/20/installing-lxd-and-the-command-line-tool 2018/10/22

To the best of my knowledge you can even run LXD in a virtual machine so you can give it a quick try without messing up whatever system you are working on.

Not exactly the answer to the question you asked, but I hope you find it a helpful alternative.

Unprivileged container owned and run by root

To rub that in again. An unprivileged LXC guest does not require to be run by an unprivileged user on the host.

Configuring your container with a subordinate UID/GID mapping like this:

lxc.id_map = u 0 100000 100000
lxc.id_map = g 0 100000 100000

where the user root on the host owns that given subordinate ID range, will allow you to confine guests even better.

However, there is one important additional advantage in such a scenario (and yes, I have verified that it works): you can auto-start your container at system startup.

Usually when scouring the web for information about LXC you will be told that it is not possible to autostart an unprivileged LXC guest. However, that is only true by default for those containers which are not in the system-wide storage for containers (usually something like /var/lib/lxc). If they are (which usually means they were created by root and are started by root), it's a whole different story.

lxc.start.auto = 1

will do the job quite nicely, once you put it into your container config.

Getting permissions and configuration right

I struggled with this myself a bit, so I'm adding a section here.

In addition to the configuration snippet included via lxc.include which usually goes by the name /usr/share/lxc/config/$distro.common.conf (where $distro is the name of a distro), you should check if there is also a /usr/share/lxc/config/$distro.userns.conf on your system and include that as well. E.g.:

lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf

Furthermore add the subordinate ID mappings:

lxc.id_map = u 0 100000 65535
lxc.id_map = g 0 100000 65535

which means that the host UID 100000 is root inside the user namespace of the LXC guest.

Now make sure that the permissions are correct. If the name of your guest would be stored in the environment variable $lxcguest you'd run the following:

# Directory for the container
chown root:root $(lxc-config lxc.lxcpath)/$lxcguest
chmod ug=rwX,o=rX $(lxc-config lxc.lxcpath)/$lxcguest
# Container config
chown root:root $(lxc-config lxc.lxcpath)/$lxcguest/config
chmod u=rw,go=r $(lxc-config lxc.lxcpath)/$lxcguest/config
# Container rootfs
chown 100000:100000 $(lxc-config lxc.lxcpath)/$lxcguest/rootfs
chmod u=rwX,go=rX $(lxc-config lxc.lxcpath)/$lxcguest/rootfs

This should allow you to run the container after your first attempt may have given some permission-related errors.

What are benefits and downsides of unprivileged containers

Running unprivileged containers is the safest way to run containers in a production environment. Containers get bad publicity when it comes to security and one of the reasons is because some users have found that if a user gets root in a container then there is a possibility of gaining root on the host as well. Basically what an unprivileged container does is mask the userid from the host . With unprivileged containers, non root users can create containers and will have and appear in the container as root but will appear as userid 10000 for example on the host (whatever you map the userids as). I recently wrote a blog post on this based on Stephane Graber's blog series on LXC (One of the brilliant minds/lead developers of LXC and someone to definitely follow). I say again, extremely brilliant.

From my blog:

From the container:

lxc-attach -n ubuntu-unprived
root@ubuntu-unprived:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 04:48 ?        00:00:00 /sbin/init
root       157     1  0 04:48 ?        00:00:00 upstart-udev-bridge --daemon
root       189     1  0 04:48 ?        00:00:00 /lib/systemd/systemd-udevd --daemon
root       244     1  0 04:48 ?        00:00:00 dhclient -1 -v -pf /run/dhclient.eth0.pid
syslog     290     1  0 04:48 ?        00:00:00 rsyslogd
root       343     1  0 04:48 tty4     00:00:00 /sbin/getty -8 38400 tty4
root       345     1  0 04:48 tty2     00:00:00 /sbin/getty -8 38400 tty2
root       346     1  0 04:48 tty3     00:00:00 /sbin/getty -8 38400 tty3
root       359     1  0 04:48 ?        00:00:00 cron
root       386     1  0 04:48 console  00:00:00 /sbin/getty -8 38400 console
root       389     1  0 04:48 tty1     00:00:00 /sbin/getty -8 38400 tty1
root       408     1  0 04:48 ?        00:00:00 upstart-socket-bridge --daemon
root       409     1  0 04:48 ?        00:00:00 upstart-file-bridge --daemon
root       431     0  0 05:06 ?        00:00:00 /bin/bash
root       434   431  0 05:06 ?        00:00:00 ps -ef

From the host:

lxc-info -Ssip --name ubuntu-unprived
State:          RUNNING
PID:            3104
IP:             10.1.0.107
CPU use:        2.27 seconds
BlkIO use:      680.00 KiB
Memory use:     7.24 MiB
Link:           vethJ1Y7TG
TX bytes:      7.30 KiB
RX bytes:      46.21 KiB
Total bytes:   53.51 KiB

ps -ef | grep 3104
100000    3104  3067  0 Nov11 ?        00:00:00 /sbin/init
100000    3330  3104  0 Nov11 ?        00:00:00 upstart-udev-bridge --daemon
100000    3362  3104  0 Nov11 ?        00:00:00 /lib/systemd/systemd-udevd --daemon
100000    3417  3104  0 Nov11 ?        00:00:00 dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
100102    3463  3104  0 Nov11 ?        00:00:00 rsyslogd
100000    3516  3104  0 Nov11 pts/8    00:00:00 /sbin/getty -8 38400 tty4
100000    3518  3104  0 Nov11 pts/6    00:00:00 /sbin/getty -8 38400 tty2
100000    3519  3104  0 Nov11 pts/7    00:00:00 /sbin/getty -8 38400 tty3
100000    3532  3104  0 Nov11 ?        00:00:00 cron
100000    3559  3104  0 Nov11 pts/9    00:00:00 /sbin/getty -8 38400 console
100000    3562  3104  0 Nov11 pts/5    00:00:00 /sbin/getty -8 38400 tty1
100000    3581  3104  0 Nov11 ?        00:00:00 upstart-socket-bridge --daemon
100000    3582  3104  0 Nov11 ?        00:00:00 upstart-file-bridge --daemon
lxc       3780  1518  0 00:10 pts/4    00:00:00 grep --color=auto 3104

As you can see processes are running inside the container as root but are not appearing as root but as 100000 from the host.

So to sum up: Benefits - added security and added isolation for security. Downside - A little confusing to wrap your head around at first and not for the novice user.

Best Answer

add-apt-repository ppa:ubuntu-lxc/lxd-stable

apt-get update

apt-get dist-upgrade

apt-get install lxd

Related Solutions

An unprivileged LXC container

Unprivileged container owned and run by root

Getting permissions and configuration right

What are benefits and downsides of unprivileged containers

Related Question