[pkg-lxc-devel] Bug#993391: Bug#993391: lxc: Unprivileged lxc example from README.Debian.gz gives AppArmor error "Failed to mount proc"

Pierre-Elliott Bécue peb at debian.org
Wed Sep 1 23:17:16 BST 2021


Control: severity -1 normal

Hi,

I don't like to make judgemental calls when I try to help our users, but
here I'll still make a guess. I guess that you actually did not read
carefully README.Debian.gz and therefore did not follow these
instructions carefully.

pk <pkoroau at gmail.com> writes:

> Thank you for answering. kernel.unprivileged_userns_clone = 1 on my
> machine and on the Live DVD. All instructions of the README.Debian.gz
> were followed.
>
> To rule out machine-specific misconfiguration, this log is from the
> Live DVD, Debian 11.0 AMD64 Standard:
>
>
>
> Warning: Permanently added '[localhost]:12346' (ECDSA) to the list of
> known hosts.
> user at localhost's password:
> Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> user at debian:~$ sudo su -l
> root at debian:~# apt-get update ; apt-get install lxc
> [snip]

What's in there apart from apt-get output?

> root at debian:~# sysctl kernel.unprivileged_userns_clone
> kernel.unprivileged_userns_clone = 1
> root at debian:~# grep user /etc/subuid /etc/subgid
> /etc/subuid:user:100000:65536
> /etc/subgid:user:100000:65536
> root at debian:~#
> logout
> user at debian:~$ mkdir -p .local/share/lxc
> user at debian:~$ chmod +x . .local .local/share
> user at debian:~$
> user at debian:~$ cat > test_config
>   lxc.idmap = u 0 100000 65536
>   lxc.idmap = g 0 100000 65536
>   lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
>   lxc.apparmor.profile = unconfined

This is not in the README, and you actually don't seem to have created
any container yet. Furthermore, your configuration actually doesn't
mention any rootfs or block device to pivot on!

Here is what I get doing something like what you pasted here.

.-(0:03:50)-(~)--------------------------------------------------------------------------(peb at xxxxx)-
`--[130]-> lxc-ls -f
NAME                   STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED 
autopkgtest-lxc-xwkkud STOPPED 0         -      -    -    true         
autopkgtest-unstable   STOPPED 0         -      -    -    true         

As you see I only have two containers. I'll try to start a container
named "blah" which does not exist. I wrote a blah.cfg containing roughly
the same config as you just adapted for my subuids.

.-(0:03:51)-(~)--------------------------------------------------------------------------(peb at xxxxx)-
`---> cat blah.cfg                        
lxc.idmap = u 0 1214112 65536
lxc.idmap = g 0 1214112 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = unconfined

Here I'll use your command, but note that README.Debian.gz states we
have lxc-unpriv-start, which makes things much more elegant.

-(0:04:40)-(~)--------------------------------------------------------------------------(peb at xxxxx)-
`--[1]-> systemd-run --user --scope -p "Delegate=yes" /usr/bin/lxc-start -o /dev/stdout -f blah.cfg blah
Running scope as unit: run-r34581cfe965441428e3520ecb8c0bb7b.scope
lxc-start blah 20210901220449.759 ERROR    utils - utils.c:safe_mount:1204 - Permission denied - Failed to mount "proc" onto "/proc"
lxc-start blah 20210901220449.759 ERROR    conf - conf.c:lxc_mount_auto_mounts:681 - Permission denied - Failed to mount "proc" on "/proc" with flags 14
lxc-start blah 20210901220449.759 ERROR    conf - conf.c:lxc_setup:3330 - Failed to setup first automatic mounts
lxc-start blah 20210901220449.759 ERROR    start - start.c:do_start:1218 - Failed to setup container "blah"
lxc-start blah 20210901220449.759 ERROR    sync - sync.c:__sync_wait:36 - An error occurred in another process (expected sequence number 5)
lxc-start blah 20210901220449.759 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:859 - Received container state "ABORTING" instead of "RUNNING"
lxc-start blah 20210901220449.759 ERROR    start - start.c:__lxc_start:1999 - Failed to spawn container "blah"
[and it goes on]

With of course the Apparmor denial in dmesg.

I guess the reason is that lxc, having no rootfs or block device to pivot
on, tries to mount proc on "/proc" (maybe because it concatenates
$rootfs+"/proc", with $rootfs being "" here?), i.e. on the host's /proc,
or anyway on something you don't have a right to mount on.

Of course with a created container and a real config, things are going
smoothly.

Considering what I gathered, I would recommend you take the time to
actually read the documentation properly and try to follow it.

If you fail to have a running container, please do provide a full log of
what you did step by step, and which part of README.Debian.gz, in your
opinion, covered what you did.

With best regards,

--
PEB
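As an added example (not part of this thread or of the lxc package), a small POSIX shell check that catches the two problems diagnosed above before lxc-start is ever run: a config with no lxc.rootfs.path to pivot into, and lxc.idmap ranges that /etc/subuid or /etc/subgid do not actually grant the user. The function names and the argument order are my own; the subuid file format (user:start:count) and the lxc config keys are the real ones.

```shell
#!/bin/sh
# Added example: sanity-check an unprivileged LXC config before lxc-start.

# range_granted USER TYPE(u|g) START COUNT SUBFILE
# Returns 0 if SUBFILE (lines of user:start:count) grants USER the whole range.
range_granted() {
    user=$1; start=$3; count=$4; subfile=$5
    end=$((start + count))
    awk -F: -v u="$user" -v s="$start" -v e="$end" '
        $1 == u && $2 <= s && ($2 + $3) >= e { ok = 1 }
        END { exit ok ? 0 : 1 }' "$subfile"
}

# check_lxc_config CONFIG USER SUBUID SUBGID
# Prints one line per problem found; returns 0 only if none were found.
check_lxc_config() {
    cfg=$1; user=$2; subuid=$3; subgid=$4
    problems=0
    # Without lxc.rootfs.path, lxc-start ends up trying to mount proc on the
    # host's own /proc, which AppArmor denies for an unprivileged user
    # (the "Failed to mount proc" error from the thread).
    if ! grep -Eq '^[[:space:]]*lxc\.rootfs\.path[[:space:]]*=' "$cfg"; then
        echo "no lxc.rootfs.path: nothing to pivot into"
        problems=$((problems + 1))
    fi
    # lxc.idmap = TYPE CONTAINER_START HOST_START COUNT; the host range must
    # lie inside what subuid/subgid grant, or the user namespace setup fails.
    while read -r type _ host count; do
        case $type in
            u) f=$subuid ;;
            g) f=$subgid ;;
            *) continue ;;
        esac
        if ! range_granted "$user" "$type" "$host" "$count" "$f"; then
            echo "idmap $type $host $count not granted in $f"
            problems=$((problems + 1))
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$cfg")
EOF
    [ "$problems" -eq 0 ]
}
```

Run it as `check_lxc_config test_config "$USER" /etc/subuid /etc/subgid` against the config from the report and it flags the missing rootfs before any mount is attempted.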