[pkg-lxc-devel] Bug#993391: Bug#993391: lxc: Unprivileged lxc example from README.Debian.gz gives AppArmor error "Failed to mount proc"

Pierre-Elliott Bécue peb at debian.org
Thu Sep 2 20:16:57 BST 2021


Hi,

pk <pkoroau at gmail.com> writes:

> Hello,
>
> I copy-pasted configuration and commands from
> /usr/share/doc/lxc/README.Debian.gz under "Unprivileged containers".
> Are you talking about another file?
> https://salsa.debian.org/lxc-team/lxc/-/blob/7d692c266c63fced9417042ae904cc2a280b96d8/debian/README.Debian

The configuration in that file is

  lxc.include = /etc/lxc/default.conf
  lxc.idmap = u 0 100000 65536
  lxc.idmap = g 0 100000 65536
  lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
  lxc.apparmor.profile = unconfined

and goes to ~/.config/lxc/default.conf

You removed at least the lxc.include statement, and actually tried
something of your own, in particular not creating a default config for
your user and a container afterwards.

> lxc.rootfs defaults to the system root / per lxc.container.conf(5).

Which is not acceptable for an *unprivileged* container, which is the
case you brought here. The reason why AppArmor intervenes instead of
letting either init crash upon startup (because it is not able to
manipulate the filesystem) or things explode is because
lxc.apparmor.profile doesn't apply to the lxc-start call, but only to the
lxc child process.

> Creation is unnecessary, it is just a convenience to avoid -f and does
> not affect the container runtime. My (still privileged) lxc setup
> works perfectly with -f without ever creating any containers.

Creation is necessary as you need a valid rootfs to work, and a valid
rootfs for an unprivileged container has to fit the user namespace which
will be created upon startup of the container. "/" is not a valid rootfs
for an unprivileged container as the uid mappings are totally out of
line. You therefore need to at least create one container using
lxc-create or manually create a rootfs using mmdebstrap or whatever fits
best.

> I pasted full logs above.

You pasted truncated logs, and actually did not follow the README.

> Please try to be respectful and helpful, do not reproduce on a
> configured machine, and leave bug triaging to the lxc experts.

Being one of the LXC maintainers, I'm totally entitled to triage your
bug report, especially since what you claim is a bug does not look
like one. I won't reply to your assumption about my expertise.

Please follow the README properly and if that fails please come back
with full logs.

With best regards,
--
PEB
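The two requirements the reply above insists on for an unprivileged container (every lxc.idmap line must be covered by the user's /etc/subuid and /etc/subgid allocation, and the rootfs must be owned by ids inside that mapping, which "/" never is) can be checked before lxc-start is ever run. The script below is an added example, not code from this thread or from the lxc package: the user name "alice", the scratch directory and all file contents are constructed, and the rootfs check assumes a find that supports -uid (GNU or BSD find).

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the lxc package. It checks
# that every lxc.idmap line in an unprivileged-container config lies inside the
# user's subordinate id allocation, and lists rootfs files owned by ids that the
# mapping cannot represent. All paths, user names and contents are constructed.

# Print "start count" allocated to USER in a subuid/subgid-style file (first
# matching line only), or nothing if the user has no allocation.
subid_range() {            # subid_range FILE USER
  awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Return 0 if the host side of one lxc.idmap value ("u 0 100000 65536" =
# type, container start, host start, count) lies inside "ASTART ACOUNT".
idmap_covered() {          # idmap_covered "TYPE CSTART HSTART COUNT" "ASTART ACOUNT"
  local hstart count astart acount
  case "$2" in *" "*) ;; *) return 1 ;; esac   # no allocation at all
  hstart=$(echo "$1" | awk '{ print $3 }')
  count=$(echo "$1" | awk '{ print $4 }')
  astart=${2%% *}
  acount=${2##* }
  [ -n "$hstart" ] && [ -n "$count" ] || return 1
  [ "$hstart" -ge "$astart" ] && [ $((hstart + count)) -le $((astart + acount)) ]
}

# Check every lxc.idmap line in CONFIG for USER against SUBUID and SUBGID.
# Prints one line per mapping; returns 1 if any mapping is not covered.
check_idmaps() {           # check_idmaps CONFIG USER SUBUID SUBGID
  local rc=0 line spec alloc
  while IFS= read -r line; do
    case "$line" in lxc.idmap*=*) ;; *) continue ;; esac
    spec=$(echo "${line#*=}" | awk '{ $1 = $1; print }')   # squeeze whitespace
    case "$spec" in
      "u "*) alloc=$(subid_range "$3" "$2") ;;
      "g "*) alloc=$(subid_range "$4" "$2") ;;
      *) echo "bad idmap line: $line"; rc=1; continue ;;
    esac
    if idmap_covered "$spec" "$alloc"; then
      echo "ok: $spec inside allocation '$alloc'"
    else
      echo "NOT covered: $spec (allocation: '${alloc:-none}')"; rc=1
    fi
  done < "$1"
  return "$rc"
}

# List files under ROOTFS whose owner uid is outside [HSTART, HSTART+COUNT).
# Anything printed cannot be mapped into the container's user namespace; for
# "/" this is (almost) the whole system, which is why "/" is not a usable rootfs
# for an unprivileged container. Relies on find's -uid (GNU/BSD find).
rootfs_outside_map() {     # rootfs_outside_map ROOTFS HSTART COUNT
  find "$1" -xdev \( -uid "-$2" -o -uid "+$(($2 + $3 - 1))" \)
}

# Write the README's default.conf into a scratch directory with a constructed
# allocation for user "alice", run the mapping check, and count unmappable
# files in an (empty, hence owned by the current user) scratch rootfs.
demo_check() {
  local d rc
  d=$(mktemp -d)
  cat > "$d/default.conf" <<'EOF'
lxc.include = /etc/lxc/default.conf
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = unconfined
EOF
  printf 'alice:100000:65536\n' > "$d/subuid"   # constructed /etc/subuid entry
  printf 'alice:100000:65536\n' > "$d/subgid"   # constructed /etc/subgid entry
  check_idmaps "$d/default.conf" alice "$d/subuid" "$d/subgid"
  rc=$?
  mkdir -p "$d/rootfs/etc"
  echo "files in scratch rootfs outside the 100000..165535 mapping:" \
       "$(rootfs_outside_map "$d/rootfs" 100000 65536 | wc -l)"
  rm -rf "$d"
  return "$rc"
}
```

On a real host you would call `check_idmaps ~/.config/lxc/default.conf "$USER" /etc/subuid /etc/subgid` and `rootfs_outside_map ~/.local/share/lxc/NAME/rootfs 100000 65536` (path assumed, adjust to your lxc.rootfs.path); a non-empty listing from the second call is exactly the "uid mappings are totally out of line" situation, and the fix is to create the rootfs with lxc-create or mmdebstrap under the mapped range rather than to point the container at "/". Users with several subuid lines should extend subid_range, which only reads the first one.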