Unprivileged containers fail to start on lxc-1.1.2 (it works on 1.0.7). This is most likely a bug in upstream (https://github.com/lxc/lxc/issues/482), but for the record…

Reproducible: Always

Steps to Reproduce:
1. emerge -av =sys-apps/shadow-4.2*   # needed for running unprivileged container
2. echo 'root:100000:65537' >> /etc/subuid; echo 'root:100000:65537' >> /etc/subgid
3. echo -e 'lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\nlxc.network.type = none' > test.conf
4. lxc-create -t download -n test -f test.conf -- -d gentoo -r current -a amd64
5. lxc-start -n test -F

Actual Results:
lxc-start: conf.c: lxc_mount_auto_mounts: 819 Operation not permitted - error mounting sysfs on /var/lib/lxc/rootfs/sys flags 14
lxc-start: conf.c: lxc_setup: 3833 failed to setup the automatic mounts for 'test'
lxc-start: start.c: do_start: 699 failed to setup the container
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1164 failed to spawn 'test'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

Expected Results:
Container should start.

$ uname -srmpio
Linux 4.0.8-hardened-intel-v5 x86_64 Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz GenuineIntel GNU/Linux
Not much to do, I suppose, apart from waiting for a fix upstream.
Uh, well, this isn't a bug in LXC after all. Full story here: https://github.com/lxc/lxc/issues/482#issuecomment-137612553

Conclusions:
* lxc.network.type=none doesn't mean what you think and you definitely want 'empty' instead!
* If you run a hardened kernel, disable CONFIG_GRKERNSEC_SYSFS_RESTRICT.
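An added example, not part of this bug report or of LXC itself: a small POSIX sh linter for the two pitfalls above plus the id-map/subuid consistency the reporter set up by hand. The security-relevant mechanism behind the first conclusion is that `lxc.network.type = none` leaves the container in the host's network namespace, and the kernel only lets a user namespace mount sysfs when that user namespace owns its network namespace, hence the EPERM on /sys; `empty` gives the container its own namespace. All function names (`netns_ok`, `idmap_fits`, `sysfs_restrict_on`, `lint_config`, `make_samples`) and the sample files are mine; the sample config, subuid/subgid lines and kernel-config lines are constructed to mirror the report, not read from a real host.

```shell
#!/bin/sh
# Added example (not LXC's own code): lint an LXC 1.x container config for
# the pitfalls in this report. Function and sample-file names are mine.

# 0 if the config keeps the container out of the host's network namespace.
# LXC unshares the network namespace unless lxc.network.type is "none";
# without its own netns a user namespace may not mount sysfs (EPERM on /sys).
netns_ok() {
  t=$(sed -n 's/^lxc\.network\.type[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  [ "$t" != "none" ]
}

# 0 if every "lxc.id_map = u|g <ctr> <host> <count>" line in $1 lies inside
# an "<owner>:<start>:<len>" range in $2 (subuid) / $3 (subgid) for owner $4
# (default root). A map outside the delegated range is refused by the kernel.
idmap_fits() {
  conf=$1 subuid=$2 subgid=$3 owner=${4:-root} bad=0
  while read -r key eq kind ctr host count; do
    [ "$key" = "lxc.id_map" ] || continue
    case $kind in u) map=$subuid ;; g) map=$subgid ;; *) continue ;; esac
    ok=0
    while IFS=: read -r user start len; do
      [ "$user" = "$owner" ] || continue
      if [ "$host" -ge "$start" ] && [ $((host + count)) -le $((start + len)) ]; then
        ok=1
      fi
    done < "$map"
    if [ "$ok" != 1 ]; then
      echo "id_map $kind $host+$count not covered by $map" >&2
      bad=1
    fi
  done < "$conf"
  return $bad
}

# 0 if a kernel config (plain text; use `zcat /proc/config.gz` on a live
# host) enables grsecurity's sysfs restriction, which the report disabled.
sysfs_restrict_on() {
  grep -q '^CONFIG_GRKERNSEC_SYSFS_RESTRICT=y' "$1"
}

# Run all checks: $1 config, $2 subuid, $3 subgid, $4 kernel config.
# Prints one line per finding on stderr and returns 1 if anything failed.
lint_config() {
  fail=0
  netns_ok "$1" || { echo "$1: lxc.network.type=none shares the host netns; use 'empty'" >&2; fail=1; }
  idmap_fits "$1" "$2" "$3" || fail=1
  sysfs_restrict_on "$4" && { echo "$4: CONFIG_GRKERNSEC_SYSFS_RESTRICT=y blocks sysfs in a userns" >&2; fail=1; }
  return $fail
}

# Constructed sample inputs mirroring the report (not real host files).
# bad.conf is the reporter's test.conf, good.conf the corrected one, and
# short.conf maps more ids than /etc/subuid delegates.
make_samples() {
  d=$(mktemp -d)
  printf '%s\n' 'lxc.id_map = u 0 100000 65536' 'lxc.id_map = g 0 100000 65536' \
    'lxc.network.type = none' > "$d/bad.conf"
  sed 's/= none/= empty/' "$d/bad.conf" > "$d/good.conf"
  sed 's/65536/70000/' "$d/good.conf" > "$d/short.conf"
  printf 'root:100000:65537\n' > "$d/subuid"
  cp "$d/subuid" "$d/subgid"
  printf '%s\n' 'CONFIG_GRKERNSEC=y' 'CONFIG_GRKERNSEC_SYSFS_RESTRICT=y' > "$d/kconfig"
  echo "$d"
}

# Demo: the reporter's config trips both the netns and the kernel check.
samples=$(make_samples)
lint_config "$samples/bad.conf" "$samples/subuid" "$samples/subgid" "$samples/kconfig" \
  || echo "bad.conf: would not start as an unprivileged container"
```

On a real host run `lint_config test.conf /etc/subuid /etc/subgid <(zcat /proc/config.gz)` in bash, or dump the kernel config to a file first for plain sh. The subuid/subgid check is deliberately strict about the owner name because lxc-start reads the ranges of the user it runs as, which is root in this report.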