Has anyone managed to install Lxc containers on PureOS?

Is it possible at all to run lxc containers on PureOS?

I am struggling to make lxc containers work on PureOS

The funny thing is I can get it to work fine when using Boxes VM and Ubuntu.

In the Ubuntu VM I can run the containers easily.

Librem13v4 running PureOS amber with all updates. I'm trying to get LXC unprivileged containers working.

I've gotten this far:

user@system:~$ lxc-start -n busybox -F
lxc-start: busybox: lsm/apparmor.c: make_apparmor_namespace: 761 Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-busybox_<-home-user-.local-share-lxc>
lxc-start: busybox: lsm/apparmor.c: apparmor_prepare: 980 Failed to load generated AppArmor profile
lxc-start: busybox: start.c: lxc_init: 899 Failed to initialize LSM
lxc-start: busybox: start.c: __lxc_start: 1917 Failed to initialize container "busybox"
lxc-start: busybox: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: busybox: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

To get this far I had to overcome two obstacles:

user@system:~$ lxc-create -t download -n debian
lxc-create: debian: conf.c: chown_mapped_root: 3250 lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open ttyOperation not permitted - Failed to unshare mount and user namespac
lxc-create: debian: tools/lxc_create.c: main: 327 Failed to create container debian

This had to be solved as described here by:

user@system:~$ sudo sysctl kernel.unprivileged_userns_clone=1

and

user@system:~$ lxc-create -t download -n debian
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: debian: lxccontainer.c: create_run_template: 1617 Failed to create container from template
lxc-create: debian: tools/lxc_create.c: main: 327 Failed to create container debian

The issue is described here and I solved it by

user@system:~$ export DOWNLOAD_KEYSERVER="ipv4.pool.sks-keyservers.net"
user@system:~$ lxc-create -t download -n debian


BTW: Same situation on a Debian Buster 10.1 in a KVM virtual machine.

O.k. I've gotten a bit further:

user@system:~$ cat .config/lxc/lxc.conf 
lxc.lxcpath = /home/cvogel/.lxc/
user@system:~$ cat .config/lxc/default.conf 
lxc.net.0.type = empty
# lxc.apparmor.profile = generated
# lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
user@system:~$ ls -ld .lxc
drwxr-xr-x 3 user user 4096 Okt  3 22:28 .lxc
user@system:~$ lxc-create -t busybox -n busybox
user@system:~$ lxc-ls
busybox 
user@system:~$ lxc-start -n busybox -F
lxc-start: busybox: utils.c: safe_mount: 1179 No such file or directory - Failed to mount "/dev/ram0" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/ram0"
lxc-start: busybox: conf.c: lxc_setup_ttys: 932 File exists - Failed to create "/dev/tty1"
udhcpc: SIOCGIFINDEX: No such device

Please press Enter to activate this console.


BusyBox v1.30.1 (Debian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # whoami
root
/ # pwd
/
/ # halt
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL to all processes
Requesting system halt
user@system:~$ 

I'm not really sure, yet, if it is a good idea not to make the apparmor profile work. But as I understand it the unprivileged container is confined by the rights of the unprivileged user and a container started as root should be confined by apparmor.

The unprivileged user can't confine by using a 'generated' apparmor profile, because she is not allowed to change apparmor settings.

To "double protect" against breaking out of the container one would have to activate the profile for the container as root and start the container as an unprivileged user?

Did I get that right?
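The confinement an unprivileged container gets from "the rights of the unprivileged user" rests on the lxc.idmap lines in default.conf: container root must land on a host uid/gid that is actually delegated to the user in /etc/subuid and /etc/subgid, not on host root. The script below is an added example (not from the thread or from LXC itself) that checks a default.conf against that delegation and prints which host uid container root maps to; the /etc/subuid and /etc/subgid lines and the user name "user" are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that an unprivileged LXC idmap stays inside the ranges
# delegated to the user, and show the host uid that container root runs as.
# All inputs below are constructed for the demo (the idmap lines mirror the
# default.conf in the thread; the subuid/subgid lines and "user" are assumed).
DEFAULT_CONF='lxc.net.0.type = empty
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536'
SUBUID='user:100000:65536'   # constructed /etc/subuid entry
SUBGID='user:100000:65536'   # constructed /etc/subgid entry

# idmap_within_range KIND CONF DELEGATED USER
# KIND is u or g; DELEGATED is the text of /etc/subuid or /etc/subgid.
# Returns 0 when every "lxc.idmap = KIND cont_start host_start count" line
# in CONF lies inside a range delegated to USER, 1 otherwise.
idmap_within_range() {
  printf '%s\n' "$2" | awk -v kind="$1" -v delegated="$3" -v user="$4" '
    BEGIN {
      n = split(delegated, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, ":")
        if (f[1] == user) { rs[++nr] = f[2] + 0; rc[nr] = f[3] + 0 }
      }
    }
    $1 == "lxc.idmap" && $3 == kind {
      host = $5 + 0; cnt = $6 + 0; ok = 0
      for (i = 1; i <= nr; i++)
        if (host >= rs[i] && host + cnt <= rs[i] + rc[i]) ok = 1
      if (!ok) bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# host_uid_for KIND CONTAINER_ID CONF
# Prints the host uid/gid that CONTAINER_ID maps to, or "unmapped".
host_uid_for() {
  printf '%s\n' "$3" | awk -v kind="$1" -v cid="$2" '
    BEGIN { c = cid + 0 }
    $1 == "lxc.idmap" && $3 == kind && c >= $4 + 0 && c < $4 + $6 {
      print $5 + (c - $4); found = 1; exit
    }
    END { if (!found) print "unmapped" }'
}

# Stand-alone report on the constructed inputs.
idmap_within_range u "$DEFAULT_CONF" "$SUBUID" user && echo "uid map: OK" || echo "uid map: outside /etc/subuid"
idmap_within_range g "$DEFAULT_CONF" "$SUBGID" user && echo "gid map: OK" || echo "gid map: outside /etc/subgid"
echo "container root runs as host uid $(host_uid_for u 0 "$DEFAULT_CONF")"
```

On a real host, feed it `cat ~/.config/lxc/default.conf`, `cat /etc/subuid` and `cat /etc/subgid` with your own user name; a mapping that falls outside the delegated range is what lxc-usernsexec refuses to set up.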