Has anyone managed to install Lxc containers on PureOS?


#1

Is it possible at all to run lxc containers on PureOS?

I am struggling to make lxc containers work on PureOS

The funny thing is I can get it to work fine when using Boxes VM and Ubuntu.

In the Ubuntu VM I can run the containers easily.


#2

Librem13v4 running PureOS amber with all updates. I’m trying to get LXC unprivileged containers working.

I’ve gotten this far:

user@system:~$ lxc-start -n busybox -F
lxc-start: busybox: lsm/apparmor.c: make_apparmor_namespace: 761 Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-busybox_<-home-user-.local-share-lxc>
lxc-start: busybox: lsm/apparmor.c: apparmor_prepare: 980 Failed to load generated AppArmor profile
lxc-start: busybox: start.c: lxc_init: 899 Failed to initialize LSM
lxc-start: busybox: start.c: __lxc_start: 1917 Failed to initialize container "busybox"
lxc-start: busybox: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: busybox: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

To get this far I had to overcome two obstacles:

user@system:~$ lxc-create -t download -n debian
lxc-create: debian: conf.c: chown_mapped_root: 3250 lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open ttyOperation not permitted - Failed to unshare mount and user namespac
lxc-create: debian: tools/lxc_create.c: main: 327 Failed to create container debian

This had to be solved as described here by:

user@system:~$ sudo sysctl kernel.unprivileged_userns_clone=1

and

user@system:~$ lxc-create -t download -n debian
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: debian: lxccontainer.c: create_run_template: 1617 Failed to create container from template
lxc-create: debian: tools/lxc_create.c: main: 327 Failed to create container debian

The issue is described here and I solved it by

user@system:~$ export DOWNLOAD_KEYSERVER="ipv4.pool.sks-keyservers.net"
user@system:~$ lxc-create -t download -n debian


#3

BTW: Same situation on a Debian Buster 10.1 in a KVM virtual machine.


#4

O.k. I’ve gotten a bit further:

user@system:~$ cat .config/lxc/lxc.conf 
lxc.lxcpath = /home/cvogel/.lxc/
user@system:~$ cat .config/lxc/default.conf 
lxc.net.0.type = empty
# lxc.apparmor.profile = generated
# lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
user@system:~$ ls -ld .lxc
drwxr-xr-x 3 user user 4096 Okt  3 22:28 .lxc
user@system:~$ lxc-create -t busybox -n busybox
user@system:~$ lxc-ls
busybox 
user@system:~$ lxc-start -n busybox -F
lxc-start: busybox: utils.c: safe_mount: 1179 No such file or directory - Failed to mount "/dev/ram0" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/ram0"
lxc-start: busybox: conf.c: lxc_setup_ttys: 932 File exists - Failed to create "/dev/tty1"
udhcpc: SIOCGIFINDEX: No such device

Please press Enter to activate this console.


BusyBox v1.30.1 (Debian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # whoami
root
/ # pwd
/
/ # halt
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL to all processes
Requesting system halt
user@system:~$ 

I’m not really sure, yet, if it is a good idea not to make the apparmor profile work. But as I understand it the unprivileged container is confined by the rights of the unprivileged user and a container started as root should be confined by apparmor.

The unprivileged user can’t confine by using a ‘generated’ apparmor profile, because she is not allowed to change apparmor settings.

To “double protect” against breaking out of the container one would have to activate the profile for the container as root and start the container as an unprivileged user?

Did I get that right?
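An added example (not from the thread or from LXC itself) of the check a host admin would want after post #4: it parses the lxc.idmap lines from a default.conf and confirms the host id ranges they use are actually granted to the user in /etc/subuid and /etc/subgid, never start at host id 0, and notes when the lxc.apparmor.profile line is commented out. File contents are constructed strings standing in for the real files.

```python
import re

IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
APPARMOR_RE = re.compile(r"^\s*lxc\.apparmor\.profile\s*=", re.M)

def parse_idmap(conf_text):
    """Active lxc.idmap lines as (kind, container_start, host_start, count); '#' lines skipped."""
    maps = []
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, c_start, h_start, count = m.groups()
            maps.append((kind, int(c_start), int(h_start), int(count)))
    return maps

def parse_subid(subid_text, user):
    """Ranges (start, count) granted to `user` in /etc/subuid or /etc/subgid."""
    ranges = []
    for line in subid_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges

def check_unprivileged_config(conf_text, subuid_text, subgid_text, user):
    """Return a list of findings; an empty list means the mapping is sound."""
    findings = []
    maps = parse_idmap(conf_text)
    for kind in ("u", "g"):
        if not any(m[0] == kind for m in maps):
            findings.append(f"no lxc.idmap for '{kind}': ids are not remapped")
    for kind, c_start, h_start, count in maps:
        if h_start == 0:  # container id c_start would become host root
            findings.append(f"{kind} map puts container id {c_start} on host id 0")
        granted = parse_subid(subuid_text if kind == "u" else subgid_text, user)
        # the whole host range must sit inside one range granted to the user
        if not any(s <= h_start and h_start + count <= s + n for s, n in granted):
            findings.append(f"{kind} range {h_start}+{count} is not granted to {user}")
    if not APPARMOR_RE.search(conf_text):
        findings.append("lxc.apparmor.profile is commented out or missing")
    return findings

# Constructed sample input mirroring the default.conf shown in post #4.
SAMPLE_CONF = """lxc.net.0.type = empty
# lxc.apparmor.profile = generated
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""
SAMPLE_SUBUID = "user:100000:65536\n"
SAMPLE_SUBGID = "user:100000:65536\n"
```

Run `check_unprivileged_config(SAMPLE_CONF, SAMPLE_SUBUID, SAMPLE_SUBGID, "user")` with your real files read in; on the post #4 setup the only finding is the commented-out AppArmor profile, which matches the poster's own open question.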