Is it possible at all to run lxc containers on PureOS
I am struggling to make lxc containers work on PureOS.
The funny thing is I can get it to work fine when using Boxes VM and Ubuntu.
In the Ubuntu VM I can run the containers easily.
Librem13v4 running PureOS amber with all updates. I'm trying to get LXC unprivileged containers working.
I've gotten this far:
user@system:~$ lxc-start -n busybox -F
lxc-start: busybox: lsm/apparmor.c: make_apparmor_namespace: 761 Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-busybox_<-home-user-.local-share-lxc>
lxc-start: busybox: lsm/apparmor.c: apparmor_prepare: 980 Failed to load generated AppArmor profile
lxc-start: busybox: start.c: lxc_init: 899 Failed to initialize LSM
lxc-start: busybox: start.c: __lxc_start: 1917 Failed to initialize container "busybox"
lxc-start: busybox: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: busybox: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
To get this far I had to overcome two obstacles:
user@system:~$ lxc-create -t download -n debian
lxc-create: debian: conf.c: chown_mapped_root: 3250 lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open ttyOperation not permitted - Failed to unshare mount and user namespac
lxc-create: debian: tools/lxc_create.c: main: 327 Failed to create container debian
This had to be solved as described here by:
user@system:~$ sudo sysctl kernel.unprivileged_userns_clone=1
and
user@system:~$ lxc-create -t download -n debian
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: debian: lxccontainer.c: create_run_template: 1617 Failed to create container from template
lxc-create: debian: tools/lxc_create.c: main: 327 Failed to create container debian
The issue is described here and I solved it by
user@system:~$ export DOWNLOAD_KEYSERVER="ipv4.pool.sks-keyservers.net"
user@system:~$ lxc-create -t download -n debian
BTW: Same situation on a Debian Buster 10.1 in a KVM virtual machine.
O.k. I've gotten a bit farther:
user@system:~$ cat .config/lxc/lxc.conf
lxc.lxcpath = /home/cvogel/.lxc/
user@system:~$ cat .config/lxc/default.conf
lxc.net.0.type = empty
# lxc.apparmor.profile = generated
# lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
user@system:~$ ls -ld .lxc
drwxr-xr-x 3 user user 4096 Okt 3 22:28 .lxc
user@system:~$ lxc-create -t busybox -n busybox
user@system:~$ lxc-ls
busybox
user@system:~$ lxc-start -n busybox -F
lxc-start: busybox: utils.c: safe_mount: 1179 No such file or directory - Failed to mount "/dev/ram0" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/ram0"
lxc-start: busybox: conf.c: lxc_setup_ttys: 932 File exists - Failed to create "/dev/tty1"
udhcpc: SIOCGIFINDEX: No such device
Please press Enter to activate this console.
BusyBox v1.30.1 (Debian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # whoami
root
/ # pwd
/
/ # halt
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL to all processes
Requesting system halt
user@system:~$
I'm not really sure yet whether it is a good idea not to make the apparmor profile work. But as I understand it, the unprivileged container is confined by the rights of the unprivileged user, and a container started as root should be confined by apparmor.
The unprivileged user can't confine by using a "generated" apparmor profile, because she is not allowed to change apparmor settings.
To "double protect" against breaking out of the container, one would have to activate the profile for the container as root and start the container as an unprivileged user?
Did I get that right?
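Added example, not code from the thread or from the LXC project: the two lxc.idmap lines in the default.conf above only work if the host range they name (UID/GID 100000 to 165535 here) lies inside the subordinate ranges that /etc/subuid and /etc/subgid allocate to the user, since that allocation is what lets an unprivileged user map container root to an unprivileged host ID. This POSIX sh script checks a conf against those files; the username "user" and all file contents are constructed samples.

```shell
#!/bin/sh
# Added example (not code from the thread): verify that the lxc.idmap lines of
# an unprivileged user's default.conf fall inside the ranges /etc/subuid and
# /etc/subgid grant that user. All inputs are constructed samples.
# idmap_line_ok USER "lxc.idmap = u 0 100000 65536" SUBFILE_CONTENT
# Returns 0 when the host range [start, start+count) from the idmap line lies
# inside one "USER:start:count" entry of SUBFILE_CONTENT, else 1.
idmap_line_ok() {
    user=$1 subfile=$3
    set -- $2                     # word-split: lxc.idmap = u 0 100000 65536
    printf '%s\n' "$subfile" | awk -F: -v u="$user" -v s="$5" -v e="$(($5 + $6))" '
        $1 == u && s >= $2 && e <= $2 + $3 { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# check_idmaps USER CONF_CONTENT SUBUID_CONTENT SUBGID_CONTENT
# Returns 0 when every lxc.idmap line is covered (u lines by subuid, g lines by
# subgid), 1 if any mapping lies outside the user's allocation, and 2 if the
# conf has no lxc.idmap line at all (no user-namespace mapping configured).
check_idmaps() {
    user=$1 conf=$2 subuid=$3 subgid=$4
    found=0 rc=0
    while IFS= read -r line; do
        case $line in
            lxc.idmap*) ;;            # only active (uncommented) idmap lines
            *) continue ;;
        esac
        found=1
        set -- $line
        case $3 in
            u) idmap_line_ok "$user" "$line" "$subuid" || rc=1 ;;
            g) idmap_line_ok "$user" "$line" "$subgid" || rc=1 ;;
            *) rc=1 ;;                 # malformed mapping type
        esac
    done <<EOF
$conf
EOF
    [ "$found" -eq 1 ] || return 2
    return "$rc"
}

# Constructed samples: the conf from the thread, one matching allocation and
# one where the user's range starts elsewhere.
SAMPLE_CONF='lxc.net.0.type = empty
# lxc.apparmor.profile = generated
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536'
GOOD_SUB='user:100000:65536'
BAD_SUB='user:165536:65536'
```

On a real host, call check_idmaps with "$USER" and the contents of ~/.config/lxc/default.conf, /etc/subuid and /etc/subgid; a non-zero result means the idmap lines need to be adjusted to the allocated range.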