| Summary: | LXC container with user namespace and filesystem type file does not start | | |
|---|---|---|---|
| Product: | [Community] Virtualization Tools | Reporter: | Arnaud Morel <arnofear4list> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | libvirt-maint, Molly.Jo.Bault |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
If you are running CentOS or RHEL you might find this interesting: https://github.com/lxc/lxc/issues/842
Description of problem:

LXC container with user namespace and filesystem type file (raw|nbd) can't start, because the Libvirt pre-commands are executed under the UID/GID mapping.

Version-Release number of selected component (if applicable): 2.4.0 and previous versions

How reproducible: Always

Steps to Reproduce:

1. Create the raw file

   ```
   # qemu-img create -f raw /my/myctd1.raw 1G
   ```

2. Format the raw file

   ```
   # mkfs.ext4 -F /my/myctd1.raw
   ```

3. Set up the loop device

   ```
   # losetup /dev/loop0 /my/myctd1.raw
   ```

4. Mount the loop device

   ```
   # mount /dev/loop0 /mnt/myct
   ```

5. Copy a rootfs

6. Shift the UID/GID mapping on /mnt/myct

7. Umount the loop device

   ```
   # umount /mnt/myct
   # losetup -d /dev/loop0
   ```

8. Define the container as below

   ```xml
   <domain type='lxc'>
     <name>myct</name>
     <memory unit='KiB'>131072</memory>
     <vcpu placement='static'>1</vcpu>
     <os>
       <type arch='x86_64'>exe</type>
       <init>/bin/systemd</init>
     </os>
     <idmap>
       <uid start='0' target='70000' count='1001'/>
       <uid start='65534' target='71001' count='1'/>
       <gid start='0' target='70000' count='1001'/>
       <gid start='65534' target='71001' count='1'/>
     </idmap>
     <features>
       <privnet/>
     </features>
     <clock offset='utc'/>
     <on_poweroff>destroy</on_poweroff>
     <on_reboot>restart</on_reboot>
     <on_crash>destroy</on_crash>
     <devices>
       <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
       <filesystem type='file' accessmode='passthrough'>
         <driver type='loop' format='raw'/>
         <source file='/my/myctd1.raw'/>
         <target dir='/'/>
       </filesystem>
       <console type='pty'/>
     </devices>
   </domain>
   ```

9. Start the container

   ```
   # virsh -c lxc:/// start myct
   error: Failed to start domain myct
   error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to create /var/run/libvirt/lxc/myct.root: Permission denied
   ```

Actual results:

```
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to create /var/run/libvirt/lxc/myct.root: Permission denied
```

Expected results: Domain myct started

Additional info: Just to get the next errors ...

```
# chmod o+w /var/run/libvirt/lxc/
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Unable to open filesystem /dev/loop0: Permission denied
# chmod o+rw /dev/loop0
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to mount device /dev/loop0 to /var/run/libvirt/lxc/myct.root as ext4: Operation not permitted
```
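Step 6 of the reproduction ("Shift the UID/GID mapping on /mnt/myct") is left implicit in the report. The script below is an added example, not part of the bug report and not libvirt's own tooling: it reads the `<idmap>` from the domain XML, translates each file's container-side UID/GID to the host-side id the mapping assigns (uid 0 becomes 70000, 1000 becomes 71000, 65534 becomes 71001; 1001 to 65533 and anything above 65534 have no mapping), and re-owns the mounted rootfs tree with `lchown` so symlinks are handled without following them. The script name, its command-line arguments and the throwaway tree it builds for its dry run are assumptions; the `<idmap>` values are a constructed copy of the ones in the domain definition above.

```python
#!/usr/bin/env python3
"""Shift a rootfs's ownership into a libvirt LXC <idmap> (step 6 of the report).

Added example, not part of the bug report or of libvirt. It parses the <idmap>
from the domain XML and translates each file's container-side UID/GID to the
host-side id that the mapping assigns; ids with no mapping are reported, not
guessed. Applying the chown for real needs root on the host.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

# Constructed copy of the <idmap> from the report's domain definition.
DOMAIN_XML = """<domain type='lxc'>
  <name>myct</name>
  <idmap>
    <uid start='0' target='70000' count='1001'/>
    <uid start='65534' target='71001' count='1'/>
    <gid start='0' target='70000' count='1001'/>
    <gid start='65534' target='71001' count='1'/>
  </idmap>
</domain>"""


def parse_idmap(xml_text):
    """Return (uid_ranges, gid_ranges); each range is (start, target, count)."""
    root = ET.fromstring(xml_text)
    ranges = {"uid": [], "gid": []}
    for kind, out in ranges.items():
        for el in root.iterfind("./idmap/" + kind):
            out.append((int(el.get("start")), int(el.get("target")), int(el.get("count"))))
    return ranges["uid"], ranges["gid"]


def map_id(ranges, container_id):
    """Translate a container-side id to its host-side id, or None if no range covers it."""
    for start, target, count in ranges:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def plan_shift(rootfs, uid_ranges, gid_ranges):
    """Walk rootfs without following symlinks and return (plan, unmapped):
    plan is [(path, host_uid, host_gid)]; unmapped is [(path, uid, gid)] for
    entries whose current owner or group has no target in the idmap."""
    plan, unmapped = [], []
    for dirpath, _dirs, files in os.walk(rootfs):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            uid, gid = map_id(uid_ranges, st.st_uid), map_id(gid_ranges, st.st_gid)
            if uid is None or gid is None:
                unmapped.append((path, st.st_uid, st.st_gid))
            else:
                plan.append((path, uid, gid))
    return plan, unmapped


def apply_shift(plan):
    """Apply a plan with lchown so symlinks themselves are re-owned, not their targets."""
    for path, uid, gid in plan:
        os.lchown(path, uid, gid)


UID_RANGES, GID_RANGES = parse_idmap(DOMAIN_XML)


def demo():
    """Dry run over a throwaway tree: root dir, one file, one subdir, one nested file.
    Returns (plan, unmapped, expected_uid), where expected_uid is the host id the
    idmap assigns to the user running this script (None if that uid is unmapped)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "etc"))
        for rel in ("passwd_copy", os.path.join("etc", "hostname")):
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write("constructed sample\n")
        plan, unmapped = plan_shift(tmp, UID_RANGES, GID_RANGES)
    return plan, unmapped, map_id(UID_RANGES, os.getuid())


if __name__ == "__main__":
    # usage (paths are examples): shift_rootfs.py /mnt/myct domain.xml [--apply]
    if len(sys.argv) < 3:
        plan, unmapped, _ = demo()
        print("dry run on a temp tree: %d mapped, %d unmapped" % (len(plan), len(unmapped)))
        sys.exit(0)
    with open(sys.argv[2]) as fh:
        uids, gids = parse_idmap(fh.read())
    plan, unmapped = plan_shift(sys.argv[1], uids, gids)
    for path, uid, gid in unmapped:
        print("unmapped owner %d:%d on %s" % (uid, gid, path), file=sys.stderr)
    if "--apply" in sys.argv[3:]:
        apply_shift(plan)
    else:
        for path, uid, gid in plan:
            print("%s -> %d:%d" % (path, uid, gid))
```

Run it as root while the loop device is still mounted (between steps 5 and 7); without `--apply` it only prints the planned ownership changes, and any file whose owner lies outside the mapping is listed on stderr instead of being mapped to a guessed id. Note that shifting the rootfs does not address the failure itself: the report's `chmod o+w` on /var/run/libvirt/lxc and `chmod o+rw` on /dev/loop0 leave those paths world-writable and, as the last error shows, the mapped UID still cannot perform the mount, so the pre-mount steps have to run with host privileges rather than under the idmap.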