Bug 1394200

Summary: lxc container with user namespace and filesystem type file does not start
Product: [Community] Virtualization Tools
Reporter: Arnaud Morel <arnofear4list>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED DEFERRED
Severity: medium
Priority: unspecified
Version: unspecified
CC: berrange, libvirt-maint, Molly.Jo.Bault
Hardware: x86_64
OS: Linux
Last Closed: 2024-12-17 12:39:19 UTC
Type: Bug

Description Arnaud Morel 2016-11-11 11:47:34 UTC
Description of problem:
LXC container with user namespace and filesystem type file (raw|nbd) can't start, because the Libvirt pre-commands are executed under the UID/GID mapping.

Version-Release number of selected component (if applicable):
2.4.0 and previous versions

How reproducible:
Always

Steps to Reproduce:
1. Create the raw file
# qemu-img create -f raw /my/myctd1.raw 1G

2. Format the raw file
# mkfs.ext4 -F /my/myctd1.raw

3. Set up the loop device
# losetup /dev/loop0 /my/myctd1.raw

4. Mount the loop device
# mount /dev/loop0 /mnt/myct

5. Copy a rootfs

6. Shift the UID/GID mapping on /mnt/myct

7. Umount the loop device
# umount /mnt/myct
# losetup -d /dev/loop0

8. Define the container as below
<domain type='lxc'>
  <name>myct</name>
  <memory unit='KiB'>131072</memory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/systemd</init>
  </os>
  <idmap>
    <uid start='0' target='70000' count='1001'/>
    <uid start='65534' target='71001' count='1'/>
    <gid start='0' target='70000' count='1001'/>
    <gid start='65534' target='71001' count='1'/>
  </idmap>
  <features>
    <privnet/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
    <filesystem type='file' accessmode='passthrough'>
      <driver type='loop' format='raw'/>
      <source file='/my/myctd1.raw'/>
      <target dir='/'/>
    </filesystem>
    <console type='pty'/>
  </devices>
</domain>

9. Start the container
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to create /var/run/libvirt/lxc/myct.root: Permission denied

Actual results:
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to create /var/run/libvirt/lxc/myct.root: Permission denied

Expected results:
Domain myct started

Additional info:
Just to get the next errors ...

# chmod o+w /var/run/libvirt/lxc/
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Unable to open filesystem /dev/loop0: Permission denied

# chmod o+rw /dev/loop0
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to mount device /dev/loop0 to /var/run/libvirt/lxc/myct.root as ext4: Operation not permitted
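Step 6 of the reproduction ("Shift the UID/GID mapping on /mnt/myct") is the part the report does not spell out. The script below is an added example, not part of the bug report and not libvirt's own tooling: it reads the `<idmap>` from the domain definition above and translates the owner of every entry in the copied rootfs from container IDs (0..1000 and 65534) to the host IDs the mapping assigns (70000..71000 and 71001), which is what lets processes inside the user namespace access their own files. `ROOTFS` is a placeholder for the mount point from step 4; `demo_plan()` and the constructed temp tree exist only to show the dry run. Symlinks are inspected and changed with `lstat`/`lchown` and never followed, so a link pointing outside the rootfs cannot cause host files to be re-owned, and IDs that fall outside every range are reported rather than guessed (an assumption about how to treat them, not libvirt behaviour). Applying the plan needs root.

```python
"""Translate rootfs file ownership to the host IDs assigned by a libvirt <idmap>.

Added example for step 6 of the reproduction (not part of the bug report and
not libvirt's own code). ROOTFS is a placeholder; run with --apply as root.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# The <idmap> from the domain definition in the report (other elements omitted).
DOMAIN_XML = """<domain type='lxc'>
  <name>myct</name>
  <idmap>
    <uid start='0' target='70000' count='1001'/>
    <uid start='65534' target='71001' count='1'/>
    <gid start='0' target='70000' count='1001'/>
    <gid start='65534' target='71001' count='1'/>
  </idmap>
</domain>"""

ROOTFS = "/mnt/myct"  # placeholder: the mounted loop device from step 4

IdRange = Tuple[int, int, int]           # (start, target, count) as in the XML attributes
PlanEntry = Tuple[str, int, int, int, int]  # (path, uid, gid, new_uid, new_gid)


def parse_idmap(domain_xml: str) -> Tuple[List[IdRange], List[IdRange]]:
    """Return the <uid> and <gid> ranges declared in the domain's <idmap>."""
    idmap = ET.fromstring(domain_xml).find("idmap")
    if idmap is None:
        raise ValueError("domain has no <idmap>; nothing to shift")

    def ranges(tag: str) -> List[IdRange]:
        return [(int(e.get("start")), int(e.get("target")), int(e.get("count")))
                for e in idmap.findall(tag)]

    return ranges("uid"), ranges("gid")


def map_id(ranges: List[IdRange], container_id: int) -> Optional[int]:
    """Host ID for a container ID, or None when no range covers it."""
    for start, target, count in ranges:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def plan_shift(rootfs: str, uid_ranges: List[IdRange],
               gid_ranges: List[IdRange]) -> Tuple[List[PlanEntry], List[str]]:
    """Walk rootfs without following symlinks and compute each entry's new owner.

    Entries whose uid or gid lies outside every range are returned separately
    instead of being mapped to a guessed value (assumption: the caller decides).
    """
    plan, unmapped = [], []
    paths = [rootfs]
    for dirpath, dirnames, filenames in os.walk(rootfs):  # followlinks=False by default
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)  # lstat: the symlink itself is shifted, its target is untouched
        new_uid = map_id(uid_ranges, st.st_uid)
        new_gid = map_id(gid_ranges, st.st_gid)
        if new_uid is None or new_gid is None:
            unmapped.append(path)
        else:
            plan.append((path, st.st_uid, st.st_gid, new_uid, new_gid))
    return plan, unmapped


def apply_shift(plan: List[PlanEntry]) -> int:
    """Apply a plan with lchown (needs CAP_CHOWN); returns the number of entries changed."""
    for path, _, _, new_uid, new_gid in plan:
        os.lchown(path, new_uid, new_gid)
    return len(plan)


def demo_plan() -> Tuple[List[PlanEntry], List[str]]:
    """Dry run over a constructed three-entry tree (dir, file, symlink) in a temp dir."""
    uids, gids = parse_idmap(DOMAIN_XML)
    root = tempfile.mkdtemp(prefix="idmap-demo-")
    with open(os.path.join(root, "etc-hostname"), "w") as f:
        f.write("myct\n")
    os.symlink("/etc/hostname", os.path.join(root, "link"))  # must not be followed
    return plan_shift(root, uids, gids)


if __name__ == "__main__":
    uids, gids = parse_idmap(DOMAIN_XML)
    plan, unmapped = plan_shift(ROOTFS, uids, gids)
    for path, uid, gid, new_uid, new_gid in plan:
        print(f"{path}: {uid}:{gid} -> {new_uid}:{new_gid}")
    for path in unmapped:
        print(f"{path}: owner outside the idmap, left unchanged", file=sys.stderr)
    if "--apply" in sys.argv:
        print(f"changed {apply_shift(plan)} entries")
```

Run without arguments the script only prints the planned changes; with `--apply` it re-owns the tree. Because the mapping is taken from the same XML the container is defined with, a rootfs shifted this way matches what the kernel will present inside the namespace, which is also why the unmapped host-side paths in the errors above (`/var/run/libvirt/lxc/myct.root`, `/dev/loop0`) remain inaccessible no matter how the rootfs itself is shifted: they are never part of the container's id mapping.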

Comment 1 Molly Jo Bault 2017-03-23 22:51:30 UTC
If you are running CentOS or RHEL you might find this interesting: https://github.com/lxc/lxc/issues/842

Comment 2 Daniel Berrangé 2024-12-17 12:39:19 UTC
Thank you for reporting this issue to the libvirt project. Unfortunately we have been unable to resolve this issue due to insufficient maintainer capacity and it will now be closed. This is not a reflection on the possible validity of the issue, merely the lack of resources to investigate and address it, for which we apologise. If you none the less feel the issue is still important, you may choose to report it again at the new project issue tracker https://gitlab.com/libvirt/libvirt/-/issues The project also welcomes contribution from anyone who believes they can provide a solution.