Description of problem:
LXC container with user namespace and filesystem type file (raw|nbd) can't start, because the Libvirt pre-commands are executed under the UID/GID mapping.

Version-Release number of selected component (if applicable):
2.4.0 and previous versions

How reproducible:
Always

Steps to Reproduce:
1. Create the raw file
   # qemu-img create -f raw /my/myctd1.raw 1G
2. Format the raw file
   # mkfs.ext4 -F /my/myctd1.raw
3. Set up the loop device
   # losetup /dev/loop0 /my/myctd1.raw
4. Mount the loop device
   # mount /dev/loop0 /mnt/myct
5. Copy a rootfs
6. Shift the UID/GID mapping on /mnt/myct
7. Unmount the loop device
   # umount /mnt/myct
   # losetup -d /dev/loop0
8. Define the container as below
   <domain type='lxc'>
     <name>myct</name>
     <memory unit='KiB'>131072</memory>
     <vcpu placement='static'>1</vcpu>
     <os>
       <type arch='x86_64'>exe</type>
       <init>/bin/systemd</init>
     </os>
     <idmap>
       <uid start='0' target='70000' count='1001'/>
       <uid start='65534' target='71001' count='1'/>
       <gid start='0' target='70000' count='1001'/>
       <gid start='65534' target='71001' count='1'/>
     </idmap>
     <features>
       <privnet/>
     </features>
     <clock offset='utc'/>
     <on_poweroff>destroy</on_poweroff>
     <on_reboot>restart</on_reboot>
     <on_crash>destroy</on_crash>
     <devices>
       <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
       <filesystem type='file' accessmode='passthrough'>
         <driver type='loop' format='raw'/>
         <source file='/my/myctd1.raw'/>
         <target dir='/'/>
       </filesystem>
       <console type='pty'/>
     </devices>
   </domain>
9. Start the container
   # virsh -c lxc:/// start myct
   error: Failed to start domain myct
   error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to create /var/run/libvirt/lxc/myct.root: Permission denied

Actual results:
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to create /var/run/libvirt/lxc/myct.root: Permission denied

Expected results:
Domain myct started

Additional info:
Just to get the next errors ...
# chmod o+w /var/run/libvirt/lxc/
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Unable to open filesystem /dev/loop0: Permission denied
# chmod o+rw /dev/loop0
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to mount device /dev/loop0 to /var/run/libvirt/lxc/myct.root as ext4: Operation not permitted
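Step 6 of the reproduction ("shift the UID/GID mapping on /mnt/myct") is left unspecified. The Python below is an added example, not part of the report or of libvirt: it reads the <idmap> ranges from the domain XML above, maps each container id to its host id exactly as the kernel's uid_map/gid_map would, and walks a rootfs chowning entries accordingly, flagging any id that falls outside every range (such files would show up as nobody/nogroup inside the container). The DOMAIN_XML excerpt and the dry-run default are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed excerpt of the domain XML from the report (only <idmap> matters here).
DOMAIN_XML = """<domain type='lxc'><name>myct</name><idmap>
  <uid start='0' target='70000' count='1001'/>
  <uid start='65534' target='71001' count='1'/>
  <gid start='0' target='70000' count='1001'/>
  <gid start='65534' target='71001' count='1'/>
</idmap></domain>"""


def parse_idmap(xml_text):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]} from <idmap>."""
    root = ET.fromstring(xml_text)
    ranges = {'uid': [], 'gid': []}
    for kind in ranges:
        for el in root.findall("./idmap/" + kind):
            ranges[kind].append((int(el.get('start')),
                                 int(el.get('target')),
                                 int(el.get('count'))))
    return ranges


def map_id(ranges, cid):
    """Container id -> host id, or None when the id lies outside every range."""
    for start, target, count in ranges:
        if start <= cid < start + count:
            return target + (cid - start)
    return None


def shift_tree(rootfs, idmap, dry_run=True):
    """Walk rootfs (step 6) and chown entries from container ids to host ids.

    Returns (changed, unmapped): changed lists (path, host_uid, host_gid) that
    were (or, in dry_run, would be) applied; unmapped lists paths whose current
    uid or gid has no mapping and is therefore left untouched.
    """
    changed, unmapped = [], []
    for dirpath, dirnames, filenames in os.walk(rootfs):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never follow symlinks in a rootfs
            uid = map_id(idmap['uid'], st.st_uid)
            gid = map_id(idmap['gid'], st.st_gid)
            if uid is None or gid is None:
                unmapped.append(path)
                continue
            changed.append((path, uid, gid))
            if not dry_run:
                os.lchown(path, uid, gid)
    return changed, unmapped
```

Run with dry_run=False as root against the mounted loop device from step 4; review the unmapped list first, since a rootfs copied with ids above 1000 will not be reachable through this idmap.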
If you are running CentOS or RHEL you might find this interesting: https://github.com/lxc/lxc/issues/842
Thank you for reporting this issue to the libvirt project. Unfortunately we have been unable to resolve this issue due to insufficient maintainer capacity and it will now be closed. This is not a reflection on the possible validity of the issue, merely the lack of resources to investigate and address it, for which we apologise. If you none the less feel the issue is still important, you may choose to report it again at the new project issue tracker https://gitlab.com/libvirt/libvirt/-/issues The project also welcomes contribution from anyone who believes they can provide a solution.