Bug 1394200 - lxc container with user namespace and filesystem type file does not start
Summary: lxc container with user namespace and filesystem type file does not start
Keywords:
Status: NEW
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-11 11:47 UTC by Arnaud Morel
Modified: 2018-07-18 15:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Arnaud Morel 2016-11-11 11:47:34 UTC
Description of problem:
An LXC container with a user namespace and a filesystem of type file (raw|nbd) can't start, because the Libvirt pre-commands are executed under the UID/GID mapping.

Version-Release number of selected component (if applicable):
2.4.0 and previous versions

How reproducible:
Always

Steps to Reproduce:
1. Create the raw file
# qemu-img create -f raw /my/myctd1.raw 1G

2. Format the raw file
# mkfs.ext4 -F /my/myctd1.raw

3. Set up the loop device
# losetup /dev/loop0 /my/myctd1.raw

4. Mount the loop device
# mount /dev/loop0 /mnt/myct

5. Copy a rootfs

6. Shift the UID/GID mapping on /mnt/myct

7. Unmount the loop device
# umount /mnt/myct
# losetup -d /dev/loop0

8. Define the container as below
<domain type='lxc'>
  <name>myct</name>
  <memory unit='KiB'>131072</memory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/systemd</init>
  </os>
  <idmap>
    <uid start='0' target='70000' count='1001'/>
    <uid start='65534' target='71001' count='1'/>
    <gid start='0' target='70000' count='1001'/>
    <gid start='65534' target='71001' count='1'/>
  </idmap>
  <features>
    <privnet/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
    <filesystem type='file' accessmode='passthrough'>
      <driver type='loop' format='raw'/>
      <source file='/my/myctd1.raw'/>
      <target dir='/'/>
    </filesystem>
    <console type='pty'/>
  </devices>
</domain>

9. Start the container
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to create /var/run/libvirt/lxc/myct.root: Permission denied

Actual results:
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to create /var/run/libvirt/lxc/myct.root: Permission denied

Expected results:
Domain myct started

Additional info:
Just to get the next errors ...

# chmod o+w /var/run/libvirt/lxc/
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Unable to open filesystem /dev/loop0: Permission denied

# chmod o+rw /dev/loop0
# virsh -c lxc:/// start myct
error: Failed to start domain myct
error: internal error: guest failed to start: Failure in libvirt_lxc startup: Failed to mount device /dev/loop0 to /var/run/libvirt/lxc/myct.root as ext4: Operation not permitted
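Step 6 of the reproduction ("Shift the UID/GID mapping on /mnt/myct") is not spelled out. The following Python script is an added example, not part of the bug report or of libvirt: it reads the `<idmap>` ranges from the domain XML of step 8 and re-owns the rootfs mounted in step 4 accordingly. `DOMAIN_XML`, `parse_idmap`, `map_id`, `plan_shift` and `shift_tree` are names chosen here; `shift_tree(..., apply=True)` needs root and the loop device still mounted.

```python
import os
import xml.etree.ElementTree as ET

# Copy of the <idmap> from the domain defined in step 8 (constructed here for the example).
DOMAIN_XML = """<domain type='lxc'><idmap>
    <uid start='0' target='70000' count='1001'/>
    <uid start='65534' target='71001' count='1'/>
    <gid start='0' target='70000' count='1001'/>
    <gid start='65534' target='71001' count='1'/>
</idmap></domain>"""

def parse_idmap(xml_text):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]} from the domain XML."""
    root = ET.fromstring(xml_text)
    ranges = {"uid": [], "gid": []}
    for kind in ranges:
        for el in root.iterfind(f"./idmap/{kind}"):
            ranges[kind].append(tuple(int(el.get(a)) for a in ("start", "target", "count")))
    return ranges

def map_id(ranges, ident):
    """Translate a container-side id to the host-side id, or None if the idmap omits it."""
    for start, target, count in ranges:
        if start <= ident < start + count:
            return target + (ident - start)
    return None

def plan_shift(entries, idmap):
    """Map each (path, uid, gid) of the unshifted rootfs to (path, host_uid, host_gid).
    An id outside the idmap raises so the tree is never left half-shifted."""
    plan = []
    for path, uid, gid in entries:
        new_uid, new_gid = map_id(idmap["uid"], uid), map_id(idmap["gid"], gid)
        if new_uid is None or new_gid is None:
            raise ValueError(f"{path}: uid {uid} / gid {gid} has no idmap entry")
        plan.append((path, new_uid, new_gid))
    return plan

def shift_tree(root, idmap, apply=False):
    """Plan (and with apply=True perform, which needs root) the re-owning of root.
    lstat/lchown are used so a symlink inside the rootfs cannot redirect the chown."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    stats = [(p, os.lstat(p)) for p in paths]
    plan = plan_shift([(p, st.st_uid, st.st_gid) for p, st in stats], idmap)
    if apply:
        for path, uid, gid in plan:
            os.lchown(path, uid, gid)
    return plan
```

Run `shift_tree("/mnt/myct", parse_idmap(DOMAIN_XML))` first to review the plan; only ids covered by the idmap (0-1000 and 65534) are accepted, which is exactly what the container can own through the mapping.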

Comment 1 Molly Jo Bault 2017-03-23 22:51:30 UTC
If you are running CentOS or RHEL you might find this interesting: https://github.com/lxc/lxc/issues/842

