Unable to reproduce the default lxc uid/gid mapping on Ubuntu 16.04?

I'm trying to understand how lxc.id_map works, but my problem is that I can't even reproduce the default UID mapping. It seems that no matter what lxc.id_map I set, it always returns the error "Failed to set up id mapping."

I ran the following test on a fresh install of 16.04 64-bit with all default settings.

I created a new container as a non-root user:

lxc launch images:ubuntu/xenial/amd64 u1

It seems the container starts with root as uid=165536:

ggyimesi@lxctest:~$ ps aux | grep init
root         1  0.2  0.1 119756  6076 ?        Ss   20:43   0:01 /sbin/init splash
165536    5628  0.0  0.1  37008  5120 ?        Ss   20:50   0:00 /sbin/init
ggyimesi  5951  0.0  0.0  21292  1032 pts/17   S+   20:57   0:00 grep --color=auto init

So I stopped the container and edited the config with lxc config edit u1, adding the lxc.id_map lines as follows:

architecture: x86_64
config:
  raw.lxc: |
    lxc.id_map = u 0 165536 65536
    lxc.id_map = g 0 165536 65536
  volatile.base_image: bff1ac73dada477000de5efbbd84ca12b0761fd4100f13ee39f9345553edb2f3
  volatile.eth0.hwaddr: 00:16:3e:e9:ea:b0
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
devices:
  root:
    path: /
    type: disk
ephemeral: false
profiles:
- default

Now the container fails to start:

ggyimesi@lxctest:~$ lxc start u1
error: Error calling 'lxd forkstart u1 /var/lib/lxd/containers /var/log/lxd/u1/lxc.conf': err='exit status 1'
  lxc 20170309200441.616 ERROR lxc_cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1306 - Path "/sys/fs/cgroup/systemd//lxc/u1" already existed.
  lxc 20170309200441.616 ERROR lxc_cgfsng - cgroups/cgfsng.c:cgfsng_create:1363 - No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/u1: No such file or directory
  lxc 20170309200441.759 ERROR lxc_start - start.c:lxc_spawn:1171 - Failed to set up id mapping.
  lxc 20170309200441.119 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "u1".
  lxc 20170309200441.643 ERROR lxc_conf - conf.c:run_buffer:405 - Script exited with status 1.
  lxc 20170309200441.643 ERROR lxc_start - start.c:lxc_fini:546 - Failed to run lxc.hook.post-stop for container "u1".
  lxc 20170309200441.645 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.645 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/systemd//lxc/u1-1
  lxc 20170309200441.649 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.649 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/net_cls//lxc/u1-1
  lxc 20170309200441.652 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.652 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/perf_event//lxc/u1-1
  lxc 20170309200441.654 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.654 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/cpu//lxc/u1-1
  lxc 20170309200441.655 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.656 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/devices//lxc/u1-1
  lxc 20170309200441.657 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.657 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/blkio//lxc/u1-1
  lxc 20170309200441.659 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.659 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/hugetlb//lxc/u1-1
  lxc 20170309200441.661 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.661 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/pids//lxc/u1-1
  lxc 20170309200441.662 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.662 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/cpuset//lxc/u1-1
  lxc 20170309200441.664 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.664 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/memory//lxc/u1-1
  lxc 20170309200441.666 ERROR lxc_conf - conf.c:userns_exec_1:4453 - Error setting up child mappings
  lxc 20170309200441.666 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1270 - Error destroying /sys/fs/cgroup/freezer//lxc/u1-1

Try `lxc info --show-log u1` for more info

Maybe I'm missing something, but shouldn't this be the default setting, i.e. shouldn't the container start as before? Removing the lxc.id_map lines from the config makes the container start without any errors.

Can someone point me in the right direction as to why the above configuration doesn't work?
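As an added example (not part of the original question, and not LXC's or LXD's own code), the POSIX shell functions below make the mapping in the question concrete. They translate IDs through map lines in the same `<first id inside namespace> <first id on host> <length>` format that `/proc/<pid>/uid_map` uses and that forms the value part of `lxc.id_map`, extract that form from `lxc.id_map` lines, and check a candidate map for overlapping ranges, which the kernel refuses to install into a user namespace. The sample values are constructed from the `0 165536 65536` range and the two `raw.lxc` lines shown in the question; nothing here talks to LXD.

```sh
#!/bin/sh
# Added example, not code from the original question or from LXC/LXD.
# Map lines use the same format as /proc/<pid>/uid_map and the value part
# of lxc.id_map:   <first id inside namespace> <first id on host> <length>

# Constructed sample: the single range the question's config uses.
DEFAULT_MAP="0 165536 65536"

# Constructed sample: the raw.lxc lines added in the question.
RAW_LXC_LINES="lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536"

# lxc_idmap_to_map LINES TYPE: pick the entries of TYPE (u or g) out of
# lxc.id_map-style lines and print them in uid_map/gid_map format.
lxc_idmap_to_map() {
    printf '%s\n' "$1" | awk -v t="$2" '
        { for (i = 1; i <= NF; i++)
              if ($i == t && i + 3 <= NF) { print $(i+1), $(i+2), $(i+3); break } }'
}

# ns_to_host MAP ID: the host ID that an in-namespace ID is stored on disk as.
# IDs outside every range fall back to 65534 (the kernel overflowuid, "nobody").
ns_to_host() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print 65534 }'
}

# host_to_ns MAP ID: what a host ID looks like from inside the namespace.
# A host ID outside every range shows up as 65534 as well.
host_to_ns() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $2 && id < $2 + $3 { print $1 + (id - $2); found = 1; exit }
        END { if (!found) print 65534 }'
}

# map_overlaps MAP: succeed (status 0) if any two entries overlap, either in
# their namespace range or in their host range. The kernel rejects a uid_map
# or gid_map write that contains such entries, so a map assembled from more
# than one source is worth checking before it reaches a container runtime.
map_overlaps() {
    printf '%s\n' "$1" | awk '
        NF == 3 { n++; ns[n] = $1; host[n] = $2; len[n] = $3 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++) {
                    if (ns[i] < ns[j] + len[j] && ns[j] < ns[i] + len[i]) bad = 1
                    if (host[i] < host[j] + len[j] && host[j] < host[i] + len[i]) bad = 1
                }
            exit (bad ? 0 : 1)
        }'
}

# Walk through the values from the question.
echo "container root (uid 0) is host uid $(ns_to_host "$DEFAULT_MAP" 0)"
echo "container uid 1000 is host uid $(ns_to_host "$DEFAULT_MAP" 1000)"
echo "host uid 165536 appears inside the container as uid $(host_to_ns "$DEFAULT_MAP" 165536)"
echo "host uid 1000 appears inside the container as uid $(host_to_ns "$DEFAULT_MAP" 1000)"

UMAP=$(lxc_idmap_to_map "$RAW_LXC_LINES" u)
echo "uid map taken from the raw.lxc lines: $UMAP"

# The same range listed twice is an overlap; the kernel would refuse such a map.
if map_overlaps "$(printf '%s\n%s' "$DEFAULT_MAP" "$UMAP")"; then
    echo "overlap: the range '$UMAP' is already present in the map"
fi
```

The functions accept gid maps unchanged, since `/proc/<pid>/gid_map` and the `g` lines of `lxc.id_map` use the same three-field format; to inspect a running container's effective map, feed the functions the contents of `/proc/<pid>/uid_map` for the container's init process (here the `/sbin/init` running as 165536 in the `ps` output).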
