Unprivileged LXC and grsecurity kernel
- 1 month 2 weeks ago
Hello. Excuse me, please, but it seems that there is some kind of incompatibility between grsec kernel variants and the use of unprivileged LXC containers... Or maybe I do something wrong.
I try to create such a container with the command
# lxc-create -B btrfs -f /etc/lxc/default.conf -n alpine_1 -t download -- -d alpine -r 3.4 -a i386
/etc/lxc/default.conf I have created and changed to something like:
# Alpine fix from /etc/lxc/lxc.conf
lxc.cgroup.use = @kernel
...
# Mapping
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
The root user has a subuid and subgid range.
But I receive an error:
newuidmap: Target process 2106 is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:30
error mapping child setgid: Invalid argument
lxc-create: lxccontainer.c: create_run_template: 1290 container creation template for ... failed
lxc-create: tools/lxc_create.c: main: 318 Error creating container
Maybe, this github issue is related to the problem...
It works with vanilla kernel on Alpine Linux, also it works on Arch Linux with grsec kernel from their repo (their version is built without
I just hope - is there some workaround without a kernel rebuild? Sorry.
Alpine Linux v3.5, kernel:
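The post pairs lxc.id_map lines in the container config with subuid/subgid ranges granted to root. As an added example (not from the original post and not LXC's own tooling), the POSIX shell script below checks that precondition mechanically: every "lxc.id_map = u|g CTR_START HOST_START COUNT" entry must fall inside a "user:start:count" line of the subordinate id file. It only verifies the range bookkeeping in the config and the subuid/subgid files; it says nothing about kernel-side restrictions, which is what the post is asking about. The user name and file paths are parameters, and make_samples writes constructed sample files so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from LXC itself:
# verify that every lxc.id_map line in a container config lies inside the
# subordinate id ranges granted to a user in /etc/subuid and /etc/subgid.
# Paths and the user name are parameters, so the check can run against the
# constructed sample files written by make_samples below.

# covered RANGES_FILE USER HOST_START COUNT
# RANGES_FILE uses the /etc/subuid format "user:start:count".
# Exit status 0 if [HOST_START, HOST_START+COUNT) lies inside one of
# USER's ranges, 1 otherwise.
covered() {
    awk -F: -v user="$2" -v start="$3" -v count="$4" '
        $1 == user && $2 <= start && start + count <= $2 + $3 { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# check_idmap CONFIG USER SUBUID_FILE SUBGID_FILE
# Prints one line per lxc.id_map entry that is NOT covered by USER's
# subordinate ranges (a malformed entry is reported too).
# Exit status 0 when every mapping is covered, 1 otherwise.
check_idmap() {
    missing=$(
        # Reduce "lxc.id_map = u 0 100000 65536" to "u 0 100000 65536".
        sed -n 's/^[[:space:]]*lxc\.id_map[[:space:]]*=[[:space:]]*//p' "$1" |
        while read -r kind ctr_start host_start count; do
            case "$kind" in
                u) file="$3" ;;
                g) file="$4" ;;
                *) echo "unknown id_map kind: $kind"; continue ;;
            esac
            covered "$file" "$2" "$host_start" "$count" ||
                echo "$kind $ctr_start $host_start $count not in $file for $2"
        done
    )
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# make_samples DIR
# Writes constructed sample files into DIR: a config with the same id_map
# lines as the post, a subuid file covering the uid mapping, a subgid file
# that covers the gid mapping ("ok") and one that does not ("bad").
make_samples() {
    mkdir -p "$1"
    cat > "$1/default.conf" <<'EOF'
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
EOF
    echo 'root:100000:65536' > "$1/subuid"
    echo 'root:100000:65536' > "$1/subgid.ok"
    echo 'root:200000:65536' > "$1/subgid.bad"
}

# Stand-alone demonstration against the constructed files.
dir=$(mktemp -d)
make_samples "$dir"
check_idmap "$dir/default.conf" root "$dir/subuid" "$dir/subgid.ok" && echo "all mappings covered"
check_idmap "$dir/default.conf" root "$dir/subuid" "$dir/subgid.bad" || echo "fix the subgid range before lxc-create"
rm -rf "$dir"
```

On a real host, run it as `check_idmap /etc/lxc/default.conf root /etc/subuid /etc/subgid`; a non-zero exit pinpoints the mapping line whose host range is not delegated to that user.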