[ISSUE] users running unprivileged lxc container no worky no more.

[ISSUE] users running unprivileged lxc container no worky no more.

[egrain]

[-- Attachment #1: Type: text/plain, Size: 2414 bytes --]

New issue by egrain on void-packages repository

https://github.com/void-linux/void-packages/issues/38682

Description:
### Is this a new report?

Yes

### System Info

5.18.17_1 #1 SMP PREEMPT_DYNAMIC Fri Aug 12 13:53:18 UTC 2022 x86_64 GNU/Linux musl.

### Package(s) Affected

lxc-5.0.1_1

### Does a report exist for this bug with the project's home (upstream) and/or another distro?

_No response_

### Expected behaviour

It working like it did before the update. All I did was XBoxPlayStation-install -Su and init 6. 

### Actual behaviour

lxc-start: alpina: ../src/lxc/network.c: lxc_create_network_unpriv_exec: 2990 lxc-user-nic failed to configure requested network: ../src/lxc/cmd/lxc_user_nic.c: 802: create_db_dir - Permission denied - Failed to create /run/lxc

../src/lxc/cmd/lxc_user_nic.c: 1125: main: Failed to create directory for db file
lxc-start: alpina: ../src/lxc/start.c: lxc_spawn: 1840 Failed to create the network
lxc-start: alpina: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "alpina"
lxc-start: alpina: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: alpina: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

and if i mkdir /run/lxc, chown lxcuser /run/lxc i get this:

lxc-start: alpina: ../src/lxc/network.c: lxc_create_network_unpriv_exec: 2990 lxc-user-nic failed to configure requested network: ../src/lxc/cmd/lxc_user_nic.c: 474: instantiate_veth - Operation not permitted - Failed to create veth1003_cv7j-veth1003_cv7jp

../src/lxc/cmd/lxc_user_nic.c: 529: create_nic: Error creating veth tunnel
../src/lxc/cmd/lxc_user_nic.c: 720: get_nic_if_avail: Failed to create new nic
../src/lxc/cmd/lxc_user_nic.c: 1206: main: Quota reached
lxc-start: alpina: ../src/lxc/start.c: lxc_spawn: 1840 Failed to create the network
lxc-start: alpina: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "alpina"
lxc-start: alpina: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: alpina: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options



### Steps to reproduce

Have a working lxc user + container.
Update the system.
Reboot.
Try and start it with: lxc-start -n nameofyourcontainer -F

Thanks for reading.

Re: users running unprivileged lxc container no worky no more.

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 798 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217066107

Comment:
> ../src/lxc/cmd/lxc_user_nic.c: 720: get_nic_if_avail: Failed to create new nic
> ../src/lxc/cmd/lxc_user_nic.c: 1206: main: Quota reached

From the [lxc-user-nic manpage](https://man.voidlinux.org/lxc-user-nic):

```
lxc-user-nic is a setuid-root program with which unprivileged users may
manage network interfaces for use by a lxc container.

It will consult the configuration file /etc/lxc/lxc-usernet to
determine the number of interfaces which the calling user is allowed to
create, and which bridge they may attach them to.
```

What is the contents of that file? See also [lxc-usernet(5)](https://man.voidlinux.org/lxc-usernet).

Re: users running unprivileged lxc container no worky no more.

[egrain]

[-- Attachment #1: Type: text/plain, Size: 1124 bytes --]

New comment by egrain on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217079670

Comment:
As I said I haven't changed anything. The file is the same it was before the system upgrade:
lexie veth skib 1

Also I think that doesn't touch the first issue with the /run/lxc permissions. But of course I prefer to solve things my own self, so i turned it up to 11 (50 actually) before I asked in the void channel, but still no cigar.

Also since I'm guessing you'll ask for this next:
9: skib: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 56:d4:0f:45:0e:f1 brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/30 scope global skib
       valid_lft forever preferred_lft forever
    inet6 fe80::54d4:fff:fe45:ef1/64 scope link 
       valid_lft forever preferred_lft forever

but i have a script for creating it and i didn't change that either. I upgraded and rebooted the box quite a few times and it always worked. I really don't think I did anything wrong, ... otherwise I wouldn't have reported it obviously.

Re: users running unprivileged lxc container no worky no more.

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 216 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217114765

Comment:
Maybe this will fix it:

   chmod +s /usr/libexec/lxc/lxc-user-nic

Re: users running unprivileged lxc container no worky no more.

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 212 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217114765

Comment:
Maybe this will fix it: `chmod +s /usr/libexec/lxc/lxc-user-nic`

Re: users running unprivileged lxc container no worky no more.

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 213 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217114765

Comment:
Maybe this will fix it: `chmod o+s /usr/libexec/lxc/lxc-user-nic`

Re: users running unprivileged lxc container no worky no more.

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 213 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217114765

Comment:
Maybe this will fix it: `chmod u+s /usr/libexec/lxc/lxc-user-nic`

Re: users running unprivileged lxc container no worky no more.

[egrain]

[-- Attachment #1: Type: text/plain, Size: 269 bytes --]

New comment by egrain on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217125836

Comment:
That works, but that can't be right. Root created the file so I would be running it as root. I don't think that's a good idea.

Re: users running unprivileged lxc container no worky no more.

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 270 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217129847

Comment:
@egrain that is exactly how networking works for unprivileged LXC containers. Re-read my first comment / read the manpage.

Re: users running unprivileged lxc container no worky no more.

[egrain]

[-- Attachment #1: Type: text/plain, Size: 202 bytes --]

New comment by egrain on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217132653

Comment:
Why did it change the permission though? I for sure didn't.

Re: users running unprivileged lxc container no worky no more.

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 383 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217135722

Comment:
Upstream migrated from autotools to meson. Autotools was setting the bit before, now meson does not set it as setuid so we have to set it manually. That is my best guess. Sorry I broke your use case, hopefully the fix gets merged soon.

Re: users running unprivileged lxc container no worky no more.

[egrain]

[-- Attachment #1: Type: text/plain, Size: 244 bytes --]

New comment by egrain on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217136864

Comment:
No need to apologize. Learned something in the process. All good. Keep up the good work and all that.

Re: users running unprivileged lxc container no worky no more.

[eli-schwartz]

[-- Attachment #1: Type: text/plain, Size: 495 bytes --]

New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217313363

Comment:
> Upstream migrated from autotools to meson. Autotools was setting the bit before, now meson does not set it as setuid so we have to set it manually. That is my best guess.

That's interesting because it's actually set in Meson's permissions:
https://github.com/lxc/lxc/blob/1df8895204244384c468a809f2da5cae2bc44c57/src/lxc/cmd/meson.build#L99

Re: users running unprivileged lxc container no worky no more.

[eli-schwartz]

[-- Attachment #1: Type: text/plain, Size: 194 bytes --]

New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217399023

Comment:
I discovered the issue, and it's a Meson bug.

Re: users running unprivileged lxc container no worky no more.

[eli-schwartz]

[-- Attachment #1: Type: text/plain, Size: 506 bytes --]

New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217402048

Comment:
Note the issue is kind of fun, because Void installs stuff as non-root, but mapped to root via userns, so the kernel doesn't give out its "you are root, so you're exempt from setuid wiping" thing.

And Meson's own testsuite didn't catch that, because our test for the setuid functionality working, didn't include a binary with a build rpath to be deleted.

Re: users running unprivileged lxc container no worky no more.

[egrain]

[-- Attachment #1: Type: text/plain, Size: 189 bytes --]

New comment by egrain on void-packages repository

https://github.com/void-linux/void-packages/issues/38682#issuecomment-1217680118

Comment:
Well if it's a fun issue who am I to complain?

Re: [ISSUE] [CLOSED] users running unprivileged lxc container no worky no more.

[paper42]

[-- Attachment #1: Type: text/plain, Size: 2417 bytes --]

Closed issue by egrain on void-packages repository

https://github.com/void-linux/void-packages/issues/38682

Description:
### Is this a new report?

Yes

### System Info

5.18.17_1 #1 SMP PREEMPT_DYNAMIC Fri Aug 12 13:53:18 UTC 2022 x86_64 GNU/Linux musl.

### Package(s) Affected

lxc-5.0.1_1

### Does a report exist for this bug with the project's home (upstream) and/or another distro?

_No response_

### Expected behaviour

It working like it did before the update. All I did was XBoxPlayStation-install -Su and init 6. 

### Actual behaviour

lxc-start: alpina: ../src/lxc/network.c: lxc_create_network_unpriv_exec: 2990 lxc-user-nic failed to configure requested network: ../src/lxc/cmd/lxc_user_nic.c: 802: create_db_dir - Permission denied - Failed to create /run/lxc

../src/lxc/cmd/lxc_user_nic.c: 1125: main: Failed to create directory for db file
lxc-start: alpina: ../src/lxc/start.c: lxc_spawn: 1840 Failed to create the network
lxc-start: alpina: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "alpina"
lxc-start: alpina: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: alpina: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

and if i mkdir /run/lxc, chown lxcuser /run/lxc i get this:

lxc-start: alpina: ../src/lxc/network.c: lxc_create_network_unpriv_exec: 2990 lxc-user-nic failed to configure requested network: ../src/lxc/cmd/lxc_user_nic.c: 474: instantiate_veth - Operation not permitted - Failed to create veth1003_cv7j-veth1003_cv7jp

../src/lxc/cmd/lxc_user_nic.c: 529: create_nic: Error creating veth tunnel
../src/lxc/cmd/lxc_user_nic.c: 720: get_nic_if_avail: Failed to create new nic
../src/lxc/cmd/lxc_user_nic.c: 1206: main: Quota reached
lxc-start: alpina: ../src/lxc/start.c: lxc_spawn: 1840 Failed to create the network
lxc-start: alpina: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "alpina"
lxc-start: alpina: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: alpina: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options



### Steps to reproduce

Have a working lxc user + container.
Update the system.
Reboot.
Try and start it with: lxc-start -n nameofyourcontainer -F

Thanks for reading.