LXC unprivileged container: No uid mapping for container root

Dear all,

I have got privileged LXC containers up and running on OpenWRT. I did not find any documentation on how to get unprivileged LXC containers working on OpenWRT. Can you give me some pointers/hints? I have created the user in the system but I am stuck on the next steps.

This is what I have so far:

  1. Created unprivileged user
  2. Added kernel.unprivileged_userns_clone=1 to sysctl
  3. Created /etc/subgid and /etc/subuid with root:100000:65536
  4. Added to /etc/lxc/lxc.conf

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

However, I get the following error message when I try to create a container with lxc-create -n test -t download as an unprivileged user.

alex@OpenWrt:~$ lxc-create -n test -t download
lxc-create: test: conf.c: chown_mapped_root: 2853 No uid mapping for container root
lxc-create: test: lxccontainer.c: do_storage_create: 1193 Error chowning /home/alex/.local/share/lxc/test/rootfs to container root
lxc-create: test: conf.c: suggest_default_idmap: 4148 You do not have subuids or subgids allocated
lxc-create: test: conf.c: suggest_default_idmap: 4149 Unprivileged containers require subuids and subgids
lxc-create: test: lxccontainer.c: do_lxcapi_create: 1695 Error creating backing store type (none) for test
lxc-create: test: tools/lxc_create.c: main: 329 Error creating container test

Here is the output from lxc-checkconfig:

alex@OpenWrt:~$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup
Cgroup v2 mount points:
Cgroup v1 systemd controller: /usr/bin/lxc-checkconfig: line 169: printf \033[1;31m: not found
Cgroup v1 freezer controller: /usr/bin/lxc-checkconfig: line 176: printf \033[1;31m: not found
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, loaded
FUSE (for use with lxcfs): enabled, loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: missing
CONFIG_PACKET_DIAG: missing
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled

Any idea?

Thank you,
Alex

I am also facing the same issue.

Did you find any solution for this problem?

Some settings are needed if you use the root user to launch an LXC unprivileged container; here is a sample:

lxc-create --name n6ku22 --template download -- --dist ubuntu --release kinetic --arch amd64
echo "root:100000:65536" >> /etc/subgid
echo "root:100000:65536" >> /etc/subuid
chown -h -R 100000:100000 /srv/lxc/n6ku22

Then add these lines to /srv/lxc/n6ku22/config:

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

From here the base config is complete, but the container can't be launched yet; you may get an error like this:

lxc_mount_auto_mounts:810 - Operation not permitted - Failed to mount "proc"

So /proc and /sys need to be remounted with relatime; do:

/usr/bin/mount -t sysfs sys -o remount,rw,nosuid,nodev,noexec,relatime /sys
/usr/bin/mount -t proc proc -o remount,rw,nosuid,nodev,noexec,relatime /proc

Then you can launch the container.

If you want to use a non-root user, you can adduser and chmod -R 755 the LXC rootfs dir.
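The "No uid mapping for container root" error in the first post comes down to one thing: the subuid/subgid entries were allocated to root, but lxc-create ran as alex. As an added example (not from any post in this thread), here is a POSIX sh check that reads the lxc.idmap lines from a container config and verifies that the user who will run lxc-create has a /etc/subuid and /etc/subgid entry covering each mapped host range. The sample files it builds are constructed to mirror the thread; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every lxc.idmap line in a
# container config is backed by a subuid/subgid entry for the launching user.
# Usage: check_idmap_coverage SUBUID_FILE SUBGID_FILE CONFIG_FILE USER
# Returns 0 if every map is covered, 1 otherwise (details on stderr).
check_idmap_coverage() {
    subuid=$1 subgid=$2 config=$3 user=$4 fail=0
    while read -r key _eq type nsid hostid count _rest; do
        [ "$key" = "lxc.idmap" ] || continue
        case $type in
            u) file=$subuid ;;
            g) file=$subgid ;;
            *) echo "unknown idmap type '$type' in $config" >&2; fail=1; continue ;;
        esac
        # Host range requested by this map: [hostid, hostid+count)
        need_end=$((hostid + count))
        covered=0
        # subid lines are "name:start:length"; the map must fit inside one entry
        while IFS=: read -r name start length; do
            [ "$name" = "$user" ] || continue
            if [ "$hostid" -ge "$start" ] && [ "$need_end" -le $((start + length)) ]; then
                covered=1
            fi
        done < "$file"
        if [ "$covered" -eq 0 ]; then
            echo "$type map $nsid $hostid $count for '$user' not covered by $file" >&2
            fail=1
        fi
    done < "$config"
    return "$fail"
}
# Constructed sample mirroring the thread: subuid/subgid allocated to root
# only, and idmap 0 100000 65536 for both u and g. Writes into directory $1.
write_sample_files() {
    dir=$1
    printf 'root:100000:65536\n' > "$dir/subuid"
    printf 'root:100000:65536\n' > "$dir/subgid"
    printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$dir/config"
}
# Stand-alone demo: root is covered, alex (the user in the thread) is not.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_files "$tmp"
    check_idmap_coverage "$tmp/subuid" "$tmp/subgid" "$tmp/config" root && echo "root: ok"
    check_idmap_coverage "$tmp/subuid" "$tmp/subgid" "$tmp/config" alex || echo "alex: missing"
    rm -rf "$tmp"
fi
```

On a real host, point it at /etc/subuid, /etc/subgid and the container's config (or ~/.config/lxc/default.conf for an unprivileged user) and pass the user you run lxc-create as.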

The solution is here: OpenWrt ARM64 QUICK LXC HOWTO/GUIDE (LMS in Debian System in LXC Container) - #41 by Cheddoleum

Sorry for the necro post, but I kept stumbling across this post while trying to find the solution from the link again.
