Unprivileged Container fails to Start

Hi,

I am able to create and run privileged containers on OpenWRT 19.07.2 and LXC 2.1.1

I am unable to run unprivileged containers. I am getting the following errors

lxc-start myalpine 20200410140608.707 ERROR    lxc_utils - utils.c:mkdir_p:257 - Permission denied - failed to create directory '/sys/fs/cgroup/lxc/myalpine'
lxc-start myalpine 20200410140608.707 ERROR    lxc_cgfs - cgroups/cgfs.c:lxc_cgroupfs_create:1022 - Permission denied - Could not create cgroup '/lxc/myalpine' in '/sys/fs/cgroup'.
lxc-start myalpine 20200410140608.710 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete /sys/fs/cgroup//lxc
lxc-start myalpine 20200410140608.711 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete /sys/fs/cgroup/
lxc-start myalpine 20200410140608.711 ERROR    lxc_start - start.c:lxc_spawn:1221 - Failed creating cgroups.

/proc/self/cgroup

cat /proc/self/cgroup
1:cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,pids,debug:/

I created the user strive using useradd command.

I get same output when i execute the command cat /proc/self/cgroup as root and strive users.

What am i missing? Any pointers to run unprivileged lxc containers in OpenWRT.

Thanks,
Strive

Look at Request for LXC support in MVEBU there is a tweak to add to /etc/init.d/lxc-auto which mount cgroups differently at bootup

~# cat /proc/self/cgroup
2:name=systemd:/
1:cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,pids:/
0::/

the patch is :

diff --git a/utils/lxc/files/lxc-auto.init b/utils/lxc/files/lxc-auto.init
index 937f08269..dc293ecd3 100755
--- a/utils/lxc/files/lxc-auto.init
+++ b/utils/lxc/files/lxc-auto.init
@@ -58,3 +58,13 @@ stop() {
 	fi
 }
 
+### ZX: Create missing LXC resources (cgroup mount points)
+boot() {
+	if [ ! -d /sys/fs/cgroup/systemd ]; then
+		echo "Creating systemd cgroup..."
+		mkdir -p /sys/fs/cgroup/systemd
+		mount -t cgroup -o rw,nosuid,nodev,noexec,relatime,none,name=systemd cgroup /sys/fs/cgroup/systemd
+	fi
+
+	start
+}

I have seen you've posted the question at https://discuss.linuxcontainers.org/t/unprivileged-container-fails-to-start-in-openwrt/7376 (adding here for reference)

opkg install mount-utils

---8<---
→ /usr/init.d/cgroupfs-mount.init
root@NAS:~# cat cgroupfs-mount.init

#!/bin/sh /etc/rc.common

START=1

start() {
	# Procd mounts non-hierarchical cgroupfs so unmount first before cgroupfs-mount
	echo "Mounting cgroupfs hierarchy"
	if mountpoint -q /sys/fs/cgroup; then
		umount /sys/fs/cgroup/
	fi

	/usr/sbin/cgroupfs-mount
}

stop() {
	echo "Unmounting cgroupfs hierarchy"
	/usr/sbin/cgroupfs-umount
}


boot () {
	start
}

root@NAS:~#
---8<---
→ /usr/sbin/cgroupfs-mount

root@NAS:~# cat cgroupfs-mount

#!/bin/sh
# Copyright 2011 Canonical, Inc
#           2014 Tianon Gravi
# Author: Serge Hallyn <serge.hallyn@canonical.com>
#         Tianon Gravi <admwiggin@gmail.com>
set -e

# for simplicity this script provides no flexibility

# if cgroup is mounted by fstab, don't run
# don't get too smart - bail on any uncommented entry with 'cgroup' in it
if grep -v '^#' /etc/fstab | grep -q cgroup; then
	echo 'cgroups mounted from fstab, not mounting /sys/fs/cgroup'
	exit 0
fi

# kernel provides cgroups?
if [ ! -e /proc/cgroups ]; then
	exit 0
fi

# if we don't even have the directory we need, something else must be wrong
if [ ! -d /sys/fs/cgroup ]; then
	exit 0
fi

# mount /sys/fs/cgroup if not already done
if ! mountpoint -q /sys/fs/cgroup; then
	mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
fi

cd /sys/fs/cgroup

# get/mount list of enabled cgroup controllers
for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
	mkdir -p $sys
	if ! mountpoint -q $sys; then
		if ! mount -n -t cgroup -o $sys cgroup $sys; then
			rmdir $sys || true
		fi
	fi
done

# example /proc/cgroups:
#  #subsys_name	hierarchy	num_cgroups	enabled
#  cpuset	2	3	1
#  cpu	3	3	1
#  cpuacct	4	3	1
#  memory	5	3	0
#  devices	6	3	1
#  freezer	7	3	1
#  blkio	8	3	1

# enable cgroups memory hierarchy, like systemd does (and lxc/docker desires)
# https://github.com/systemd/systemd/blob/v245/src/core/cgroup.c#L2983
# https://bugs.debian.org/940713
if [ -e /sys/fs/cgroup/memory/memory.use_hierarchy ]; then
	echo 1 > /sys/fs/cgroup/memory/memory.use_hierarchy
fi

exit 0

root@NAS:~#
---8<---
→ /usr/sbin/cgroupfs-umount
root@NAS:~# cat cgroupfs-umount

#!/bin/sh
# Copyright 2011 Canonical, Inc
#           2014 Tianon Gravi
# Author: Serge Hallyn <serge.hallyn@canonical.com>
#         Tianon Gravi <tianon@debian.org>
set -e

# we don't care to move tasks around gratuitously - just umount the cgroups

# if we don't even have the directory we need, something else must be wrong
if [ ! -d /sys/fs/cgroup ]; then
	exit 0
fi

# if /sys/fs/cgroup is not mounted, we don't bother
if ! mountpoint -q /sys/fs/cgroup; then
	exit 0
fi

cd /sys/fs/cgroup

for sys in *; do
	if mountpoint -q $sys; then
		umount $sys
	fi
	if [ -d $sys ]; then
		rmdir $sys || true
	fi
done

exit 0

---8<---
→ /etc/init.d/lxc-auto
root@NAS:~# cat lxc-auto

#!/bin/sh /etc/rc.common

. /lib/functions.sh

START=99
STOP=00

run_command() {
	local command="$1"
	$command
}

start_container() {
	local cfg="$1"
	local name

	config_get name "$cfg" name
	config_list_foreach "$cfg" command run_command
	if [ -n "$name" ]; then
		/usr/bin/lxc-start -n "$name"
	fi
}

max_timeout=0

stop_container() {
	local cfg="$1"
	local name timeout

	config_get name "$cfg" name
	config_get timeout "$cfg" timeout 300

	if [ "$max_timeout" -lt "$timeout" ]; then
		max_timeout=$timeout
	fi

	if [ -n "$name" ]; then
		if [ "$timeout" = "0" ]; then
			/usr/bin/lxc-stop -n "$name" &
		else
			/usr/bin/lxc-stop -n "$name" -t $timeout &
		fi
	fi
}

start() {
	config_load lxc-auto
	config_foreach start_container container
}

stop() {
	config_load lxc-auto
	config_foreach stop_container container
	# ensure e.g. shutdown doesn't occur before maximum timeout on
	# containers that are shutting down
	if [ $max_timeout -gt 0 ]; then
		sleep $max_timeout
	fi
}

### ZX: Create missing LXC resources (cgroup mount points)
boot() {
	if [ ! -d /sys/fs/cgroup/systemd ]; then
		echo "Creating systemd cgroup..."
		mkdir -p /sys/fs/cgroup/systemd
		mount -t cgroup -o rw,nosuid,nodev,noexec,relatime,none,name=systemd cgroup /sys/fs/cgroup/systemd
	fi

	start
}

root@NAS:~#