Is there a way to run podman as an unprivileged user inside a privileged LXC container?

140 days ago
 wniming

The need comes from the fact that I sometimes pull all the disks out of one Linux server (server A) and put them into another Linux server (server B) for temporary use (for example when some hardware in server A breaks and has to be sent in for repair). I don't want to disturb what server B already does, so the idea is to mount server A's filesystem tree by hand under a specific directory on server B and then run all of server A's services in a privileged LXC container (pointing the privileged LXC container's rootfs path straight at the manually mounted filesystem tree of server A). This approach gets most of server A's services running inside the privileged LXC container (even the virtual machines managed by libvirt), but the services on server A that run under rootless podman cannot run inside the privileged LXC container. Here is a simple example:

d@server:~$ podman run -it --rm fedora:42
Error: crun: mount `proc` to `proc`: Operation not permitted: OCI permission denied

It's not just podman either: rootless docker and unprivileged lxc also cannot run inside a privileged LXC container.

Probably very few people need this, but I really do want to use it this way. I've spent most of a day on it without solving it and hope some V2EX folks know how to make this work.

2967 views
Node: Linux
26 replies
wniming
140 days ago
Running unshare as a normal user inside the privileged LXC container has the same problem:

d@develop:~$ unshare -fp -r --mount-proc id
unshare: mount /proc failed: Operation not permitted
d@develop:~$

If this command is run as a normal user in an ordinary environment, it does not fail.
geekvcn
140 days ago
It's obviously a permissions issue; asking an AI would be quicker. I'd suggest passing the disks through and using KVM as a stopgap; the difference is small and you're only using it temporarily. Set up a high-availability cluster when you get a chance. I've never seen anyone move services by pulling disks unless it's across data centers or the data volume is huge.

Container technologies like LXC can't fully emulate the whole software and hardware environment. For anything that touches the kernel, permissions and all the other odds and ends, KVM is just less hassle: even changing the ssh port takes a couple of extra steps, changing kernel parameters means changing them on the host, and anything with hardware needs a ton of /dev directories mounted. I do use LXC for many of my newly built services because the performance is good, my services don't demand much of the hardware environment or isolation, and I can change kernel parameters at will.
wniming
140 days ago
@geekvcn I've asked ChatGPT several related questions; none of the solutions it gave worked. Disk passthrough doesn't meet my needs, because server A also hosts several PVE virtual machines. If server A's system were run as a VM, the PVE VMs could only run as nested VMs, and starting VMs inside that PVE would be two levels of nesting, which causes lots of problems. Besides, this is a home setup; building an HA cluster would be overkill.

Even though it's temporary, I feel there will be other scenarios later where I need to run unprivileged containers inside a privileged LXC container. For example with a dual-boot setup: the original system might be Fedora, then Ubuntu gets installed alongside it, and I'd like to run the original Fedora system in a privileged LXC container so that the rootless podman services on the old Fedora system don't have to be redeployed into Ubuntu.
choury
140 days ago
strace -f -v -y unshare -fp -r --mount-proc id
Post the output and see which step fails.
defunct9
140 days ago
If you really want to use it that way, you'll basically have to find the answer yourself. In your place I'd set up a KVM on A; when it breaks, import and boot it on B.
wniming
140 days ago
@choury

execve("/usr/bin/unshare", ["unshare", "-fp", "-r", "--mount-proc", "id"], ["SHELL=/bin/bash", "HISTCONTROL=ignoredups", "HISTSIZE=1000000", "HOSTNAME=develop", "DOTNET_ROOT=/usr/lib64/dotnet", "EDITOR=/usr/bin/vim", "PWD=/root", "LOGNAME=root", "XDG_SESSION_TYPE=tty", "MOTD_SHOWN=pam", "HOME=/root", "LANG=en_US.UTF-8", "LS_COLORS=rs=0:di=01;34:ln=01;35"..., "SSH_CONNECTION=192.168.1.4 44936"..., "DOTNET_BUNDLE_EXTRACT_BASE_DIR=/"..., "XDG_SESSION_CLASS=user", "TERM=xterm-256color", "LESSOPEN=||/usr/bin/lesspipe.sh "..., "USER=root", "SHLVL=1", "XDG_SESSION_ID=51", "XDG_RUNTIME_DIR=/run/user/0", "SSH_CLIENT=192.168.1.4 44936 22", "DEBUGINFOD_URLS=https://debuginf"..., "PATH=/root/.local/bin:/root/bin:"..., "DBUS_SESSION_BUS_ADDRESS=unix:pa"..., "MAIL=/var/spool/mail/root", "SSH_TTY=/dev/pts/5", "_=/usr/bin/strace"]) = 0
brk(NULL) = 0x563c88fa2000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3</etc/ld.so.cache>
fstat(3</etc/ld.so.cache>, {st_dev=makedev(0, 0x23), st_ino=267401, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=152, st_size=77547, st_atime=1746105600 /* 2025-05-01T21:20:00.444181044+0800 */, st_atime_nsec=444181044, st_mtime=1743769564 /* 2025-04-04T20:26:04.548840860+0800 */, st_mtime_nsec=548840860, st_ctime=1743769564 /* 2025-04-04T20:26:04.554840931+0800 */, st_ctime_nsec=554840931}) = 0
mmap(NULL, 77547, PROT_READ, MAP_PRIVATE, 3</etc/ld.so.cache>, 0) = 0x7f421cfde000
close(3</etc/ld.so.cache>) = 0
openat(AT_FDCWD</root>, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3</usr/lib64/libc.so.6>
read(3</usr/lib64/libc.so.6>, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\242\2\0\0\0\0\0"..., 832) = 832
pread64(3</usr/lib64/libc.so.6>, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
fstat(3</usr/lib64/libc.so.6>, {st_dev=makedev(0, 0x23), st_ino=6043, st_mode=S_IFREG|0755, st_nlink=2, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=4840, st_size=2476880, st_atime=1746105600 /* 2025-05-01T21:20:00.444181044+0800 */, st_atime_nsec=444181044, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420560 /* 2025-03-31T19:29:20.263820625+0800 */, st_ctime_nsec=263820625}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f421cfdc000
pread64(3</usr/lib64/libc.so.6>, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 2018160, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3</usr/lib64/libc.so.6>, 0) = 0x7f421cdef000
mmap(0x7f421ce17000, 1478656, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3</usr/lib64/libc.so.6>, 0x28000) = 0x7f421ce17000
mmap(0x7f421cf80000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3</usr/lib64/libc.so.6>, 0x191000) = 0x7f421cf80000
mmap(0x7f421cfce000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3</usr/lib64/libc.so.6>, 0x1de000) = 0x7f421cfce000
mmap(0x7f421cfd4000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f421cfd4000
close(3</usr/lib64/libc.so.6>) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f421cdec000
arch_prctl(ARCH_SET_FS, 0x7f421cdec740) = 0
set_tid_address(0x7f421cdeca10) = 588
set_robust_list(0x7f421cdeca20, 24) = 0
rseq(0x7f421cded060, 0x20, 0, 0x53053053) = 0
mprotect(0x7f421cfce000, 16384, PROT_READ) = 0
mprotect(0x563c4c2d5000, 4096, PROT_READ) = 0
mprotect(0x7f421d029000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f421cfde000, 77547) = 0
geteuid() = 0
getegid() = 0
getrandom("\x38\xe8\xe1\x07\x28\xd2\xe4\x05", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x563c88fa2000
brk(0x563c88fc3000) = 0x563c88fc3000
openat(AT_FDCWD</root>, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3</usr/share/locale/locale.alias>
fstat(3</usr/share/locale/locale.alias>, {st_dev=makedev(0, 0x23), st_ino=94532, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2998, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420563 /* 2025-03-31T19:29:23.343507507+0800 */, st_ctime_nsec=343507507}) = 0
read(3</usr/share/locale/locale.alias>, "# Locale name alias data base.\n#"..., 4096) = 2998
read(3</usr/share/locale/locale.alias>, "", 4096) = 0
close(3</usr/share/locale/locale.alias>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_IDENTIFICATION>
fstat(3</usr/lib/locale/en_US.utf8/LC_IDENTIFICATION>, {st_dev=makedev(0, 0x23), st_ino=14203, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=369, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.601267600+0800 */, st_ctime_nsec=601267600}) = 0
mmap(NULL, 369, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_IDENTIFICATION>, 0) = 0x7f421cff0000
close(3</usr/lib/locale/en_US.utf8/LC_IDENTIFICATION>) = 0
openat(AT_FDCWD</root>, "/usr/lib64/gconv/gconv-modules.cache", O_RDONLY|O_CLOEXEC) = 3</usr/lib64/gconv/gconv-modules.cache>
fstat(3</usr/lib64/gconv/gconv-modules.cache>, {st_dev=makedev(0, 0x23), st_ino=67780, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=56, st_size=27012, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1717949668 /* 2024-06-10T00:14:28.217806304+0800 */, st_mtime_nsec=217806304, st_ctime=1743420560 /* 2025-03-31T19:29:20.263011985+0800 */, st_ctime_nsec=263011985}) = 0
mmap(NULL, 27012, PROT_READ, MAP_SHARED, 3</usr/lib64/gconv/gconv-modules.cache>, 0) = 0x7f421cfe9000
close(3</usr/lib64/gconv/gconv-modules.cache>) = 0
futex(0x7f421cfd372c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
wniming
140 days ago
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_MEASUREMENT>
fstat(3</usr/lib/locale/en_US.utf8/LC_MEASUREMENT>, {st_dev=makedev(0, 0x23), st_ino=14204, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=23, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.601297172+0800 */, st_ctime_nsec=601297172}) = 0
mmap(NULL, 23, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_MEASUREMENT>, 0) = 0x7f421cfe8000
close(3</usr/lib/locale/en_US.utf8/LC_MEASUREMENT>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_TELEPHONE>
fstat(3</usr/lib/locale/en_US.utf8/LC_TELEPHONE>, {st_dev=makedev(0, 0x23), st_ino=14207, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=59, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.601402154+0800 */, st_ctime_nsec=601402154}) = 0
mmap(NULL, 59, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_TELEPHONE>, 0) = 0x7f421cfe7000
close(3</usr/lib/locale/en_US.utf8/LC_TELEPHONE>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_ADDRESS>
fstat(3</usr/lib/locale/en_US.utf8/LC_ADDRESS>, {st_dev=makedev(0, 0x23), st_ino=14201, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=167, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.601215527+0800 */, st_ctime_nsec=601215527}) = 0
mmap(NULL, 167, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_ADDRESS>, 0) = 0x7f421cfe6000
close(3</usr/lib/locale/en_US.utf8/LC_ADDRESS>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_NAME", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_NAME>
fstat(3</usr/lib/locale/en_US.utf8/LC_NAME>, {st_dev=makedev(0, 0x23), st_ino=13955, st_mode=S_IFREG|0644, st_nlink=6, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=77, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.602598571+0800 */, st_ctime_nsec=602598571}) = 0
mmap(NULL, 77, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_NAME>, 0) = 0x7f421cfe5000
close(3</usr/lib/locale/en_US.utf8/LC_NAME>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_PAPER", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_PAPER>
fstat(3</usr/lib/locale/en_US.utf8/LC_PAPER>, {st_dev=makedev(0, 0x23), st_ino=14016, st_mode=S_IFREG|0644, st_nlink=3, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=34, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.601168802+0800 */, st_ctime_nsec=601168802}) = 0
mmap(NULL, 34, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_PAPER>, 0) = 0x7f421cfe4000
close(3</usr/lib/locale/en_US.utf8/LC_PAPER>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_MESSAGES>
fstat(3</usr/lib/locale/en_US.utf8/LC_MESSAGES>, {st_dev=makedev(0, 0x23), st_ino=14205, st_mode=S_IFDIR|0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_size=30, st_atime=1745686865 /* 2025-04-27T01:01:05.345684012+0800 */, st_atime_nsec=345684012, st_mtime=1717949668 /* 2024-06-10T00:14:28.151908372+0800 */, st_mtime_nsec=151908372, st_ctime=1743420554 /* 2025-03-31T19:29:14.601339950+0800 */, st_ctime_nsec=601339950}) = 0
close(3</usr/lib/locale/en_US.utf8/LC_MESSAGES>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES>
fstat(3</usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES>, {st_dev=makedev(0, 0x23), st_ino=13950, st_mode=S_IFREG|0644, st_nlink=16, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=57, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.603617639+0800 */, st_ctime_nsec=603617639}) = 0
mmap(NULL, 57, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES>, 0) = 0x7f421cfe3000
close(3</usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_MONETARY>
fstat(3</usr/lib/locale/en_US.utf8/LC_MONETARY>, {st_dev=makedev(0, 0x23), st_ino=14206, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=286, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.601372289+0800 */, st_ctime_nsec=601372289}) = 0
mmap(NULL, 286, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_MONETARY>, 0) = 0x7f421cfe2000
close(3</usr/lib/locale/en_US.utf8/LC_MONETARY>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_COLLATE>
fstat(3</usr/lib/locale/en_US.utf8/LC_COLLATE>, {st_dev=makedev(0, 0x23), st_ino=13953, st_mode=S_IFREG|0644, st_nlink=18, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=5056, st_size=2586930, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.603421654+0800 */, st_ctime_nsec=603421654}) = 0
mmap(NULL, 2586930, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_COLLATE>, 0) = 0x7f421ca00000
close(3</usr/lib/locale/en_US.utf8/LC_COLLATE>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_TIME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_TIME", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_TIME>
fstat(3</usr/lib/locale/en_US.utf8/LC_TIME>, {st_dev=makedev(0, 0x23), st_ino=14208, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=3284, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.601438957+0800 */, st_ctime_nsec=601438957}) = 0
mmap(NULL, 3284, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_TIME>, 0) = 0x7f421cfe1000
close(3</usr/lib/locale/en_US.utf8/LC_TIME>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/en_US.utf8/LC_NUMERIC>
wniming
140 days ago
fstat(3</usr/lib/locale/en_US.utf8/LC_NUMERIC>, {st_dev=makedev(0, 0x23), st_ino=13956, st_mode=S_IFREG|0644, st_nlink=17, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=54, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.603472279+0800 */, st_ctime_nsec=603472279}) = 0
mmap(NULL, 54, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/en_US.utf8/LC_NUMERIC>, 0) = 0x7f421cfe0000
close(3</usr/lib/locale/en_US.utf8/LC_NUMERIC>) = 0
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD</root>, "/usr/lib/locale/en_US.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3</usr/lib/locale/C.utf8/LC_CTYPE>
fstat(3</usr/lib/locale/C.utf8/LC_CTYPE>, {st_dev=makedev(0, 0x23), st_ino=14249, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=712, st_size=360460, st_atime=1746105600 /* 2025-05-01T21:20:00.467181100+0800 */, st_atime_nsec=467181100, st_mtime=1711411200 /* 2024-03-26T08:00:00+0800 */, st_mtime_nsec=0, st_ctime=1743420554 /* 2025-03-31T19:29:14.603950488+0800 */, st_ctime_nsec=603950488}) = 0
mmap(NULL, 360460, PROT_READ, MAP_PRIVATE, 3</usr/lib/locale/C.utf8/LC_CTYPE>, 0) = 0x7f421cd93000
close(3</usr/lib/locale/C.utf8/LC_CTYPE>) = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[CHLD], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f421ce2f710}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
unshare(CLONE_NEWNS|CLONE_NEWUSER|CLONE_NEWPID) = 0
rt_sigprocmask(SIG_BLOCK, [INT TERM], [], 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f421cdeca10) = 589
wait4(589, strace: Process 589 attached
<unfinished ...>
[pid 589] set_robust_list(0x7f421cdeca20, 24) = 0
[pid 589] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 589] openat(AT_FDCWD</root>, "/proc/self/uid_map", O_WRONLY) = 3</proc/589/uid_map>
[pid 589] write(3</proc/589/uid_map>, "0 0 1", 5) = 5
[pid 589] close(3</proc/589/uid_map>) = 0
[pid 589] openat(AT_FDCWD</root>, "/proc/self/setgroups", O_WRONLY) = 3</proc/589/setgroups>
[pid 589] write(3</proc/589/setgroups>, "deny", 4) = 4
[pid 589] close(3</proc/589/setgroups>) = 0
[pid 589] openat(AT_FDCWD</root>, "/proc/self/gid_map", O_WRONLY) = 3</proc/589/gid_map>
[pid 589] write(3</proc/589/gid_map>, "0 0 1", 5) = 5
[pid 589] close(3</proc/589/gid_map>) = 0
[pid 589] mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid 589] mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en_US.utf8/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en_US/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en.UTF-8/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en.utf8/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en/LC_MESSAGES/util-linux.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] write(2</root/txt>, "unshare: ", 9unshare: ) = 9
[pid 589] write(2</root/txt>, "mount /proc failed", 18mount /proc failed) = 18
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] openat(AT_FDCWD</root>, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 589] write(2</root/txt>, ": Operation not permitted\n", 26: Operation not permitted
) = 26
[pid 589] dup(1</dev/pts/5>) = 3</dev/pts/5>
[pid 589] close(3</dev/pts/5>) = 0
[pid 589] dup(2</root/txt>) = 3</root/txt>
[pid 589] close(3</root/txt>) = 0
[pid 589] exit_group(1) = ?
[pid 589] +++ exited with 1 +++
<... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 589
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=589, si_uid=0, si_status=1, si_utime=0, si_stime=0} ---
dup(1</dev/pts/5>) = 3</dev/pts/5>
close(3</dev/pts/5>) = 0
dup(2</root/txt>) = 3</root/txt>
close(3</root/txt>) = 0
exit_group(1) = ?
+++ exited with 1 +++
choury
140 days ago
Looks like a missing permission; run cat /proc/self/status | grep Cap and see whether you have the caps.
wniming
140 days ago
@choury #9

Output of cat /proc/self/status | grep Cap as root and as a normal user inside the privileged LXC container:

d@develop:~$ su
root@develop:/home/d#
root@develop:/home/d# cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 000001fcfdfcffff
CapEff: 000001fcfdfcffff
CapBnd: 000001fcfdfcffff
CapAmb: 0000000000000000
root@develop:/home/d#
root@develop:/home/d#
exit
d@develop:~$
d@develop:~$ cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001fcfdfcffff
CapAmb: 0000000000000000
d@develop:~$
d@develop:~$

CapBnd is indeed different from a normal environment, where it is 000001ffffffffff.
choury
140 days ago
That's definitely wrong. In a container I start myself the caps are all 000001ffffffffff
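An added decoder for the two CapBnd values quoted in this thread (editor's example in POSIX sh, not code from the thread). Capability bit names follow the kernel's include/uapi/linux/capability.h up to bit 40 (checkpoint_restore, Linux 5.9+), and the "full" set is taken to be the 41-bit mask 000001ffffffffff shown above; the function names and the PID-reading helper are this example's own.

```shell
#!/bin/sh
# Editor's example (not from the thread): decode the CapBnd/CapEff hex masks printed in
# /proc/PID/status and list which capabilities are missing. Capability numbering follows
# include/uapi/linux/capability.h; bit 40 (checkpoint_restore) is the highest as of Linux 5.9.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf \
checkpoint_restore"
LAST_CAP=40
FULL_MASK=000001ffffffffff   # all 41 bits set: the value a normal root shell shows

# cap_name N: print the name of capability bit N (cap_N for a bit this list does not know)
cap_name() {
    i=0
    for n in $CAP_NAMES; do
        if [ "$i" -eq "$1" ]; then printf '%s\n' "$n"; return 0; fi
        i=$((i + 1))
    done
    printf 'cap_%s\n' "$1"
}

# caps_diff A B: names of the bits set in hex mask A but clear in hex mask B, one per line
caps_diff() {
    a=$((0x$1)); b=$((0x$2))
    bit=0
    while [ "$bit" -le "$LAST_CAP" ]; do
        if [ $(( (a >> bit) & 1 )) -eq 1 ] && [ $(( (b >> bit) & 1 )) -eq 0 ]; then
            cap_name "$bit"
        fi
        bit=$((bit + 1))
    done
}

# caps_missing MASK: capabilities absent from MASK compared with the full set
caps_missing() {
    caps_diff "$FULL_MASK" "$1"
}

# cap_field PID FIELD: read e.g. CapBnd or CapEff of a live process from /proc/PID/status
cap_field() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# Usage: sh capdiff.sh PID  -> reports what PID's bounding set lacks relative to the full set
if [ "${1:-}" != "" ]; then
    mask=$(cap_field "$1" CapBnd)
    echo "CapBnd of pid $1 is $mask; missing from the full set:"
    caps_missing "$mask"
fi
```

On the masks quoted in this thread, caps_missing 000001fcfdfcffff reports sys_module, sys_rawio, sys_time, mac_override and mac_admin, which is exactly the lxc.cap.drop list that LXC's default common.conf applies to privileged containers; that is consistent with the later observation that adding an empty lxc.cap.drop line restores the full mask. None of those five capabilities is what mount(2) of procfs needs, so their absence alone does not explain the EPERM, which also matches the later report that restoring them changed nothing.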
root@home-pc:/# ps -elf
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 1083 do_wai 14:43 pts/0 00:00:00 /bin/bash
0 R root 2 1 0 80 0 - 1611 - 14:43 pts/0 00:00:00 ps -elf
root@home-pc:/# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root@home-pc:/# cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
yinmin
140 days ago
Linux containers under LXC don't support rootless podman by default; you'd have to give the Linux container under LXC the privileged right, and that weakens security far too much to be worth it.
pagxir
140 days ago
A privileged LXC can run an unprivileged LXC; that lxc.autofs needs to be set to cgroup:full-force
wniming
139 days ago
@choury #11 I don't know how you start your containers. I just added a line to the LXC config:

lxc.cap.drop =

Now the Caps inside the privileged LXC container all match a normal environment, but it still doesn't work, same error.

I keep feeling this problem is related to user namespaces, because inside the privileged LXC container, running unshare -fp -r --mount-proc id as root gives the same error as running it as a normal user, but dropping the -r option makes it work:

root@develop:~#
root@develop:~# unshare -fp -r --mount-proc id
unshare: mount /proc failed: Operation not permitted
root@develop:~#
root@develop:~# unshare -fp --mount-proc id
uid=0(root) gid=0(root) groups=0(root)
root@develop:~#
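The thread never pins down why the proc mount fails only when a user namespace is involved (the -r option, or rootless podman). One kernel rule that produces exactly this symptom is worth checking, and is added here as an editor's diagnostic rather than a conclusion from the thread: since Linux 4.x (fs/namespace.c, mnt_already_visible() and mount_too_revealing()), a process in a non-initial user namespace may mount a fresh procfs or sysfs only if an instance is already mounted in its mount namespace and is "fully visible", meaning none of its files or non-empty directories are hidden by locked over-mounts. In an LXC guest the lxcfs overlays on /proc/cpuinfo, /proc/meminfo and friends are the usual such over-mounts, and they do not bother a plain mount without a user namespace. The POSIX sh snippet below (editor's example, not the poster's; the function names, the exempt-directory list and the sample mountinfo table are this example's own) lists the mounts that would trip that check.

```shell
#!/bin/sh
# Editor's example (not from the thread): list mounts stacked on top of /proc and /sys in a
# mountinfo table. The kernel only lets a process in a new user namespace mount a fresh
# proc/sysfs if an existing instance is already "fully visible" (fs/namespace.c,
# mnt_already_visible()); locked over-mounts of its files or non-empty directories make the
# mount fail with EPERM, while the same mount works without a user namespace.

# Directories the kernel creates as permanently-empty mount points; mounts on these are exempt
# from the visibility rule. Partial list (assumption: taken from fs/proc and fs/sysfs).
EXEMPT_MOUNTPOINTS="/proc/sys/fs/binfmt_misc /sys/fs/cgroup /sys/kernel/debug /sys/kernel/tracing \
/sys/fs/bpf /sys/fs/pstore /sys/fs/fuse/connections /sys/kernel/security /sys/kernel/config \
/sys/firmware/efi/efivars"

# suspect_overmounts < mountinfo
# Prints "<mountpoint> <fstype>" for every mount below /proc or /sys that is not exempt.
# mountinfo field 5 is the mount point; the fstype is the field after the "-" separator.
suspect_overmounts() {
    awk -v exempt="$EXEMPT_MOUNTPOINTS" '
        BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) ex[e[i]] = 1 }
        {
            mp = $5; fstype = "?"
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            if ((mp ~ "^/proc/" || mp ~ "^/sys/") && !(mp in ex)) print mp, fstype
        }'
}

# count_suspect_overmounts < mountinfo : 0 means proc and sysfs should be mountable in a userns
count_suspect_overmounts() {
    suspect_overmounts | wc -l | tr -d ' '
}

# Constructed sample modelled on an LXC guest with lxcfs running (not taken from the thread).
sample_mountinfo() {
    cat <<'EOF'
20 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
21 1 0:22 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
22 21 0:23 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
23 20 0:24 / /proc/sys/fs/binfmt_misc rw,nosuid,nodev,noexec,relatime - binfmt_misc binfmt_misc rw
30 20 0:45 /proc/cpuinfo /proc/cpuinfo rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
31 20 0:45 /proc/meminfo /proc/meminfo rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
32 20 0:45 /proc/stat /proc/stat rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
EOF
}

# Usage: sh proc_visibility.sh --live   (inspects the calling shell's own mount namespace)
if [ "${1:-}" = "--live" ]; then
    suspect_overmounts < /proc/self/mountinfo
    echo "suspect over-mounts: $(count_suspect_overmounts < /proc/self/mountinfo)"
fi
```

Run it with --live inside the container as the same user that runs unshare -r. On the constructed sample it reports the three lxcfs files and nothing else, since the cgroup2 and binfmt_misc mounts sit on exempt directories. If the live output shows lxcfs (or any other) entries under /proc, that is a candidate cause to confirm against the container's lxcfs and lxc.mount.auto settings, which this thread does not get as far as testing.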
wniming
139 days ago
@pagxir man lxc.container.conf has no lxc.autofs option, but there is a similar one; I added the following config:

lxc.mount.auto = cgroup-full:rw:force

Still the same error though
yinmin
139 days ago
A privileged container usually means a container that has been granted privileged. Root podman is usually not called "privileged podman" but "root podman"; rootless podman is called "non-root podman" or "normal-user-mode podman", to avoid confusion with the privileged concept.
wniming
139 days ago
@yinmin In my use case security is no concern at all, and what I'm trying is already inside a privileged LXC container; I'm not sure what you mean by the "privileged" right.
wniming
139 days ago
@yinmin Just refreshed the thread and saw your new reply
yinmin
139 days ago
dode
135 days ago
Install ESXi on a new disk, pass both system disks through, and just boot the VMs directly.

https://www.v2ex.com/t/1129319