kernels 3.7.x, 3.8.x
Trying to set up LXC following various guides on the Internet (the current openSUSE docs might work, but they have finally crossed into the land of far out of date).
User Namespace missing
In the following, I am less concerned with the cgroup issue; I am still researching, but it seems that there are several possible <practical> solutions, the most likely being to manually mount the required cgroup (it is a recognized upstream issue).
--- Namespaces ---
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
Double-checking that “user” is not listed in the following:
# ls /proc/self/ns
ipc net uts
While researching, I found this bug posted to the RH Bugzilla.
Gentoo seems to recommend recompiling the kernel.
The RH bug report in particular looks worrisome; it seems no definite decision has been made even now on how to address the issue, since there is a ZFS incompatibility issue with providing or setting a flag to enable the functionality. Since a decision can’t even be made on how to resolve it, I’m not expecting an early resolution (at least kernel 3.10.x, maybe later).
So, specific questions for anyone with LXC experience who understands how namespaces are used:
What is the scope of the requirement? I’m guessing that this is required only to launch a namespace without root permissions. If so, then I can live with launching LXC containers using root permissions only until this is addressed.
Are there other options that might avoid or address this issue? It seems this issue likely only appeared with kernel 3.x; I’m not excited about deploying a machine with a 2.6.x kernel just to avoid this problem. And I’m also not excited about attempting to compile my own custom kernel to enable this functionality.
If anyone can suggest a different approach even if untested,
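The post above does two manual checks for user namespace support: it reads the "User namespace" line of lxc-checkconfig (which is a grep for CONFIG_USER_NS in the kernel config) and lists /proc/self/ns. The script below is an added example, not part of the original post and not code from the LXC project or openSUSE; it automates both checks and adds a third, a runtime probe that actually tries to create a user namespace as the current unprivileged user. It assumes the kernel config is exposed at /proc/config.gz or installed as /boot/config-$(uname -r), and that util-linux's `unshare` is installed for the runtime probe; none of it needs root.

```shell
#!/bin/sh
# Added example (not from the original post or the LXC project): check whether
# the running kernel offers user namespaces. Same two checks as the post
# (kernel config, /proc/self/ns), plus a runtime probe with `unshare -U`.
#
# Assumptions: kernel config at /proc/config.gz (CONFIG_IKCONFIG_PROC) or at
# /boot/config-$(uname -r); util-linux `unshare` installed for the probe.

# 0 if the given uncompressed kernel config file has CONFIG_USER_NS=y.
# lxc-checkconfig's "User namespace: enabled/missing" line is this test.
config_has_user_ns() {
    grep -qx 'CONFIG_USER_NS=y' "$1"
}

# 0 if a /proc/self/ns listing (whitespace-separated, as printed by
# `ls /proc/self/ns`) contains a "user" entry. Exact match, so "username"
# or similar would not count.
ns_listing_has_user() {
    for entry in $1; do
        [ "$entry" = "user" ] && return 0
    done
    return 1
}

# Copy the running kernel's config, uncompressed, to the file named in $1.
# Returns 1 if no config can be found at either standard location.
fetch_running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$1"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$1"
    else
        return 1
    fi
}

# Run all checks against the live kernel, one report line each. Returns 0
# only if every check that could be run says user namespaces are available.
check_running_kernel() {
    ok=0
    tmp=$(mktemp) || return 1

    if fetch_running_config "$tmp"; then
        if config_has_user_ns "$tmp"; then
            echo "kernel config:   CONFIG_USER_NS=y"
        else
            echo "kernel config:   CONFIG_USER_NS not set (build-time option)"
            ok=1
        fi
    else
        echo "kernel config:   not found (no /proc/config.gz or /boot/config-$(uname -r))"
    fi
    rm -f "$tmp"

    if ns_listing_has_user "$(ls /proc/self/ns 2>/dev/null)"; then
        echo "/proc/self/ns:   user entry present"
    else
        echo "/proc/self/ns:   no user entry"
        ok=1
    fi

    # Runtime probe: a kernel can be built with CONFIG_USER_NS=y and still
    # refuse unprivileged user namespaces, so this is the check that matters
    # for running containers without root.
    if command -v unshare >/dev/null 2>&1; then
        if unshare -U true 2>/dev/null; then
            echo "unshare -U true: succeeded (unprivileged user namespaces work)"
        else
            echo "unshare -U true: failed (unprivileged user namespaces unavailable)"
            ok=1
        fi
    else
        echo "unshare -U true: skipped (util-linux unshare not installed)"
    fi

    return $ok
}

if check_running_kernel; then
    echo "result: user namespaces available; unprivileged containers possible"
else
    echo "result: user namespaces missing; only root-launched containers will work"
fi
```

On the kernel described in the post the first two lines would read "CONFIG_USER_NS not set" and "no user entry". Because CONFIG_USER_NS is a build-time option, a "missing" result cannot be fixed by a sysctl or module load; it takes a kernel built with the option, which is why the Gentoo advice is to recompile. Privileged (root-launched) containers do not need user namespaces, so they are unaffected by this result.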