LXC Unprivileged Containers (Ubuntu Xenial 16.04)

In Uncategorized on 24/12/2016 by pier0w

There are a couple of tutorials about how to set up unprivileged containers in Ubuntu, but unfortunately both of them fail to mention all the steps required to actually get them working.


The first thing you must do after installing LXC and enabling unprivileged containers is to reboot Linux. If you don't reboot, you will see this error:

lxc-start 20160311171257.911 ERROR lxc_cgfs - 
  cgfs.c:lxc_cgroupfs_create:1007 - Permission denied - Could not create 
  cgroup '/user/1000.user/c2.session/lxc' in '/sys/fs/cgroup/systemd'.
lxc-start 20160311171257.911 ERROR lxc_cgfs - cgfs.c:cgroup_rmdir:209 - 
  Permission denied - cgroup_rmdir: failed to delete 

Global Read and Execute Permissions for ~/.local/share

You must give your ~/.local and ~/.local/share directories global read and execute permissions, so that the container's mapped root uid can traverse the path to ~/.local/share/lxc (the error message below also offers the narrower alternative of an ACL for the container root).

chmod a+rx ~/.local ~/.local/share

Otherwise you will see the following errors:

lxc-start 20161224123344.174 ERROR lxc_start - 
    start.c:print_top_failing_dir:103 - Permission denied - 
    Could not access /home/spark/.local. Please grant it x access, 
    or add an ACL for the container root. 
lxc-start 20161224123344.174 ERROR lxc_sync - 
    sync.c:__sync_wait:57 - An error occurred in another process 
    (expected sequence number 3) 
lxc-start 20161224123344.175 ERROR lxc_start - 
    start.c:__lxc_start:1338 - Failed to spawn container "template".


Here is a script that will set up LXC unprivileged containers correctly for Ubuntu Xenial 16.04.


# Install LXC (Xenial ships LXC 2.0)
sudo apt-get install lxc

# Subordinate uid/gid ranges granted to this user in /etc/subuid and /etc/subgid.
# Anchor the match on "user:" so that, e.g., "bob" does not pick up "bobby"'s range.
SUB_USER_ID1=$(grep "^$USER:" /etc/subuid | awk -F':' '{print $2}')
SUB_USER_ID2=$(grep "^$USER:" /etc/subuid | awk -F':' '{print $3}')
SUB_GROUP_ID1=$(grep "^$USER:" /etc/subgid | awk -F':' '{print $2}')
SUB_GROUP_ID2=$(grep "^$USER:" /etc/subgid | awk -F':' '{print $3}')

# Set up unprivileged container default settings: map container root (uid/gid 0)
# onto the subordinate ranges and attach new containers to the lxcbr0 bridge
mkdir -p ~/.config/lxc
echo "lxc.id_map = u 0 ${SUB_USER_ID1} ${SUB_USER_ID2}" > ~/.config/lxc/default.conf
echo "lxc.id_map = g 0 ${SUB_GROUP_ID1} ${SUB_GROUP_ID2}" >> ~/.config/lxc/default.conf
# LXC 2.x network keys
echo "lxc.network.type = veth" >> ~/.config/lxc/default.conf
echo "lxc.network.link = lxcbr0" >> ~/.config/lxc/default.conf
# Allow this user to create up to 2 veth interfaces on lxcbr0
echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet

# Set the correct permissions for ~/.local/share
mkdir -p ~/.local/share
chmod a+rx ~/.local ~/.local/share

echo "Now reboot your machine."
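To confirm the setup before rebooting, here is an added preflight check script (not from the original post) that reads the subordinate id ranges, compares them with the lxc.id_map lines in default.conf, and verifies world-execute permission on the path to the container storage directory; file paths are parameters so it also runs against constructed sample files.

```shell
#!/bin/sh
# Preflight checks for an unprivileged LXC setup on Xenial. This is an added
# example, not code from the original post; file paths and the storage
# directory are parameters so it can be run against constructed sample files
# as well as the real /etc/subuid, /etc/subgid and ~/.config/lxc/default.conf.

# Print "<start> <count>" of the subordinate id range that map file $2
# (/etc/subuid or /etc/subgid) grants to user $1. The name is matched
# exactly, so "bob" never picks up "bobby"'s range; exit 1 when absent.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }' "$2"
}

# Exit 0 when the "lxc.id_map = <kind> 0 <start> <count>" line for kind $2
# (u or g) in config $1 maps container root onto exactly the range $3.
# A range that /etc/sub?id does not grant makes lxc-start unable to set up
# the user namespace.
idmap_matches() {
    got=$(awk -v k="$2" '$1 == "lxc.id_map" && $3 == k && $4 == 0 { print $5, $6 }' "$1")
    [ -n "$got" ] && [ "$got" = "$3" ]
}

# Exit 0 when every directory from $1 up to (not including) $2, default /,
# is world-executable. The mapped container root is an unprivileged uid on
# the host, so it needs o+x on each component to reach ~/.local/share/lxc;
# this is the "Please grant it x access" failure from the post.
path_traversable() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    top=$(cd "${2:-/}" && pwd -P)
    while [ "$d" != "$top" ] && [ "$d" != "/" ]; do
        case $(ls -ld "$d" | cut -c10) in
            x|t) ;;
            *) echo "missing o+x on $d" >&2; return 1 ;;
        esac
        d=$(dirname "$d")
    done
}

# Run all checks for user $1: $2=subuid file, $3=subgid file,
# $4=default.conf, $5=container storage directory, $6=optional path boundary.
check_setup() {
    u=$(subid_range "$1" "$2") || { echo "no subuid entry for $1" >&2; return 1; }
    g=$(subid_range "$1" "$3") || { echo "no subgid entry for $1" >&2; return 1; }
    idmap_matches "$4" u "$u" || { echo "lxc.id_map u does not match $2" >&2; return 1; }
    idmap_matches "$4" g "$g" || { echo "lxc.id_map g does not match $3" >&2; return 1; }
    path_traversable "$5" "$6"
}
```

On the real host, run `check_setup "$USER" /etc/subuid /etc/subgid ~/.config/lxc/default.conf ~/.local/share/lxc`; a zero exit means the id maps and directory permissions are consistent.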

