I am trying to get an Ubuntu container working with systemd-nspawn. I created the Ubuntu container as follows:
debootstrap --include=systemd,dbus,systemd-container --variant=buildd --arch=amd64 jammy /var/lib/machines/jammy http://ch.archive.ubuntu.com/ubuntu/
and I try to run the container with:
sudo SYSTEMD_LOG_LEVEL=debug systemd-nspawn -D "/var/lib/machines/jammy" \
--setenv=PATH=/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin \
--bind-user=myuser \
--private-users=pick \
--private-users-ownership=auto \
--user=myuser
I get the following output from the debug log:
Setting RLIMIT_CPU to infinity.
Setting RLIMIT_FSIZE to infinity.
Setting RLIMIT_DATA to infinity.
Setting RLIMIT_STACK to 8388608:infinity.
Setting RLIMIT_CORE to 0:infinity.
Setting RLIMIT_RSS to infinity.
Setting RLIMIT_NPROC to 253823.
Setting RLIMIT_NOFILE to 1024:524288.
Setting RLIMIT_MEMLOCK to 8388608.
Setting RLIMIT_AS to infinity.
Setting RLIMIT_LOCKS to infinity.
Setting RLIMIT_SIGPENDING to 253823.
Setting RLIMIT_MSGQUEUE to 819200.
Setting RLIMIT_NICE to 0.
Setting RLIMIT_RTPRIO to 0.
Setting RLIMIT_RTTIME to infinity.
Settings are trusted: yes
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Spawning container jammy on /var/lib/machines/jammy.
Press Ctrl-] three times within 1s to kill container.
Outer child is initializing.
Changing mount propagation / (MS_REC|MS_SLAVE "")
Selected user namespace base 459079680 and range 65536.
Bind-mounting /var/lib/machines/jammy on /var/lib/machines/jammy (MS_BIND|MS_REC "")...
Changing mount propagation /var/lib/machines/jammy (MS_REC|MS_PRIVATE "")
varlink: Setting state idle-client
/run/systemd/userdb/io.systemd.DynamicUser: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"myuser","service":"io.systemd.DynamicUser"}}
/run/systemd/userdb/io.systemd.DynamicUser: Changing state idle-client → awaiting-reply
varlink: Setting state idle-client
/run/systemd/userdb/io.systemd.Machine: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"myuser","service":"io.systemd.Machine"}}
/run/systemd/userdb/io.systemd.Machine: Changing state idle-client → awaiting-reply
/run/systemd/userdb/io.systemd.DynamicUser: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound","parameters":{}}
/run/systemd/userdb/io.systemd.DynamicUser: Changing state awaiting-reply → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/io.systemd.DynamicUser: Changing state processing-reply → idle-client
/run/systemd/userdb/io.systemd.Machine: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound","parameters":{}}
/run/systemd/userdb/io.systemd.Machine: Changing state awaiting-reply → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/io.systemd.Machine: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/io.systemd.DynamicUser: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"gid":1000,"service":"io.systemd.DynamicUser"}}
/run/systemd/userdb/io.systemd.DynamicUser: Changing state idle-client → awaiting-reply
varlink: Setting state idle-client
/run/systemd/userdb/io.systemd.Machine: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"gid":1000,"service":"io.systemd.Machine"}}
/run/systemd/userdb/io.systemd.Machine: Changing state idle-client → awaiting-reply
/run/systemd/userdb/io.systemd.DynamicUser: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound","parameters":{}}
/run/systemd/userdb/io.systemd.DynamicUser: Changing state awaiting-reply → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/io.systemd.DynamicUser: Changing state processing-reply → idle-client
/run/systemd/userdb/io.systemd.Machine: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound","parameters":{}}
/run/systemd/userdb/io.systemd.Machine: Changing state awaiting-reply → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/io.systemd.Machine: Changing state processing-reply → idle-client
Failed to do shadow lookup for group myuser, ignoring: No such process
Successfully forked off '(sd-mkuserns)' as PID 299402.
Umounting /var/lib/machines/jammy...
Failed to unmount /var/lib/machines/jammy: Device or resource busy
Failed to set up ID mapped mounts: Device or resource busy
Short read while reading cgroup mode (0 bytes). The child is most likely dead.
It seems to me that there is an issue with the user/group lookup. Does anyone have a similar working setup, or any suggestion on where to continue debugging this?
An alternative would be to create the user in the container and just bind the home directory.
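The alternative the question ends with (create the account inside the container and bind the host home directory instead of using --bind-user=), written out as an added example. This is not code from the original post and it does not claim to explain the EBUSY failure in the log above. It assumes the rootfs produced by the debootstrap command at /var/lib/machines/jammy, a host account named myuser, a shadow-utils useradd that supports --root, and a host systemd-nspawn whose --bind= accepts the idmap mount option (systemd 250 or newer is assumed here; on older hosts drop ":idmap" and chown the home into the picked UID range instead). The idmap option also needs a source filesystem that supports ID-mapped mounts (ext4, xfs, btrfs, tmpfs on recent kernels).

```bash
#!/bin/sh
# Added example, not part of the original post: create the user inside the
# container rootfs and bind the host home directory into it.
# Assumed paths and names (not from the post): ROOTFS, CONTAINER_USER.
set -eu

ROOTFS=${ROOTFS:-/var/lib/machines/jammy}
CONTAINER_USER=${CONTAINER_USER:-myuser}
# Both privileged commands are overridable so the script can be dry-run as
# a normal user (USERADD=echo NSPAWN=echo) to inspect what it would execute.
USERADD=${USERADD:-useradd}
NSPAWN=${NSPAWN:-systemd-nspawn}

# Resolve the host account through the host user database. The debug log in
# the question shows exactly this lookup failing inside nspawn for --bind-user=.
host_uid()  { id -u "$1" 2>/dev/null; }
host_home() { getent passwd "$1" | cut -d: -f6; }

# Create the account in the container's /etc/passwd, /etc/shadow and /etc/group
# (useradd --root edits the files under ROOTFS, not the host's). Reusing the
# host UID keeps ownership of the bound home consistent on both sides.
create_container_user() {
  name=$1; uid=$2; home=$3
  "$USERADD" --root "$ROOTFS" --uid "$uid" --user-group \
             --home-dir "$home" --no-create-home --shell /bin/bash "$name"
}

# Start the container. --private-users=pick still gives it a random UID range,
# as in the question; the idmap bind option shifts the bound home into that
# range so its files belong to the container user rather than to "nobody".
# --user= is resolved against the container's passwd, hence the useradd above.
start_container() {
  name=$1; home=$2
  "$NSPAWN" -D "$ROOTFS" \
    --private-users=pick \
    --private-users-ownership=auto \
    --bind="$home:$home:idmap" \
    --setenv=PATH=/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin \
    --user="$name"
}

run_container() {
  name=$1
  uid=$(host_uid "$name") || { echo "host user $name not found" >&2; return 1; }
  home=$(host_home "$name")
  # Only add the account if the rootfs does not already know it.
  if ! grep -q "^$name:" "$ROOTFS/etc/passwd" 2>/dev/null; then
    create_container_user "$name" "$uid" "$home"
  fi
  start_container "$name" "$home"
}

# Usage: sudo ./nspawn-home.sh --run [username]
if [ "${1:-}" = "--run" ]; then
  run_container "${2:-$CONTAINER_USER}"
fi
```

Running it with `USERADD=echo NSPAWN=echo ./nspawn-home.sh --run myuser` prints the useradd and systemd-nspawn command lines without touching the rootfs, which is a convenient way to review the exact flags before running them as root.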