sandbox doesn't work in LXD with security.nesting=true #155

Closed
AkihiroSuda opened this issue Oct 18, 2019 · 6 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@AkihiroSuda
Member

$ lxc storage create pool-dir dir
$ lxc launch ubuntu:19.04 ubuntu1904 -s pool-dir -c security.nesting=true
$ strace -f slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) --enable-sandbox tap0
...
write(1, "* Recommended IP:  10.0.2.100\n", 30* Recommended IP:  10.0.2.100
) = 30
geteuid()                               = 1001
openat(AT_FDCWD, "/proc/3122/ns/user", O_RDONLY) = 3
setns(3, CLONE_NEWUSER)                 = 0
close(3)                                = 0
close(-1)                               = -1 EBADF (Bad file descriptor)
setresgid(-1, 0, -1)                    = 0
setresuid(-1, 0, -1)                    = 0
openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = 3
read(3, "\357e]\207\35\203)\36@\253\273m\6\2415j", 16) = 16
close(3)                                = 0
futex(0x7f8c29790f68, FUTEX_WAKE_PRIVATE, 2147483647) = 0
brk(0x56140053e000)                     = 0x56140053e000
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f8c2945ff60}, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, 8) = 0
unshare(CLONE_NEWNS)                    = 0
mount("", "/", 0x5614001c8d77, MS_PRIVATE, NULL) = 0
mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, "size=1k") = 0
mkdir("/tmp/etc", 0755)                 = 0
mkdir("/tmp/old", 0755)                 = 0
mkdir("/tmp/run", 0755)                 = 0
mount("/etc", "/tmp/etc", 0x5614001c8d77, MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_BIND|MS_REC|MS_SLAVE, NULL) = 0
mount("/etc", "/tmp/etc", 0x5614001c8d77, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
mount("/run", "/tmp/run", 0x5614001c8d77, MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_BIND|MS_REC|MS_SLAVE, NULL) = 0
mount("/run", "/tmp/run", 0x5614001c8d77, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
chdir("/tmp")                           = 0
pivot_root(".", "old")                  = 0
chdir("/")                              = 0
umount2("/old", MNT_DETACH)             = 0
rmdir("/old")                           = 0
mount("tmpfs", "/", 0x5614001c827f, MS_RDONLY|MS_REMOUNT, "size=0k") = -1 EACCES (Permission denied)
write(2, "cannot mount tmpfs on /tmp\n", 27cannot mount tmpfs on /tmp
) = 27
write(2, "create_sandbox failed\n", 22create_sandbox failed
) = 22
write(2, "do_slirp is exiting\n", 20do_slirp is exiting
)   = 20
brk(0x56140052e000)                     = 0x56140052e000
write(2, "do_slirp failed\n", 16do_slirp failed
)       = 16
close(5)                                = 0
write(2, "parent failed\n", 14parent failed
)         = 14
exit_group(1)                           = ?
+++ exited with 1 +++
  • slirp4netns: 0.4.1-1~ubuntu19.04~ppa4
  • LXD: 3.18
  • host: Ubuntu 19.04
  • kernel: 5.0.0-29-generic

originally reported in containers/podman#4131 (comment)

@AkihiroSuda AkihiroSuda added bug Something isn't working help wanted Extra attention is needed labels Oct 18, 2019
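The strace above shows the whole sandbox setup sequence: enter a user namespace, unshare a mount namespace, make / private, put a tiny tmpfs on /tmp, bind-mount /etc and /run into it read-only, pivot_root into it, and finally remount the new root read-only, which is the step that fails with EACCES inside the nested LXD container. The C program below is an added example written for this page, not slirp4netns's own create_sandbox code: it replays that sequence in a forked child and reports the first step that fails together with its errno, so a reporter can check which step an environment refuses. It differs from slirp4netns in two labelled places: it creates a fresh user namespace with unshare and maps the caller's own uid/gid to 0 (slirp4netns instead enters the target process's existing user namespace with setns), and it omits the /run bind mount. The function and step names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Linux namespace flags; defined here so the probe builds without GNU headers. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Steps of the sandbox setup, in the order the strace in the issue shows them. */
enum { STEP_OK = 0, STEP_USERNS, STEP_MOUNTNS, STEP_PRIVATE, STEP_TMPFS,
       STEP_MKDIR, STEP_BIND_ETC, STEP_PIVOT, STEP_REMOUNT_RO, STEP_COUNT };

static const char *const step_names[STEP_COUNT] = {
    "ok", "unshare(CLONE_NEWUSER)+id maps", "unshare(CLONE_NEWNS)",
    "make / private", "tmpfs on /tmp", "mkdir /tmp/{etc,old}",
    "bind /etc read-only", "pivot_root", "remount / read-only (size=0k)" };

const char *step_name(int step) {
    return (step >= 0 && step < STEP_COUNT) ? step_names[step] : "internal error";
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Runs in the forked child. Returns the first step that failed, or STEP_OK. */
static int run_steps(void) {
    char map[64];
    uid_t uid = getuid();
    gid_t gid = getgid();
    /* Assumption of this probe: slirp4netns does setns() into the target's user
     * namespace; we have none, so create one and map our own uid/gid to 0. */
    if (syscall(SYS_unshare, CLONE_NEWUSER) < 0) return STEP_USERNS;
    if (write_file("/proc/self/setgroups", "deny") < 0) return STEP_USERNS;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/uid_map", map) < 0) return STEP_USERNS;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) < 0) return STEP_USERNS;
    if (syscall(SYS_unshare, CLONE_NEWNS) < 0) return STEP_MOUNTNS;
    /* Recursive here; the trace shows MS_PRIVATE on / alone. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return STEP_PRIVATE;
    if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC, "size=1k") < 0)
        return STEP_TMPFS;
    if (mkdir("/tmp/etc", 0755) < 0 || mkdir("/tmp/old", 0755) < 0) return STEP_MKDIR;
    /* Same two-call pattern as the trace: recursive bind, then remount read-only. */
    if (mount("/etc", "/tmp/etc", NULL,
              MS_BIND | MS_REC | MS_SLAVE | MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0 ||
        mount("/etc", "/tmp/etc", NULL,
              MS_REMOUNT | MS_BIND | MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0)
        return STEP_BIND_ETC;
    if (chdir("/tmp") < 0 || syscall(SYS_pivot_root, ".", "old") < 0 || chdir("/") < 0 ||
        umount2("/old", MNT_DETACH) < 0 || rmdir("/old") < 0)
        return STEP_PIVOT;
    /* The call that returned EACCES in the LXD report. */
    if (mount("tmpfs", "/", NULL, MS_RDONLY | MS_REMOUNT, "size=0k") < 0) return STEP_REMOUNT_RO;
    return STEP_OK;
}

/* Forks a child to run the sequence; the child's namespaces die with it.
 * Returns the failing step (STEP_OK on success, -1 if the probe itself could
 * not run) and stores the errno of the failure in *err_out. */
int sandbox_probe(int *err_out) {
    int fds[2];
    if (pipe(fds) < 0) { *err_out = errno; return -1; }
    pid_t pid = fork();
    if (pid < 0) { *err_out = errno; close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        int res[2];
        res[0] = run_steps();
        res[1] = (res[0] == STEP_OK) ? 0 : (errno ? errno : EIO);
        if (write(fds[1], res, sizeof res) != (ssize_t)sizeof res) _exit(2);
        _exit(0);
    }
    close(fds[1]);
    int res[2] = { -1, EIO };
    ssize_t n = read(fds[0], res, sizeof res);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof res) { *err_out = EIO; return -1; }
    *err_out = res[1];
    return res[0];
}

int main(void) {
    int err = 0;
    int step = sandbox_probe(&err);
    if (step == STEP_OK) printf("sandbox sequence completed in this environment\n");
    else if (step < 0) printf("probe could not run: %s\n", strerror(err));
    else printf("failed at step %d (%s): %s\n", step, step_name(step), strerror(err));
    return step == STEP_OK ? 0 : 1;
}
```

Run it unprivileged inside the environment under test; output such as "failed at step 8 (remount / read-only (size=0k)): Permission denied" reproduces the failure in this report, while a failure at step 1 means the environment does not allow unprivileged user namespaces at all and the later steps were never reached.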
@c-goes

c-goes commented Oct 18, 2019

I tried running slirp4netns as user in LXD as described in https://github.com/rootless-containers/slirp4netns (Usage).
This worked without problems, so I can confirm this error is because of the --enable-sandbox option.

@AkihiroSuda
Member Author

TODO: test v0.4.2

@AkihiroSuda
Member Author

still not fixed in v0.4.2

@AkihiroSuda
Member Author

@giuseppe any chance to look into this? Wondering if we can get this fixed in the next release along with #160

@AkihiroSuda
Member Author

#163 (v0.4.3) should have fixed the issue. Let us know if not.

@c-goes

c-goes commented Jan 16, 2020

Works great. Thank you.
