<div dir="ltr"><div>Docker starts lxc in the following way:</div><div><br></div>lxc-start -n 97a0813ce28954250aaa807567c9053e3e443a8651791e9c591572b0850095af /.dockerinit -driver lxc -g 172.17.42.1 -i <a href="http://172.17.0.2/16">172.17.0.2/16</a> -mtu 1500 -- /bin/true<br>
<div><br></div><div>strace of lxc-start: <a href="https://gist.github.com/farcaller/6fd5b23952675aed894d">https://gist.github.com/farcaller/6fd5b23952675aed894d</a></div><div><br></div><div>it doesn't seem to run ./dockerinit in case of failure.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 3, 2014 at 8:14 PM, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">Quoting Vladimir Pouzanov (<a href="mailto:farcaller@gmail.com">farcaller@gmail.com</a>):<br>
> This bug happens with docker, but I don't see any traction on my issue over<br>
> there so trying to escalate further. The original bug report is here:<br>
> <a href="https://github.com/dotcloud/docker/issues/4556" target="_blank">https://github.com/dotcloud/docker/issues/4556</a>, here are all the<br>
> interesting details.<br>
><br>
> I'm running an armv7 box (wandboard) with 3.14.4-1-ARCH kernel. I cannot<br>
> reliably use docker (with lxc driver, or with native driver) as it crashes<br>
> often (on the last docker/lxc/kernel combo I get 41 out of 100 failures<br>
> with native docker and 23 out of 100 with lxc).<br>
><br>
> The lxc version is 1.0.3, docker is 0.11.1.<br>
><br>
> From docker side the error looks like:<br>
> finalize namespace drop capabilities operation not permitted<br>
><br>
> (generated by docker capabilities module,<br>
> <a href="https://github.com/dotcloud/docker/blob/master/pkg/libcontainer/security/capabilities/capabilities.go#L32" target="_blank">https://github.com/dotcloud/docker/blob/master/pkg/libcontainer/security/capabilities/capabilities.go#L32</a><br>
> )<br>
><br>
> lxc-start just silently returns 1 and I didn't manage to get any reasonable<br>
> log output from it.<br>
<br>
</div>How did you use lxc-start exactly?<br>
<div class=""><br>
> I managed to look a bit deeper into kernel side of things on what is<br>
> failing exactly, and the offending syscall seems to be:<br>
><br>
> <a href="https://github.com/torvalds/linux/blob/master/kernel/capability.c#L240" target="_blank">https://github.com/torvalds/linux/blob/master/kernel/capability.c#L240</a><br>
><br>
> where pid is always 1 and task_pid_vnr(current) is 7, sometimes 6, rarely 1<br>
> (the good case).<br>
<br>
</div>You'll probably want to get init to run under strace so you can figure out<br>
why current is pid 7 instead of 1. What binary is it actually that's doing<br>
the capset?<br>
<div class=""><br>
> Any ideas on what could be going wrong? What other info can I provide to<br>
> track this bug down?<br>
><br>
> --<br>
> Sincerely,<br>
> Vladimir "Farcaller" Pouzanov<br>
> <a href="http://farcaller.net/" target="_blank">http://farcaller.net/</a><br>
<br>
</div>> _______________________________________________<br>
> lxc-users mailing list<br>
> <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></blockquote></div><br><br clear="all"><div><br></div>-- <br>Sincerely,<br>Vladimir "Farcaller" Pouzanov<br>
<a href="http://farcaller.net/">http://farcaller.net/</a>
</div>