<div dir="ltr">Ok, sorry for bringing this up here; this is actually a problem in docker. It doesn't matter if lxc is used to bootstrap the namespace, the failure is inside dockerinit.</div><div class="gmail_extra"><br>
<br><div class="gmail_quote">On Wed, Jun 4, 2014 at 12:46 AM, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sorry, I meant wrapping .dockerinit itself. But perhaps the best place<br>
to start is to just create and run a regular container, to make sure<br>
you're not having some arm/kernel/other bug:<br>
<br>
sudo lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amd64<br>
sudo lxc-start -n u1<br>
<span class="HOEnZb"><font color="#888888"><br>
-serge<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
Quoting Vladimir Pouzanov (<a href="mailto:farcaller@gmail.com">farcaller@gmail.com</a>):<br>
> Docker starts lxc in the following way:<br>
><br>
> lxc-start -n<br>
> 97a0813ce28954250aaa807567c9053e3e443a8651791e9c591572b0850095af<br>
> /.dockerinit -driver lxc -g 172.17.42.1 -i <a href="http://172.17.0.2/16" target="_blank">172.17.0.2/16</a> -mtu 1500 --<br>
> /bin/true<br>
><br>
> strace of lxc-start: <a href="https://gist.github.com/farcaller/6fd5b23952675aed894d" target="_blank">https://gist.github.com/farcaller/6fd5b23952675aed894d</a><br>
><br>
> it doesn't seem to run ./dockerinit in case of failure.<br>
><br>
><br>
> On Tue, Jun 3, 2014 at 8:14 PM, Serge Hallyn <<a href="mailto:serge.hallyn@ubuntu.com">serge.hallyn@ubuntu.com</a>><br>
> wrote:<br>
><br>
> > Quoting Vladimir Pouzanov (<a href="mailto:farcaller@gmail.com">farcaller@gmail.com</a>):<br>
> > > This bug happens with docker, but I don't see any traction on my issue<br>
> > over<br>
> > > there so trying to escalate further. The original bug report is here:<br>
> > > <a href="https://github.com/dotcloud/docker/issues/4556" target="_blank">https://github.com/dotcloud/docker/issues/4556</a>, here are all the<br>
> > > interesting details.<br>
> > ><br>
> > > I'm running an armv7 box (wandboard) with 3.14.4-1-ARCH kernel. I cannot<br>
> > > reliably use docker (with lxc driver, or with native driver) as it<br>
> > crashes<br>
> > > often (on the last docker/lxc/kernel combo I get 41 out of 100 failures<br>
> > > with native docker and 23 out of 100 with lxc).<br>
> > ><br>
> > > The lxc version is 1.0.3, docker is 0.11.1.<br>
> > ><br>
> > > From docker side the error looks like:<br>
> > > finalize namespace drop capabilities operation not permitted<br>
> > ><br>
> > > (generated by docker capabilities module,<br>
> > ><br>
> > <a href="https://github.com/dotcloud/docker/blob/master/pkg/libcontainer/security/capabilities/capabilities.go#L32" target="_blank">https://github.com/dotcloud/docker/blob/master/pkg/libcontainer/security/capabilities/capabilities.go#L32</a><br>
> > > )<br>
> > ><br>
> > > lxc-start just silently returns 1 and I didn't manage to get any<br>
> > reasonable<br>
> > > log output from it.<br>
> ><br>
> > How did you use lxc-start exactly?<br>
> ><br>
> > > I managed to look a bit deeper into kernel side of things on what is<br>
> > > failing exactly, and the offending syscall seems to be:<br>
> > ><br>
> > > <a href="https://github.com/torvalds/linux/blob/master/kernel/capability.c#L240" target="_blank">https://github.com/torvalds/linux/blob/master/kernel/capability.c#L240</a><br>
> > ><br>
> > > where pid is always 1 and task_pid_vnr(current) is 7, sometimes 6,<br>
> > rarely 1<br>
> > > (the good case).<br>
> ><br>
> > You'll probably want to get init to run under strace so you can figure out<br>
> > why current is pid 7 instead of 1. What binary is it actually that's doing<br>
> > the capset?<br>
> ><br>
> > > Any ideas on what could be going wrong? What other info can I provide to<br>
> > > track this bug down?<br>
> > ><br>
> > > --<br>
> > > Sincerely,<br>
> > > Vladimir "Farcaller" Pouzanov<br>
> > > <a href="http://farcaller.net/" target="_blank">http://farcaller.net/</a><br>
> ><br>
> > > _______________________________________________<br>
> > > lxc-users mailing list<br>
> > > <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> > > <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
> ><br>
><br>
><br>
><br>
><br>
> --<br>
> Sincerely,<br>
> Vladimir "Farcaller" Pouzanov<br>
> <a href="http://farcaller.net/" target="_blank">http://farcaller.net/</a><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Sincerely,<br>
Vladimir "Farcaller" Pouzanov<br><a href="http://farcaller.net/">http://farcaller.net/</a>
</div>
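An added example (not code from this thread, from Docker or from LXC) that exercises the capset() pid check the thread points at in kernel/capability.c: re-applying the caller's own capability sets with a header pid of 0 or its own pid is accepted, while any other pid (pid 1 in the thread's failing case, issued from a process that is pid 7 in its namespace) is rejected with EPERM. It assumes Linux and needs no privileges, since the sets are written back unchanged.

```c
/*
 * Added example: demonstrates the capset() pid check in kernel/capability.c.
 * The kernel only lets a process change its own capabilities, so the header
 * pid must be 0 or task_pid_vnr(current); anything else yields EPERM.
 * Build: gcc -o capset_check capset_check.c
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Read the caller's current capability sets (two 32-bit halves via the v3 ABI). */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = 0,
    };
    return syscall(SYS_capget, &hdr, data);
}

/*
 * Write the caller's own capability sets back unchanged, claiming in the
 * header that they belong to 'pid'. Returns 0 on success or the errno value
 * otherwise. Because nothing is raised, an unprivileged process passes every
 * other capset() check; only the pid comparison can make this fail.
 */
int capset_as_pid(int pid)
{
    struct __user_cap_data_struct data[2];
    if (read_caps(data) != 0)
        return errno;
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = pid,
    };
    if (syscall(SYS_capset, &hdr, data) != 0)
        return errno;
    return 0;
}

int main(void)
{
    /* pid 0 and our own pid are accepted; pid 1 (as in the thread) is not
     * unless this process really is pid 1 in its own pid namespace. */
    printf("pid=0        -> %s\n", strerror(capset_as_pid(0)));
    printf("pid=getpid() -> %s\n", strerror(capset_as_pid(getpid())));
    printf("pid=1        -> %s\n", strerror(capset_as_pid(1)));
    return 0;
}
```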