[lxc-devel] LXC container fails to start by complaining that it is unable to unmount the old pivot-root

Andrian Nord nightnord at gmail.com
Tue Feb 2 15:43:56 UTC 2010


On Mon, Feb 01, 2010 at 01:54:15PM -0500, Michael H. Warfield wrote:
> On Mon, 2010-02-01 at 19:46 +0200, Ciprian Dorin, Craciun wrote: 
> > Hello all!
> 
> > I have a quite strange problem: the container fails to start and
> > complains about being unable to unmount the old pivot root.
> >     (What is strange is that I remember that one month ago the same
> > setup worked (lxc binaries and config file, but maybe 2.6.31 kernel).
> > Now neither the old binaries nor the latest ones from Git work.)

Taken from http://blog.flameeyes.eu/2010/01/31/lxc-s-unpolished-code
"So what about the 0.6.5 problem? Well the problem came to be because
0.6.5 actually implements a nice feature (contributed by a non-core
developer it seems): root pivoting. The idea is to drop access to the
old root, so that the guest cannot in any way access the host’s
filesystem unless given access to. It’s a very good idea, but there are
two problems with it: it doesn’t really do it systematically, but rather
with a “try and hope” approach, and it failed under certain conditions,
saying that the original root is still busy (note here, since this
happens within the cgroup’s mount namespace, it doesn’t matter to the
rest of the system).

At the end, last night I was able to identify the problem: I had this
line in the fstab file used by lxc itself:
none /tmp tmpfs size=200m 0 0

What’s wrong with it? The mountpoint. The fstab (and lxc.mount commands)
are used without previous validation or handling, so this is not
mounting the /tmp for the guest, but the /tmp for the host, within the
guest’s mount namespace. The result is that /tmp gets mounted twice
(once inherited by the base mount namespace, once within the guest’s
namespace), but it’s only unmounted once (as the unmount list keeps each
mount point exactly once). This is quite an obvious error on my part, I
should have used /media/chroots/tinderbox/tmp as mountpoint, but LXC
being unable to catch the mistake in mountpoint (at least warning about
it) is a definite problem."

That's the Gentoo maintainer for lxc ebuilds. Could you check if this is
the source of the problem?
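As an added example (not LXC's own code and not from anyone in this thread), here is a small Python check for the class of mistake the quoted post describes: it parses an lxc-style fstab and flags every mountpoint that does not lie under the container's rootfs, since such an entry is mounted over the host path inside the guest's mount namespace and then confuses the pivot-root cleanup. The rootfs path and the sample fstab are constructed for the example, reusing the /tmp and /media/chroots/tinderbox paths from the quoted post.

```python
"""Flag lxc fstab mountpoints that fall outside the container rootfs.

Added example, not LXC code. It assumes the behaviour described in the
quoted blog post: fstab / lxc.mount mountpoints are taken literally in the
host's path space, so an absolute path that does not start with the
container rootfs ends up mounting over the host's directory inside the
guest's mount namespace (and is then seen twice at unmount time).
"""
import posixpath

# Constructed rootfs path, taken from the corrected example in the post.
ROOTFS = "/media/chroots/tinderbox"

# Constructed sample fstab: line 2 reproduces the mistake from the post,
# line 3 is the corrected form, the rest are ordinary entries; the last
# one is a bind mount whose target is a host path by accident.
SAMPLE_FSTAB = """\
# lxc fstab for the tinderbox container (constructed sample)
none /tmp tmpfs size=200m 0 0
none /media/chroots/tinderbox/tmp tmpfs size=200m 0 0
proc /media/chroots/tinderbox/proc proc nodev,noexec,nosuid 0 0
sysfs /media/chroots/tinderbox/sys sysfs defaults 0 0
/usr/portage /usr/portage none bind 0 0
"""


def parse_fstab(text):
    """Yield (lineno, fs_spec, mountpoint, fstype, options) per entry.

    Blank lines and comments are skipped; an entry with fewer than three
    fields is reported as malformed via ValueError carrying the line number.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(
                f"line {lineno}: expected at least 3 fields, got {len(fields)}")
        options = fields[3] if len(fields) > 3 else "defaults"
        yield lineno, fields[0], fields[1], fields[2], options


def mountpoint_inside_rootfs(mountpoint, rootfs):
    """True if the normalised absolute mountpoint is rootfs or below it.

    normpath collapses '..' so '/media/chroots/tinderbox/../etc' is
    correctly rejected; the trailing '/' check stops '/media/chroots/tinderboxx'
    from passing as a prefix match.
    """
    mp = posixpath.normpath(mountpoint)
    root = posixpath.normpath(rootfs)
    if not mp.startswith("/"):
        return False  # relative paths are not treated as safely inside rootfs
    return mp == root or mp.startswith(root.rstrip("/") + "/")


def check_lxc_fstab(text, rootfs=ROOTFS):
    """Return a list of (lineno, mountpoint, reason) for suspicious entries."""
    problems = []
    for lineno, _spec, mountpoint, _fstype, _opts in parse_fstab(text):
        if not mountpoint_inside_rootfs(mountpoint, rootfs):
            problems.append((
                lineno, mountpoint,
                "mountpoint is outside the container rootfs; it mounts over "
                "the host path inside the guest's mount namespace"))
    return problems


if __name__ == "__main__":
    for lineno, mountpoint, reason in check_lxc_fstab(SAMPLE_FSTAB):
        print(f"line {lineno}: {mountpoint}: {reason}")
```

Run against the sample, the check reports line 2 (/tmp) and line 6 (/usr/portage) and accepts the three entries rooted under /media/chroots/tinderbox; pointing it at a real container's fstab with its lxc.rootfs value is the warning the post says LXC itself was missing.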