[lxc-devel] LXC container fails to start by complaining that it is unable to unmount the old pivot-root

Daniel Lezcano daniel.lezcano at free.fr
Tue Feb 2 18:06:11 UTC 2010


Andrian Nord wrote:
> On Mon, Feb 01, 2010 at 01:54:15PM -0500, Michael H. Warfield wrote:
>   
>> On Mon, 2010-02-01 at 19:46 +0200, Ciprian Dorin, Craciun wrote: 
>>     
>>> Hello all!
>>>       
>>> I have a quite strange problem: the container fails to start and
>>> complains about being unable to unmount the old pivot root.
>>>     (What is strange is that I remember that one month ago the same
>>> setup worked (lxc binaries and config file, but maybe 2.6.31 kernel).
>>> Now neither the old binaries nor the latest ones from Git work.)
>>>       
>
> Taken from http://blog.flameeyes.eu/2010/01/31/lxc-s-unpolished-code
> "So what about the 0.6.5 problem? Well the problem came to be because
> 0.6.5 actually implements a nice feature (contributed by a non-core
> developer it seems): root pivoting. The idea is to drop access to the
> old root, so that the guest cannot in any way access the host’s
> filesystem unless given access to. It’s a very good idea, but there are
> two problems with it: it doesn’t really do it systematically, but rather
> with a “try and hope” approach, and it failed under certain conditions,
> saying that the original root is still busy (note here, since this
> happens within the cgroup’s mount namespace, it doesn’t matter to the
> rest of the system).
>
> At the end, last night I was able to identify the problem: I had this
> line in the fstab file used by lxc itself:
> none /tmp tmpfs size=200m 0 0
>
> What’s wrong with it? The mountpoint. The fstab (and lxc.mount commands)
> are used without previous validation or handling, so this is not
> mounting the /tmp for the guest, but the /tmp for the host, within the
> guest’s mount namespace. The result is that /tmp gets mounted twice
> (once inherited by the base mount namespace, once within the guest’s
> namespace), but it’s only unmounted once (as the unmount list keeps each
> mount point exactly once). This is quite an obvious error on my part, I
> should have used /media/chroots/tinderbox/tmp as mountpoint, but LXC
> being unable to catch the mistake in mountpoint (at least warning about
> it) is a definite problem."
>
> That's the Gentoo maintainer for lxc ebuilds. Could you check whether this is
> the source of the problem?
>   

Ha ! Let's check ! :)
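The quoted post describes an lxc fstab entry whose mount point (/tmp) is a host path rather than a path under the container's rootfs, so the mount lands on the host's /tmp inside the guest's mount namespace and the old root cannot be unmounted after pivot_root. The following check, written for this page as an added example and not code from LXC or from any participant in the thread, scans such a fstab and flags every absolute mount point that does not lie under the given rootfs. It assumes, as the post states, that absolute mount points are used literally inside the container's mount namespace; relative mount points are not examined. The two fstab files it is run on are constructed here from the entries mentioned in the post (the mistaken /tmp line and the corrected /media/chroots/tinderbox/tmp line).

```shell
#!/bin/sh
# Added example: validate the mount points in an lxc.mount fstab.
# Usage: check_lxc_fstab ROOTFS FSTAB
#   Prints each entry whose mount point is an absolute path outside ROOTFS
#   (that entry would mount over the host's directory inside the guest's
#   mount namespace). Returns 0 if the fstab is clean, 1 otherwise.
#   Relative mount points are not checked (assumption: out of scope here).
check_lxc_fstab() {
    lxc_rootfs=${1%/}          # strip a trailing slash so patterns below match
    lxc_fstab=$2
    lxc_bad=0
    while IFS= read -r lxc_line || [ -n "$lxc_line" ]; do
        # skip blank lines and comments
        case "$lxc_line" in
            ''|\#*) continue ;;
        esac
        # fstab layout: <fsname> <mountpoint> <type> <options> <dump> <pass>
        set -- $lxc_line
        lxc_mnt=$2
        [ -n "$lxc_mnt" ] || continue
        case "$lxc_mnt" in
            "$lxc_rootfs"|"$lxc_rootfs"/*)
                ;;                                  # under the container rootfs: fine
            /*)
                echo "host path used as mount point: $lxc_line"
                lxc_bad=1 ;;
            *)
                ;;                                  # relative: not examined by this check
        esac
    done < "$lxc_fstab"
    return $lxc_bad
}

# Demo on constructed input: the mistaken entry from the post beside the
# corrected one, checked against the rootfs /media/chroots/tinderbox.
demo_lxc_fstab_check() {
    demo_tmp=$(mktemp -d)
    printf 'none /tmp tmpfs size=200m 0 0\n' > "$demo_tmp/bad.fstab"
    printf 'none /media/chroots/tinderbox/tmp tmpfs size=200m 0 0\n' > "$demo_tmp/good.fstab"
    check_lxc_fstab /media/chroots/tinderbox "$demo_tmp/bad.fstab";  demo_r1=$?
    check_lxc_fstab /media/chroots/tinderbox "$demo_tmp/good.fstab"; demo_r2=$?
    rm -rf "$demo_tmp"
    echo "bad.fstab -> $demo_r1, good.fstab -> $demo_r2"
}

demo_lxc_fstab_check
```

The check is deliberately narrow: it only compares the second fstab field against the rootfs prefix, which is exactly the validation the post says LXC 0.6.5 did not perform. Running it over the container's fstab before `lxc-start` turns the "old root is busy" failure at pivot time into a clear message naming the offending line.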




