[lxc-devel] Error "unshare: Operation not permitted" when trying to create user container

Brian Campbell lambda at continuation.org
Tue Feb 18 05:43:01 UTC 2014


On Feb 18, 2014, at 12:16 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

>> Ah, that's the ticket:
>> 
>> lambda at gherkin:~$ cat /proc/sys/kernel/unprivileged_userns_clone
>> 0
>> 
>> Looks like this is a Debian specific patch,
> 
> *cough* pls not to ask how i knew to query it kthx
> 
>> which is why looking at the upstream kernel source left me puzzled about why I'd be getting an EPERM.
>> 
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712870
>> 
>> * namespaces: Enable USER_NS (Closes: #712870)
>>     - Restrict creation of user namespaces to root (CAP_SYS_ADMIN) by
>>       default (sysctl: kernel.unprivileged_userns_clone)
>> 
>> Works much better when I flip that to 1!
>> 
>>    lambda at gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t download -- -d ubuntu -r precise -a amd64
>>    Setting up the GPG keyring
>>    Downloading the image index
>>    Downloading the rootfs
>>    Downloading the metadata
>>    The image cache is now ready
>>    Unpacking the rootfs
>> 
>>    ---
>>    You just created an Ubuntu container (release=precise, arch=amd64).
>>    The default username/password is: ubuntu / ubuntu
>>    To gain root privileges, please use sudo.
>> 
>> Now I need to figure out what is required for the setup of cgroups,
>> since now that's failing. It looks like it's trying to clear out the
>> cgroup hierarchy to be able to set it up differently, but obviously
>> doesn't have permissions to do so. I'm running systemd, which uses the
>> cgroup hierarchy already. I've seen references to cgroup-lite,
>> cgroup-bin, and cgroup-tools; do I need one of these packages to
>> set up cgroups appropriately for unprivileged containers? Or is it
>> possible to do natively with systemd?
>> 
>> lambda at gherkin:lxc$ lxc-start -n precise-test
>> lxc_container: Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
> 
> I thought we'd stopped doing that, but I guess not fully.
> Could you try this patch?
> 
> Subject: [PATCH 1/1] continue if we cannot set cpuset.clonechildren
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

It does get rid of that specific error, but still goes on to fail:

lambda at gherkin:lxc (master)$ lxc-start -n precise-test
lxc_container: Permission denied - Could not create cgroup /precise-test
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cups.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/gdomap.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cups-browsed.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/netatalk.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/udisks2.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/colord.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/upower.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/winbind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/smbd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/console-kit-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/acpid.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/polkitd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/gdm3.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/getty at .service/getty at tty1.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/getty at .service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/accounts-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/network-manager.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/dbus.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/rsyslog.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-logind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ntp.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ssh.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cron.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/nmbd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/avahi-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/incron.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/atd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/minissdpd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/exim4.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/mdadm.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ifup at .service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/nfs-common.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/rpcbind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-fsck at .service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-udevd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-journald.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
lxc_container: failed creating cgroups
lxc_container: failed to spawn 'precise-test' 
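Both failures in this thread (EPERM from unshare(CLONE_NEWUSER) while kernel.unprivileged_userns_clone is 0, and lxc-start unable to create a child cgroup in hierarchies the user does not own) can be checked before starting a container. The following diagnostic is an added example, not code from the thread or from LXC; it assumes Linux with Python 3.9+ and the usual layout where each cgroup v1 hierarchy is mounted at /sys/fs/cgroup/<controllers> and the unified hierarchy at /sys/fs/cgroup itself.

```python
import ctypes
import errno
import os

CLONE_NEWUSER = 0x10000000  # from <linux/sched.h>
DEBIAN_SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"  # Debian-only knob from the thread

def parse_proc_cgroup(text):
    """Parse 'hierarchy-id:controllers:path' lines of /proc/self/cgroup (v2 lines have empty controllers)."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:  # skip blank or malformed lines
            entries.append((parts[1], parts[2]))
    return entries

def cgroup_dirs(entries, mount_root="/sys/fs/cgroup"):
    """Directory lxc-start would have to create a child cgroup in, per hierarchy. Assumes v1 hierarchies
    mounted at <mount_root>/<controllers> ('name=systemd' at <mount_root>/systemd), v2 at <mount_root>."""
    dirs = {}
    for controllers, path in entries:
        name = controllers[5:] if controllers.startswith("name=") else controllers
        base = mount_root if name == "" else os.path.join(mount_root, name)
        dirs[controllers or "unified"] = os.path.normpath(base + path)  # squashes the '//' seen in the log
    return dirs

def userns_allowed():
    """unshare(CLONE_NEWUSER) in a forked child; (False, errno.EPERM) is the thread's first failure."""
    libc = ctypes.CDLL(None, use_errno=True)
    pid = os.fork()
    if pid == 0:
        rc = libc.unshare(CLONE_NEWUSER)
        os._exit(0 if rc == 0 else ctypes.get_errno())
    _, status = os.waitpid(pid, 0)
    code = os.waitstatus_to_exitcode(status)
    return code == 0, code

def report():
    if os.path.exists(DEBIAN_SYSCTL):
        with open(DEBIAN_SYSCTL) as f:
            print("kernel.unprivileged_userns_clone =", f.read().strip())
    ok, err = userns_allowed()
    print("unshare(CLONE_NEWUSER):", "ok" if ok else errno.errorcode.get(err, err))
    with open("/proc/self/cgroup") as f:
        entries = parse_proc_cgroup(f.read())
    for name, d in cgroup_dirs(entries).items():  # writable here means delegated to this user
        print(f"{name:14s} {d}: {'writable' if os.access(d, os.W_OK) else 'NOT writable'}")

if __name__ == "__main__":
    report()
```

A hierarchy reported as NOT writable is one where lxc-start will hit the same "Permission denied" shown above, because an unprivileged user can only create child cgroups inside a cgroup that has been delegated (chowned) to it.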
