[lxc-devel] Error "unshare: Operation not permitted" when trying to create user container
Brian Campbell
lambda at continuation.org
Thu Feb 20 23:32:42 UTC 2014
On Feb 20, 2014, at 11:23 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Brian Campbell (lambda at continuation.org):
>> On Feb 20, 2014, at 9:21 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>>
>>> Quoting Brian Campbell (lambda at continuation.org):
>>>> On Feb 18, 2014, at 10:25 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>>>>> It looks like you're in the root cgroup and starting as non-root.
>>>>> Without being root you indeed do not have the rights to create new
>>>>> cgroups there. You'll need to either use lxc as root, or do something
>>>>> like
>>>>>
>>>>> for d in /sys/fs/cgroup/*; do
>>>>>     sudo mkdir $d/lambda
>>>>>     sudo chown -R lambda: $d/lambda
>>>>>     echo $$ > $d/lambda/tasks
>>>>> done
>>>>
>>>>
>>>> Apologies for the slow followup, been a busy few days.
>>>>
>>>> Doing that gives me an error on the cpuset cgroup (added an echo to see which one it was):
>>>>
>>>> /sys/fs/cgroup/blkio/lambda
>>>> /sys/fs/cgroup/cpu/lambda
>>>> /sys/fs/cgroup/cpuacct/lambda
>>>> /sys/fs/cgroup/cpu,cpuacct/lambda
>>>> /sys/fs/cgroup/cpuset/lambda
>>>> -bash: echo: write error: No space left on device
>>>> /sys/fs/cgroup/devices/lambda
>>>> /sys/fs/cgroup/freezer/lambda
>>>> /sys/fs/cgroup/net_cls/lambda
>>>> /sys/fs/cgroup/perf_event/lambda
>>>> /sys/fs/cgroup/systemd/lambda
>>>>
>>>> I decided to see if it would work anyhow, but it still fails. Any clue why cpuset would be failing?
>>>
>>> You need to either echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children,
>>> or else manually cp cpuset.cpus and cpuset.mems from the parent to the
>>> child cgroup. Otherwise you cannot place a task into the cgroup.
>>
>> Yep, as I mentioned in my followup I figured that out (the manual part, I hadn't noticed clone_children), and got a bit further, but it's still failing:
>>
>> lxc-start 1392878417.586 INFO lxc_start_ui - using rcfile /home/lambda/.local/share/lxc/precise-test/config
>> lxc-start 1392878417.586 INFO lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65536
>> lxc-start 1392878417.586 INFO lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65536
>> lxc-start 1392878417.586 WARN lxc_log - lxc_log_init called with log already initialized
>> lxc-start 1392878417.586 INFO lxc_lsm - LSM security driver nop
>> lxc-start 1392878417.586 DEBUG lxc_conf - allocated pty '/dev/pts/3' (5/6)
>> lxc-start 1392878417.586 DEBUG lxc_conf - allocated pty '/dev/pts/4' (7/8)
>> lxc-start 1392878417.586 DEBUG lxc_conf - allocated pty '/dev/pts/5' (9/10)
>> lxc-start 1392878417.586 DEBUG lxc_conf - allocated pty '/dev/pts/6' (11/12)
>> lxc-start 1392878417.586 INFO lxc_conf - tty's configured
>> lxc-start 1392878417.587 DEBUG lxc_start - sigchild handler set
>> lxc-start 1392878417.587 DEBUG lxc_console - opening /dev/tty for console peer
>> lxc-start 1392878417.587 INFO lxc_caps - Last supported cap was 34
>> lxc-start 1392878417.587 DEBUG lxc_console - using '/dev/tty' as console
>> lxc-start 1392878417.587 DEBUG lxc_console - 21308 got SIGWINCH fd 17
>> lxc-start 1392878417.587 DEBUG lxc_console - set winsz dstfd:14 cols:161 rows:55
>> lxc-start 1392878417.847 INFO lxc_start - 'precise-test' is initialized
>> lxc-start 1392878417.875 DEBUG lxc_start - Not dropping cap_sys_boot or watching utmp
>> lxc-start 1392878417.875 INFO lxc_start - Cloning a new user namespace
>> lxc-start 1392878417.875 INFO lxc_cgroup - cgroup driver cgroupfs initing for precise-test
>> lxc-start 1392878417.876 ERROR lxc_cgfs - Operation not permitted - Could not add pid 21330 to cgroup /lambda/precise-test: internal error
>> lxc-start 1392878417.909 ERROR lxc_start - failed to spawn 'precise-test'
>>
>> After changing that error to provide a little more information, I found that the full path is:
>>
>> lxc-start: Operation not permitted - Could not add pid 23235 to cgroup /sys/fs/cgroup/devices/lambda/precise-test/tasks
>
> Urgh, I'm not sure, but this stuff gets tedious so doing it by hand it's
> easy to overlook something (especially after one step has partially
> failed).
>
> I just tested on a clean system without cgmanager. I installed
> cgroup-lite and did the following on command line:
>
> for d in /sys/fs/cgroup/*; do
>     f=$(basename $d)
>     echo "looking at $f"
>     if [ "$f" = "cpuset" ]; then
>         echo 1 | sudo tee -a $d/cgroup.clone_children;
>     elif [ "$f" = "memory" ]; then
>         echo 1 | sudo tee -a $d/memory.use_hierarchy;
>     fi
>     sudo mkdir -p $d/$USER
>     sudo chown -R $USER $d/$USER
>     echo $$ > $d/$USER/tasks
> done
>
> After this I was able to do an unprivileged lxc-start. Can you
> try rebooting then cut-pasting and running the above?
Sure. If I'm going to reboot anyhow, would it be easier to just set this up using systemd-logind? Do I just add all of the cgroup controllers to the "Controllers=" setting in logind.conf?
-- Brian
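A more defensive version of the delegation procedure quoted above, as an added example that is not code from the thread: it sets the cpuset and memory knobs, creates and chowns a per-user cgroup under every mounted controller, copies cpuset.cpus/cpuset.mems from the parent when the child is still empty (the cause of the "No space left on device" write error), attaches the calling shell, and reports which controllers still leave the shell in the root cgroup. CGROOT and SUDO are assumed variables so the functions can be exercised against a constructed fake tree without root.

```shell
#!/bin/bash
# Added example, not code from the thread. Delegates one per-user cgroup under
# every mounted cgroup v1 controller so an unprivileged lxc-start can create its
# container cgroups inside it. Assumed knobs: CGROOT (mount root) and SUDO.
set -u
CGROOT=${CGROOT-/sys/fs/cgroup}
SUDO=${SUDO-sudo}   # set SUDO="" to run against a fake tree without root

# An empty cpuset refuses tasks ("No space left on device"), so copy the
# parent's cpus and mems into the child when the child did not inherit them.
seed_cpuset() {
    local parent=$1 child=$2 f
    for f in cpuset.cpus cpuset.mems; do
        [ -s "$child/$f" ] || $SUDO sh -c "cat '$parent/$f' > '$child/$f'"
    done
}

# Create <controller>/<user>, hand it to the user and move this shell into it.
# Returns nonzero if the shell could not be attached under some controller.
delegate_cgroups() {
    local user=$1 d f child rc=0
    for d in "$CGROOT"/*; do
        [ -d "$d" ] || continue
        f=$(basename "$d")
        child=$d/$user
        case $f in
            cpuset) echo 1 | $SUDO tee "$d/cgroup.clone_children" >/dev/null ;;
            memory) echo 1 | $SUDO tee "$d/memory.use_hierarchy" >/dev/null ;;
        esac
        $SUDO mkdir -p "$child"
        $SUDO chown -R "$user" "$child"
        [ "$f" = cpuset ] && seed_cpuset "$d" "$child"
        if ! echo $$ > "$child/tasks" 2>/dev/null; then
            echo "could not attach pid $$ to $child/tasks" >&2
            rc=1
        fi
    done
    return $rc
}

# Controllers under which this shell still sits in the root cgroup "/".
undelegated() {
    awk -F: '$2 != "" && $3 == "/" { print $2 }' /proc/self/cgroup
}

if [ "${1-}" = "--run" ]; then
    delegate_cgroups "$(id -un)"
    echo "still in the root cgroup for: $(undelegated | tr '\n' ' ')"
fi
```

Run it as `./delegate.sh --run` before an unprivileged lxc-start; any controller it lists is one where the Operation not permitted error would still occur.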