[lxc-devel] [bisect] user lxc work with kernel 3.14.18 but fail with 3.14.19

vivo75 at gmail.com vivo75 at gmail.com
Tue Sep 23 12:15:08 UTC 2014


The last long-term 3.14.9 has a change that makes user lxc fail to start. It
seems the permission problem has already been encountered and fixed
before, in lxc userspace, not in the kernel.

=======================

lxc-start --version
1.0.5

=======================

git bisect good | tee -a ${HOME}/bisect.log


9810174c0384f725a31be1dfc64a881695ad465d is the first bad commit
commit 9810174c0384f725a31be1dfc64a881695ad465d
Author: Eric W. Biederman <ebiederm at xmission.com>
Date:   Mon Jul 28 17:10:56 2014 -0700

    mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount

    commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.

    There are no races as locked mount flags are guaranteed to never change.

    Moving the test into do_remount makes it more visible, and ensures all
    filesystem remounts pass the MNT_LOCK_READONLY permission check.  This
    second case is not an issue today as filesystem remounts are guarded
    by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
    mount namespaces, but it could become an issue in the future.

    Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>

:040000 040000 fdeae1bccd4d8935fe5ff820bb2a08ae9a19c15e b2a326f9db8e6e34be00b7ad53f0dc8b203b9e93 M      fs

=======================

Log of the failed start follows:

I lxc_start_ui - using rcfile /srv/lxc/lxc_user/.local/share/lxc/apache2/config
I lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65536
I lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65536
W lxc_log - lxc_log_init called with log already initialized
D lxc_conf - allocated pty '/dev/pts/10' (5/6)
I lxc_conf - tty's configured
D lxc_start - sigchild handler set
D lxc_console - opening /dev/tty for console peer
I lxc_caps - Last supported cap was 34
D lxc_console - using '/dev/tty' as console
D lxc_console - 5072 got SIGWINCH fd 11
D lxc_console - set winsz dstfd:8 cols:80 rows:24
I lxc_start - 'apache2' is initialized
D lxc_start - Not dropping cap_sys_boot or watching utmp
I lxc_start - Cloning a new user namespace
I lxc_cgroup - cgroup driver cgroupfs initing for apache2
N lxc_start - switching to gid/uid 0 in new user namespace
D lxc_conf - mounted '/srv/lxc/lxc_user/.local/share/lxc/apache2/rootfs' on '/usr/lib/lxc/rootfs'
I lxc_conf - 'apache2' hostname has been setup
D lxc_conf - 'eth0' has been setup
I lxc_conf - network has been setup
I lxc_conf - Mounting /dev under /usr/lib/lxc/rootfs
D lxc_conf - entering mount_check_fs for /dev
D lxc_conf - mount_check_fs returning 1 last devtmpfs
D lxc_conf - Bind mounting /dev/.lxc/apache2.f4369c12c7bf962c to /usr/lib/lxc/rootfs/dev
I lxc_conf - Mounted /dev under /usr/lib/lxc/rootfs
D lxc_conf - remounting /dev/console on /usr/lib/lxc/rootfs/dev/console to respect bind or remount options
E lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/lxc/rootfs/dev/console'
E lxc_conf - failed to setup the mount entries for 'apache2'
E lxc_start - failed to setup the container
E lxc_sync - invalid sequence number 1. expected 2
E lxc_start - failed to spawn 'apache2'
E lxc_start_ui - The container failed to start.
E lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.
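
The check named in the bisected commit refuses a remount that would clear the read-only flag on a mount where that flag is locked. As an added example (not from the original post, from lxc or from the kernel), the C below shows one userspace way to avoid making such a request: read the target's current flags with statvfs() and OR the restrictive ones back into the remount flags; it goes beyond read-only to nosuid, nodev and noexec, which the kernel locks in the same way. The names `remount_flags` and `would_drop_restriction` and the sample request are hypothetical, and the post does not establish that this is what the /dev/console remount in the log needs.

```c
#include <stdio.h>
#include <sys/mount.h>
#include <sys/statvfs.h>

/* glibc hides these two unless _GNU_SOURCE is set; Linux ABI values. */
#ifndef ST_NODEV
#define ST_NODEV 4
#endif
#ifndef ST_NOEXEC
#define ST_NOEXEC 8
#endif

/* statvfs() f_flag bit -> mount(2) flag, for restrictions a remount must keep. */
static const struct { unsigned long st, ms; } keep[] = {
    { ST_RDONLY, MS_RDONLY }, { ST_NOSUID, MS_NOSUID },
    { ST_NODEV,  MS_NODEV  }, { ST_NOEXEC, MS_NOEXEC },
};

/* Hypothetical helper: take the flags a caller wants to pass with MS_REMOUNT
 * and the f_flag reported for the target, and return the flags with every
 * restriction that is already in force added back in. */
unsigned long remount_flags(unsigned long wanted, unsigned long f_flag)
{
    if (!(wanted & MS_REMOUNT))
        return wanted;          /* not a remount: nothing to preserve */
    for (size_t i = 0; i < sizeof keep / sizeof keep[0]; i++)
        if (f_flag & keep[i].st)
            wanted |= keep[i].ms;
    return wanted;
}

/* 1 if the request as written would clear a restriction that is currently set. */
int would_drop_restriction(unsigned long wanted, unsigned long f_flag)
{
    return (wanted & MS_REMOUNT) && remount_flags(wanted, f_flag) != wanted;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/";
    unsigned long wanted = MS_REMOUNT | MS_BIND;    /* constructed request */
    struct statvfs sb;

    if (statvfs(target, &sb) != 0) {
        perror("statvfs");
        return 1;
    }
    printf("%s: requested %#lx, pass %#lx%s\n", target, wanted,
           remount_flags(wanted, sb.f_flag),
           would_drop_restriction(wanted, sb.f_flag) ? " (restriction re-added)" : "");
    return 0;
}
```

The program only computes and prints flags for a path; it never calls mount(2), so it runs without privileges.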


