[Lxc-users] setrlimit(3) and containers

Mikhail Gusarov dottedmag at dottedmag.net
Fri Apr 2 19:40:19 UTC 2010 

Twas brillig at 09:47:33 01.04.2010 UTC-05 when serue at us.ibm.com did gyre and gimble:

 >> Here process drops root privileges, setuids to uid=103 and limits itself
 >> to 3 processes with this uid. Clone fails due to fact there are two
 >> processes with uid=103 running in another container.
 >> 
 >> Is it a known limitation, or maybe this is already handled in newer
 >> kernels? (I use 2.6.32)

 SEH> Hmm, you'll need to unshare the user namespace.  Try adding
 SEH> CLONE_NEWUSER to the list assigned to clone_flags at
 SEH> lxc/src/lxc/start.c line 353.

I tried, and was hit by the following problem:

[dottedmag at vertex:~]255% sudo lxc-start -n cf                                          
lxc-start: Device or resource busy - could not unmount old rootfs
lxc-start: failed to pivot_root to '/var/lib/lxc/cf/rootfs'
lxc-start: failed to set rootfs for 'cf'
lxc-start: failed to setup the container

See below for debugging output, config file and /proc/mounts.

* debugging output *

[dottedmag at vertex:~]255% sudo lxc-start --logfile=/dev/stderr --logpriority=TRACE -n cf
      lxc-start 1270237130.601 INFO     lxc_conf - tty's configured
      lxc-start 1270237130.601 DEBUG    lxc_start - sigchild handler set
      lxc-start 1270237130.601 INFO     lxc_start - 'cf' is initialized
      lxc-start 1270237130.608 DEBUG    lxc_conf - instanciated veth 'vethgrPrSt/vethQ8TUw5', index is '61'
      lxc-start 1270237130.615 DEBUG    lxc_cgroup - using cgroup mounted at '/var/local/cgroup'
      lxc-start 1270237130.615 DEBUG    lxc_cgroup - '/var/local/cgroup/21745' renamed to '/var/local/cgroup/cf'
      lxc-start 1270237130.639 DEBUG    lxc_conf - move 'br0' to '21745'
      lxc-start 1270237130.639 INFO     lxc_conf - 'cf' hostname has been setup
      lxc-start 1270237130.643 DEBUG    lxc_conf - 'eth0' has been setup
      lxc-start 1270237130.643 INFO     lxc_conf - network has been setup
      lxc-start 1270237130.643 INFO     lxc_conf - mount points have been setup
      lxc-start 1270237130.643 INFO     lxc_conf - console '/dev/pts/0' mounted to '/var/lib/lxc/cf/rootfs/dev/console'
      lxc-start 1270237130.643 INFO     lxc_conf - 4 tty(s) has been setup
      lxc-start 1270237130.644 DEBUG    lxc_conf - temporary mountpoint for old rootfs is './lxc-oldrootfs-cCEeJU'
      lxc-start 1270237130.644 DEBUG    lxc_conf - pivot_root syscall to '/lxc-oldrootfs-cCEeJU' successful
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/dev/pts'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/dev/shm'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/sys/fs/fuse/connections'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/sys/kernel/debug'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/sys/kernel/security'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/proc/sys/fs/binfmt_misc'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var/run'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var/lock'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/lib/init/rw'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/boot'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/scratchbox/users/dottedmag/scratchbox'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/scratchbox/users/dottedmag/tmp'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/scratchbox/users/dottedmag/proc'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/scratchbox/users/dottedmag/dev/pts'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/scratchbox/users/dottedmag/dev/shm'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/scratchbox/users/dottedmag/sys'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/dottedmag/samba'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/dottedmag/.gvfs'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var/local/cgroup'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var/lib/lxc/cf/rootfs/dev/console'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var/lib/lxc/cf/rootfs/dev/tty1'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var/lib/lxc/cf/rootfs/dev/tty2'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var/lib/lxc/cf/rootfs/dev/tty3'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var/lib/lxc/cf/rootfs/dev/tty4'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/dev'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/sys'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/proc'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home/scratchbox/users/dottedmag/dev'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/var'
      lxc-start 1270237130.645 DEBUG    lxc_conf - umounted '/lxc-oldrootfs-cCEeJU/home'
      lxc-start 1270237130.645 ERROR    lxc_conf - Device or resource busy - could not unmount old rootfs
lxc-start: Device or resource busy - could not unmount old rootfs
      lxc-start 1270237130.646 ERROR    lxc_conf - failed to pivot_root to '/var/lib/lxc/cf/rootfs'
lxc-start: failed to pivot_root to '/var/lib/lxc/cf/rootfs'
      lxc-start 1270237130.646 ERROR    lxc_conf - failed to set rootfs for 'cf'
lxc-start: failed to set rootfs for 'cf'
      lxc-start 1270237130.646 ERROR    lxc_start - failed to setup the container
lxc-start: failed to setup the container
      lxc-start 1270237130.646 NOTICE   lxc_start - '/sbin/init' started with pid '21745'
      lxc-start 1270237130.646 DEBUG    lxc_utils - closing fd '1'
      lxc-start 1270237130.646 DEBUG    lxc_utils - closing fd '0'
      lxc-start 1270237130.646 DEBUG    lxc_utils - closed all inherited file descriptors
      lxc-start 1270237130.655 DEBUG    lxc_start - child exited
      lxc-start 1270237130.655 INFO     lxc_error - child <21745> ended on error (255)
      lxc-start 1270237130.656 DEBUG    lxc_cgroup - using cgroup mounted at '/var/local/cgroup'
      lxc-start 1270237130.671 DEBUG    lxc_cgroup - '/var/local/cgroup/cf' unlinked

* Config file *

lxc.utsname=cf

lxc.network.type=veth
lxc.network.flags=up
lxc.network.link=br0

lxc.pts=256
lxc.tty=4

lxc.rootfs=/var/lib/lxc/cf/rootfs

* /proc/mounts *

rootfs / rootfs rw 0 0
none /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
none /proc proc rw,nosuid,nodev,noexec,relatime 0 0
none /dev devtmpfs rw,relatime,size=2000752k,nr_inodes=206669,mode=755 0 0
none /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
/dev/mapper/vertex-root / ext4 rw,noatime,errors=remount-ro,barrier=1,data=ordered 0 0
none /sys/fs/fuse/connections fusectl rw,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/kernel/security securityfs rw,relatime 0 0
none /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
none /var/run tmpfs rw,nosuid,relatime,mode=755 0 0
none /var/lock tmpfs rw,nosuid,nodev,noexec,relatime 0 0
none /lib/init/rw tmpfs rw,nosuid,relatime,mode=755 0 0
/dev/sda1 /boot ext4 rw,noatime,barrier=1,data=ordered 0 0
/dev/mapper/vertex-home /home ext4 rw,noatime,barrier=1,data=ordered 0 0
/dev/mapper/vertex-var /var ext4 rw,noatime,barrier=1,data=ordered 0 0
none /var/run tmpfs rw,nosuid,relatime,mode=755 0 0
none /var/lock tmpfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup /var/local/cgroup cgroup rw,relatime,net_cls,freezer,devices,memory,cpuacct,cpu,ns,cpuset 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
/dev/mapper/vertex-home /home/scratchbox/users/dottedmag/scratchbox ext4 rw,noatime,barrier=1,data=ordered 0 0
/dev/mapper/vertex-root /home/scratchbox/users/dottedmag/tmp ext4 rw,noatime,errors=remount-ro,barrier=1,data=ordered 0 0
none /home/scratchbox/users/dottedmag/proc proc rw,nosuid,nodev,noexec,relatime 0 0
none /home/scratchbox/users/dottedmag/dev devtmpfs rw,relatime,size=2000752k,nr_inodes=206669,mode=755 0 0
none /home/scratchbox/users/dottedmag/dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
none /home/scratchbox/users/dottedmag/dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
none /home/scratchbox/users/dottedmag/sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
fusesmb /home/dottedmag/samba fuse.fusesmb rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,max_read=32768 0 0
gvfs-fuse-daemon /home/dottedmag/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0


-- 
  http://fossarchy.blogspot.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20100403/82ea47e2/attachment.pgp>

More information about the lxc-users mailing list