[Lxc-users] lxc setup on a grsec enabled kernel

Daniel Lezcano daniel.lezcano at free.fr
Mon Jan 10 09:36:46 UTC 2011


On 01/09/2011 01:25 PM, Patrick Winnertz wrote:
> Hello,
>
> I've tried hard over the last few days to set up working lxc containers on a grsec-
> enabled kernel. However, I failed every time with several error messages and/or
> kernel oopses.
>
> After booting in the grsec kernel I've verified with gradm that RBAC is
> disabled to start the containers first:
>
> gradm -D
> lxc-start -n example
>
> However, I then first get an error that /dev/pts can't be mounted, and afterwards
> a kernel oops, which you can find attached to this mail; it seems to be some
> trouble with veth networking. I've straced the process and this is the output
> (strace-lxc1):

Hi Patrick,

thanks for the detailed information. Is it possible for you to add the 
addr2line output and code context of gr_acl_handle_hidden_file?
> instance of '/dev/pts'
> 336:lxc-start: failed to setup the new pts instance
> 337:lxc-start: failed to setup the container

Is the kernel compiled with CONFIG_DEVPTS_MULTIPLE_INSTANCES?


> 344:write(2, "failed to spawn 'web'", 21failed to spawn 'web')   = 21
> 358:write(2, "Device or resource busy - failed"..., 63Device or resource busy
> - failed to remove cgroup '/cgroup/web') = 63
>
> After a reboot I tried again, but this time I switched into the learning mode
> of grsec. Now the kernel oops is gone; however, I'm now getting this error msg
> (output from strace (strace-lxc2)):

Hmm, weird. I don't know grsec, but is it possible the security prevents 
the creation of such pair devices?
As the pair device creation happens before the pivot_root, if that fails 
we exit before the pivot_root code, which can explain why you don't have 
the kernel oops.

Can you try to create a pair device without using the containers?

  ip link add veth1234 type veth peer name veth4321

> failed to create vethde3FDA-veth"..., 64failed to create vethde3FDA-vethelGBjP
> : Operation not permitted) = 64
> 295:write(2, "failed to create netdev", 23failed to create netdev) = 23
> 299:write(2, "failed to create the network", 28failed to create the network) =
> 28
> 305:write(2, "failed to spawn 'web'", 21failed to spawn 'web')   = 21
> 319:write(2, "No such file or directory - fail"..., 65No such file or directory
> - failed to remove cgroup '/cgroup/web') = 65
>
> It would be nice if someone could give me hints or advice on what is going wrong
> here and how to fix it. The full strace output of both lxc-start runs is also
> attached to the mail.
>
> Greetings
> Patrick
>
>
> _______________________________________________
> Lxc-users mailing list
> Lxc-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users
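
The two checks Daniel asks for above (is CONFIG_DEVPTS_MULTIPLE_INSTANCES set in the running kernel, and can a veth pair be created outside of any container) as a small POSIX shell script. This is an added example, not code from the thread or from the lxc project; the function names, the default interface names veth1234/veth4321 (taken from Daniel's ip command) and the config-file locations it probes are assumptions.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread or lxc itself): reproduce the
# two diagnostics Daniel suggests as reusable shell functions.

# Return 0 if the kernel config file $1 sets CONFIG_DEVPTS_MULTIPLE_INSTANCES=y,
# non-zero if it is unset, "is not set", or the file is missing.
# Without this option lxc-start cannot mount a private /dev/pts instance.
devpts_multi_instance_enabled() {
    grep -qs '^CONFIG_DEVPTS_MULTIPLE_INSTANCES=y$' "$1"
}

# Print a path to a plain-text copy of the running kernel's config, or return 1.
# Locations probed are assumptions: /boot/config-<release>, then /proc/config.gz
# (decompressed into a temp file the caller should remove).
kernel_config_path() {
    rel=$(uname -r)
    if [ -r "/boot/config-$rel" ]; then
        printf '%s\n' "/boot/config-$rel"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp) || return 1
        zcat /proc/config.gz > "$tmp" && printf '%s\n' "$tmp"
    else
        return 1
    fi
}

# Try to create, then delete, a veth pair outside any container.
# Needs CAP_NET_ADMIN, exactly like lxc-start when it sets up the veth.
# On failure prints ip(8)'s error text (e.g. "Operation not permitted", the
# EPERM Patrick sees in his second strace) and returns 1.
veth_pair_works() {
    a=${1:-veth1234}
    b=${2:-veth4321}
    if err=$(ip link add "$a" type veth peer name "$b" 2>&1); then
        # Deleting one end of the pair removes both interfaces.
        ip link del "$a" 2>/dev/null
        return 0
    fi
    printf '%s\n' "$err"
    return 1
}

# Run both checks and report; exit status 0 only if both pass.
run_checks() {
    status=0
    if cfg=$(kernel_config_path); then
        if devpts_multi_instance_enabled "$cfg"; then
            echo "devpts: CONFIG_DEVPTS_MULTIPLE_INSTANCES=y (ok)"
        else
            echo "devpts: CONFIG_DEVPTS_MULTIPLE_INSTANCES not set; lxc cannot mount a private /dev/pts"
            status=1
        fi
        case "$cfg" in /tmp/*) rm -f "$cfg" ;; esac
    else
        echo "devpts: no readable kernel config found, check manually"
        status=1
    fi
    if msg=$(veth_pair_works); then
        echo "veth: pair creation outside a container works (ok)"
    else
        echo "veth: pair creation failed: $msg"
        echo "      if this is EPERM as root, a kernel security policy (e.g. grsec RBAC) is blocking it"
        status=1
    fi
    return $status
}

# Only run automatically when executed under this file name; sourcing the file
# just defines the functions.
case "${0##*/}" in lxc_grsec_check.sh) run_checks ;; esac
```

Save it as lxc_grsec_check.sh and run it as root on the grsec kernel with RBAC disabled (gradm -D) and again in learning mode; if veth creation succeeds in the first run and fails with "Operation not permitted" in the second, the network failure is the RBAC policy rather than the kernel or lxc, and the pts error is a separate kernel-config question.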
