[Lxc-users] lxc setup on a grsec enabled kernel

Robert Kawecki thewanderer at gim11.pl
Tue Jan 11 20:11:44 UTC 2011 

On Sun, 9 Jan 2011 13:25:53 +0100, Patrick Winnertz <winnie at der-winnie.de>
wrote:
> Hello,
> 
> I've tried the last days hard to set up working lxc containers on a
grsec 
> enabled kernel. However I failed everytime with several error msgs
and/or 
> kernel oopses. 
> 
> After booting in the grsec kernel I've verified with gradm that RBAC is 
> disabled to start the containers first:
> 
> gradm -D
> lxc-start -n example
> 
> however I get then first an error that /dev/pts can't be mounted and
> afterwards 
> a kernel oops,  which you can find attached to this mail - it seems to
be
> some 
> troubles with veth networking. I've straced the process and this is the
> output 
> (strace-lxc1):
> 
> 335:read(16, lxc-start: Operation not permitted - failed to mount a new 
> instance of '/dev/pts'
> 336:lxc-start: failed to setup the new pts instance
> 337:lxc-start: failed to setup the container
> 344:write(2, "failed to spawn 'web'", 21failed to spawn 'web')   = 21
> 358:write(2, "Device or resource busy - failed"..., 63Device or resource
> busy 
> - failed to remove cgroup '/cgroup/web') = 63
> 
> After a reboot I tried again, but this time I switched into the learning
> mode 
> of grsec.. now the kernel oops is gone, however I'm getting now this
error
> msg 
> (output from strace (strace-lxc2)):
> 
> failed to create vethde3FDA-veth"..., 64failed to create
> vethde3FDA-vethelGBjP 
> : Operation not permitted) = 64
> 295:write(2, "failed to create netdev", 23failed to create netdev) = 23
> 299:write(2, "failed to create the network", 28failed to create the
> network) = 
> 28
> 305:write(2, "failed to spawn 'web'", 21failed to spawn 'web')   = 21
> 319:write(2, "No such file or directory - fail"..., 65No such file or
> directory 
> - failed to remove cgroup '/cgroup/web') = 65
> 
> It would be nice if someone could give me hints or advices what is going
> wrong 
> here and how to fix it. Full strace output of both lxc-start runs is
also 
> attached to the mail
> 
> Greetings
> Patrick

I can tell you I ran into similar oopses, haven't tested with learning
mode though. What I did was disable CONFIG_PAX_KERNEXEC, which conflicts
with CONFIG_PARAVIRT_GUEST and/or CONFIG_KVM_GUEST anyway (I was running
the kernel under KVM; wish this conflict would be documented anywhere).
After that, I could successfully start LXC guests without crashes. It was
on 2.6.32.2-grsec if it matters.
Yes, it is a workaround, and it does not help security of the system, but
it's the best I can suggest.

More information about the lxc-users mailing list