[lxc-users] Possible race condition in kernel, capset() fails randomly
Vladimir Pouzanov
farcaller at gmail.com
Tue Jun 3 18:57:16 UTC 2014
This bug happens with docker, but I don't see any traction on my issue over
there so trying to escalate further. The original bug report is here:
https://github.com/dotcloud/docker/issues/4556, here are all the
interesting details.
I'm running an armv7 box (wandboard) with 3.14.4-1-ARCH kernel. I cannot
reliably use docker (with lxc driver, or with native driver) as it crashes
often (on the last docker/lxc/kernel combo I get 41 out of 100 failures
with native docker and 23 out of 100 with lxc).
The lxc version is 1.0.3, docker is 0.11.1.
>From docker side the error looks like:
finalize namespace drop capabilities operation not permitted
(generated by docker capabilities module,
https://github.com/dotcloud/docker/blob/master/pkg/libcontainer/security/capabilities/capabilities.go#L32
)
lxc-start just silently returns 1 and I didn't manage to get any reasonable
log output from it.
I managed to look a bit deeper into kernel side of things on what is
failing exactly, and the offending syscall seems to be:
https://github.com/torvalds/linux/blob/master/kernel/capability.c#L240
where pid is always 1 and task_pid_vnr(current) is 7, sometimes 6, rarely 1
(the good case).
Any ideas on what could be going wrong? What other info can I provide to
track this bug down?
--
Sincerely,
Vladimir "Farcaller" Pouzanov
http://farcaller.net/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140603/406b6865/attachment.html>
More information about the lxc-users
mailing list