[lxc-users] Unable to boot unprivileged container

Robert Pendell shinji at elite-systems.org
Mon May 5 18:45:20 UTC 2014


On Mon, May 5, 2014 at 2:14 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Robert Pendell (shinji at elite-systems.org):
>> On Mon, May 5, 2014 at 12:25 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> > Quoting Robert Pendell (shinji at elite-systems.org):
>> >> Here is the information as you requested.
>> >>
>> >> lxc-start -n <container> -l info -o outfile
>> >>       lxc-start 1399295274.692 INFO     lxc_start_ui - using rcfile
>> >> /home/shinji/.local/share/lxc/utest/config
>> >>       lxc-start 1399295274.692 INFO     lxc_utils - XDG_RUNTIME_DIR
>> >> isn't set in the environment.
>> >>       lxc-start 1399295274.692 INFO     lxc_confile - read uid map:
>> >> type u nsid 0 hostid 100000 range 65536
>> >>       lxc-start 1399295274.692 INFO     lxc_confile - read uid map:
>> >> type g nsid 0 hostid 100000 range 65536
>> >>       lxc-start 1399295274.692 WARN     lxc_log - lxc_log_init called
>> >> with log already initialized
>> >>       lxc-start 1399295274.692 INFO     lxc_lsm - LSM security driver nop
>> >>       lxc-start 1399295274.692 INFO     lxc_utils - XDG_RUNTIME_DIR
>> >> isn't set in the environment.
>> >>       lxc-start 1399295274.693 INFO     lxc_conf - tty's configured
>> >>       lxc-start 1399295275.060 INFO     lxc_start - 'utest' is initialized
>> >>       lxc-start 1399295275.072 INFO     lxc_start - Cloning a new user namespace
>> >>       lxc-start 1399295275.072 INFO     lxc_cgroup - cgroup driver
>> >> cgmanager initing for utest
>> >>       lxc-start 1399295275.073 ERROR    lxc_cgmanager - call to
>> >> cgmanager_create_sync failed: invalid request
>> >>       lxc-start 1399295275.073 ERROR    lxc_cgmanager - Failed to
>> >> create cpuset:utest
>> >
>> > Thanks - so the problem is here.   Chances are you are not in a cgroup
>> > that you own.  The easiest way to fix this is
>> >
>> > sudo cgm create all shinji
>> > sudo cgm chown all shinji $(id -u) $(id -g)
>> > cgm movepid all shinji $$
>> >
>> > Now the lxc-start should work (or at least go on to the next problem)
>> >
>>
>> Ok.  So I had determined that before (I didn't realize it until after
>> I sent the message), however I had found a different way of handling
>> it.  Yours is more elegant.  Now then to the 2nd issue.
>>
>> This doesn't persist between server reboots or login sessions.  Is
>> there supposed to be a script that runs that makes this persistent or
>> does one have to move themselves manually whenever they want to run
>> unprivileged containers?
>
> logind should be putting you into a cgroup that you own when you log
> in.  I think it's the libpam-systemd package which provides that.
>

Wow!  Thanks a lot.  You have been a great help.  I mentioned my
provider up front earlier because I thought there might be missing
packages and I was hoping I would get that eventually and you just
gave me the missing link.  Doing that made great progress.  Now after
doing so new sessions seem to update the cgroup that I'm sitting in,
however it isn't doing it fully.

When attempting to start I still get an error but it is later on (an
issue I had before once I figured out it was the cgroup scope at
issue).

shinji at icarus:/etc/systemd$ lxc-start -n utest
lxc_container: call to cgmanager_create_sync failed: invalid request
lxc_container: Failed to create debug:utest
lxc_container: Error creating cgroup debug:utest
lxc_container: failed creating cgroups
lxc_container: failed to spawn 'utest'

I'm not even sure where the "debug" cgroup is coming from, but I suspect it
is due to the way the host is compiling the kernel?

This is how my /proc/self/cgroup looks after server reboot and relogin.

shinji at icarus:/etc/systemd$ cat /proc/self/cgroup
12:net_prio:/
11:perf_event:/user/1000.user/1.session
10:blkio:/user/1000.user/1.session
9:net_cls:/
8:freezer:/user/1000.user/1.session
7:devices:/user/1000.user/1.session
6:cpuacct:/user/1000.user/1.session
5:cpu:/user/1000.user/1.session
4:debug:/
3:cpuset:/user/1000.user/1.session
2:name=systemd:/user/1000.user/1.session

I checked the Controllers setting in /etc/systemd/logind.conf and it
is lacking debug, net_cls, and net_prio listed above.  Would it be
sufficient to add those 3 to that conf file and relogin?


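The diagnosis in this thread comes down to reading /proc/self/cgroup: every controller whose path is "/" is a hierarchy in which the login session owns no cgroup, and cgmanager will refuse to create <controller>:<container> there, which is exactly the "debug:utest" failure above. The following shell snippet is an added example, not code from the thread or from LXC/cgmanager. It parses the cgroup v1 listing posted above (embedded as constructed sample input) and separates the controllers still at "/" from those already in the owned session cgroup; the live check at the bottom runs the same parse against the current shell and assumes the v1 layout the thread shows.

```shell
#!/bin/sh
# Added example (not part of the lxc-users thread): find which cgroup v1
# controllers leave this process in the root cgroup "/", i.e. hierarchies
# where an unprivileged user owns nothing and cgmanager_create_sync fails
# with "invalid request".

# Constructed sample input: the /proc/self/cgroup listing posted in the
# thread, reproduced verbatim.
SAMPLE_CGROUP='12:net_prio:/
11:perf_event:/user/1000.user/1.session
10:blkio:/user/1000.user/1.session
9:net_cls:/
8:freezer:/user/1000.user/1.session
7:devices:/user/1000.user/1.session
6:cpuacct:/user/1000.user/1.session
5:cpu:/user/1000.user/1.session
4:debug:/
3:cpuset:/user/1000.user/1.session
2:name=systemd:/user/1000.user/1.session'

# Print, space separated and in file order, the controllers whose cgroup
# path is "/". Each such controller is one lxc-start will fail to create
# a child cgroup in.
root_controllers() {
    printf '%s\n' "$1" |
        awk -F: '$3 == "/" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Print, space separated and sorted, the controllers whose path is not "/",
# i.e. the hierarchies logind already moved the session into.
owned_controllers() {
    printf '%s\n' "$1" |
        awk -F: '$3 != "/" { print $2 }' |
        LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Worked run on the sample: "net_prio net_cls debug" are exactly the three
# controllers the poster found missing from logind's Controllers= list.
echo "sample, controllers at /:     $(root_controllers "$SAMPLE_CGROUP")"
echo "sample, controllers in scope: $(owned_controllers "$SAMPLE_CGROUP")"

# Live check for the current shell (cgroup v1 layout assumed, as in the thread).
if [ -r /proc/self/cgroup ]; then
    echo "this shell, controllers at /: $(root_controllers "$(cat /proc/self/cgroup)")"
fi
```

Run it from the login session that is going to call lxc-start; an empty "controllers at /" line means every hierarchy has you in a cgroup logind created for your session, which is the state the cgm create/chown/movepid sequence quoted above establishes by hand.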