[lxc-users] Unable to boot unprivileged container

Serge Hallyn serge.hallyn at ubuntu.com
Mon May 5 18:49:37 UTC 2014 

Quoting Robert Pendell (shinji at elite-systems.org):
> On Mon, May 5, 2014 at 2:14 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting Robert Pendell (shinji at elite-systems.org):
> >> On Mon, May 5, 2014 at 12:25 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> > Quoting Robert Pendell (shinji at elite-systems.org):
> >> >> Here is the information as you requested.
> >> >>
> >> >> lxc-start -n <container> -l info -o outfile
> >> >>       lxc-start 1399295274.692 INFO     lxc_start_ui - using rcfile
> >> >> /home/shinji/.local/share/lxc/utest/config
> >> >>       lxc-start 1399295274.692 INFO     lxc_utils - XDG_RUNTIME_DIR
> >> >> isn't set in the environment.
> >> >>       lxc-start 1399295274.692 INFO     lxc_confile - read uid map:
> >> >> type u nsid 0 hostid 100000 range 65536
> >> >>       lxc-start 1399295274.692 INFO     lxc_confile - read uid map:
> >> >> type g nsid 0 hostid 100000 range 65536
> >> >>       lxc-start 1399295274.692 WARN     lxc_log - lxc_log_init called
> >> >> with log already initialized
> >> >>       lxc-start 1399295274.692 INFO     lxc_lsm - LSM security driver nop
> >> >>       lxc-start 1399295274.692 INFO     lxc_utils - XDG_RUNTIME_DIR
> >> >> isn't set in the environment.
> >> >>       lxc-start 1399295274.693 INFO     lxc_conf - tty's configured
> >> >>       lxc-start 1399295275.060 INFO     lxc_start - 'utest' is initialized
> >> >>       lxc-start 1399295275.072 INFO     lxc_start - Cloning a new user namespace
> >> >>       lxc-start 1399295275.072 INFO     lxc_cgroup - cgroup driver
> >> >> cgmanager initing for utest
> >> >>       lxc-start 1399295275.073 ERROR    lxc_cgmanager - call to
> >> >> cgmanager_create_sync failed: invalid request
> >> >>       lxc-start 1399295275.073 ERROR    lxc_cgmanager - Failed to
> >> >> create cpuset:utest
> >> >
> >> > Thanks - so the problem is here.   Chances are you are not in a cgroup
> >> > that you own.  The easiest way to fix this is
> >> >
> >> > sudo cgm create all shinji
> >> > sudo cgm chown all shinji $(id -u) $(id -g)
> >> > cgm movepid all shinji $$
> >> >
> >> > Now the lxc-start should work (or at least go on to the next problem)
> >> >
> >>
> >> Ok.  So I had determined that before (I didn't realize it until after
> >> I sent them message) however I had found a different way of handling
> >> it.  Yours is more elegant.  Now then to the 2nd issue.
> >>
> >> This doesn't persist between server reboots or login sessions.  Is
> >> there supposed to be a script that runs that makes this persistent or
> >> does one have to move themselves manually whenever they want to run
> >> unprivileged containers?
> >
> > logind should be putting you into a cgroup that you own when you log
> > in.  I think it's the libpam-systemd package which provides that.
> >
> 
> Wow!  Thanks alot.  You have been a great help.  I mentioned my
> provider up front earlier because I thought there might be missing
> packages and I was hoping I would get that eventually and you just
> gave me the missing link.  Doing that made great progress.  Now after
> doing so new sessions seem to update the cgroup that I'm sitting in
> however it isn't doing it fully.
> 
> When attempting to start I still get an error but it is later on (an
> issue I had before once I figured out it was the cgroup scope at
> issue).
> 
> shinji at icarus:/etc/systemd$ lxc-start -n utest
> lxc_container: call to cgmanager_create_sync failed: invalid request
> lxc_container: Failed to create debug:utest
> lxc_container: Error creating cgroup debug:utest
> lxc_container: failed creating cgroups
> lxc_container: failed to spawn 'utest'
> 
> I'm not even sure where "debug" cgroup is coming from but I suspect it
> is due to the way the host is compiling the kernel?
> 
> This is how my /proc/self/cgroup looks after server reboot and relogin.
> 
> shinji at icarus:/etc/systemd$ cat /proc/self/cgroup
> 12:net_prio:/
> 11:perf_event:/user/1000.user/1.session
> 10:blkio:/user/1000.user/1.session
> 9:net_cls:/
> 8:freezer:/user/1000.user/1.session
> 7:devices:/user/1000.user/1.session
> 6:cpuacct:/user/1000.user/1.session
> 5:cpu:/user/1000.user/1.session
> 4:debug:/
> 3:cpuset:/user/1000.user/1.session
> 2:name=systemd:/user/1000.user/1.session
> 
> I checked the Controllers setting in /etc/systemd/logind.conf and it
> is lacking debug, net_cls, and net_prio listed above.  Would it be
> sufficient to add those 3 to that conf file and relogin?

Yup, that should be the correct solution.

More information about the lxc-users mailing list