[lxc-users] Unable to boot unprivileged container

Robert Pendell shinji at elite-systems.org
Mon May 5 18:58:42 UTC 2014


On Mon, May 5, 2014 at 2:49 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Robert Pendell (shinji at elite-systems.org):
>> On Mon, May 5, 2014 at 2:14 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> > Quoting Robert Pendell (shinji at elite-systems.org):
>> >> On Mon, May 5, 2014 at 12:25 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> >> > Quoting Robert Pendell (shinji at elite-systems.org):
>> >> >> Here is the information as you requested.
>> >> >>
>> >> >> lxc-start -n <container> -l info -o outfile
>> >> >>       lxc-start 1399295274.692 INFO     lxc_start_ui - using rcfile
>> >> >> /home/shinji/.local/share/lxc/utest/config
>> >> >>       lxc-start 1399295274.692 INFO     lxc_utils - XDG_RUNTIME_DIR
>> >> >> isn't set in the environment.
>> >> >>       lxc-start 1399295274.692 INFO     lxc_confile - read uid map:
>> >> >> type u nsid 0 hostid 100000 range 65536
>> >> >>       lxc-start 1399295274.692 INFO     lxc_confile - read uid map:
>> >> >> type g nsid 0 hostid 100000 range 65536
>> >> >>       lxc-start 1399295274.692 WARN     lxc_log - lxc_log_init called
>> >> >> with log already initialized
>> >> >>       lxc-start 1399295274.692 INFO     lxc_lsm - LSM security driver nop
>> >> >>       lxc-start 1399295274.692 INFO     lxc_utils - XDG_RUNTIME_DIR
>> >> >> isn't set in the environment.
>> >> >>       lxc-start 1399295274.693 INFO     lxc_conf - tty's configured
>> >> >>       lxc-start 1399295275.060 INFO     lxc_start - 'utest' is initialized
>> >> >>       lxc-start 1399295275.072 INFO     lxc_start - Cloning a new user namespace
>> >> >>       lxc-start 1399295275.072 INFO     lxc_cgroup - cgroup driver
>> >> >> cgmanager initing for utest
>> >> >>       lxc-start 1399295275.073 ERROR    lxc_cgmanager - call to
>> >> >> cgmanager_create_sync failed: invalid request
>> >> >>       lxc-start 1399295275.073 ERROR    lxc_cgmanager - Failed to
>> >> >> create cpuset:utest
>> >> >
>> >> > Thanks - so the problem is here.   Chances are you are not in a cgroup
>> >> > that you own.  The easiest way to fix this is
>> >> >
>> >> > sudo cgm create all shinji
>> >> > sudo cgm chown all shinji $(id -u) $(id -g)
>> >> > cgm movepid all shinji $$
>> >> >
>> >> > Now the lxc-start should work (or at least go on to the next problem)
>> >> >
>> >>
>> >> Ok.  So I had determined that before (I didn't realize it until after
>> >> I sent the message); however, I had found a different way of handling
>> >> it.  Yours is more elegant.  Now then to the 2nd issue.
>> >>
>> >> This doesn't persist between server reboots or login sessions.  Is
>> >> there supposed to be a script that runs that makes this persistent or
>> >> does one have to move themselves manually whenever they want to run
>> >> unprivileged containers?
>> >
>> > logind should be putting you into a cgroup that you own when you log
>> > in.  I think it's the libpam-systemd package which provides that.
>> >
>>
>> Wow!  Thanks a lot.  You have been a great help.  I mentioned my
>> provider up front earlier because I thought there might be missing
>> packages, and I was hoping I would get that eventually, and you just
>> gave me the missing link.  Doing that made great progress.  Now, after
>> doing so, new sessions seem to update the cgroup that I'm sitting in;
>> however, it isn't doing it fully.
>>
>> When attempting to start I still get an error but it is later on (an
>> issue I had before once I figured out it was the cgroup scope at
>> issue).
>>
>> shinji at icarus:/etc/systemd$ lxc-start -n utest
>> lxc_container: call to cgmanager_create_sync failed: invalid request
>> lxc_container: Failed to create debug:utest
>> lxc_container: Error creating cgroup debug:utest
>> lxc_container: failed creating cgroups
>> lxc_container: failed to spawn 'utest'
>>
>> I'm not even sure where "debug" cgroup is coming from but I suspect it
>> is due to the way the host is compiling the kernel?
>>
>> This is how my /proc/self/cgroup looks after server reboot and relogin.
>>
>> shinji at icarus:/etc/systemd$ cat /proc/self/cgroup
>> 12:net_prio:/
>> 11:perf_event:/user/1000.user/1.session
>> 10:blkio:/user/1000.user/1.session
>> 9:net_cls:/
>> 8:freezer:/user/1000.user/1.session
>> 7:devices:/user/1000.user/1.session
>> 6:cpuacct:/user/1000.user/1.session
>> 5:cpu:/user/1000.user/1.session
>> 4:debug:/
>> 3:cpuset:/user/1000.user/1.session
>> 2:name=systemd:/user/1000.user/1.session
>>
>> I checked the Controllers setting in /etc/systemd/logind.conf and it
>> is lacking debug, net_cls, and net_prio listed above.  Would it be
>> sufficient to add those 3 to that conf file and relogin?
>
> Yup, that should be the correct solution.
>

Once again, thank you very much for your great assistance.  I'm going
to post this on the Linode forums for others to see as well so that
they are aware.

Basically, for Linode users it is the following (for unprivileged
containers):

1) Ensure you are either using PV-Grub with the latest distribution
kernel _or_ using the most recent host-provided kernel (they officially
support Docker, and LXC by inheritance)
2) Install the base LXC package
3) (at least on Ubuntu 14.04) install libpam-systemd
4) Update /etc/systemd/logind.conf and append "debug net_cls net_prio"
to the end of the Controllers setting.

Of course if they don't need or want unprivileged containers then it
is sufficient to just stop at step 2 since there is sufficient support
otherwise.

:)
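The check behind step 4, written out as an added example (not code from the thread or from the LXC project): it parses the `/proc/self/cgroup` format shown above (`id:controllers:path`), reports every controller whose hierarchy for the calling shell is still at the root `/`, and assembles the list to append to the `Controllers=` line of `/etc/systemd/logind.conf`. A controller still at `/` is one logind never moved the session into, and it is exactly the hierarchy in which cgmanager refuses to create a user-owned cgroup (`cgmanager_create_sync failed: invalid request`, `Failed to create debug:utest` above). The sample listing is constructed to match the one posted in the thread; named hierarchies such as `name=systemd` are skipped because they are not controllers. It uses only POSIX sh, awk, grep, sed and tr.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: find the cgroup controllers
# in which this process still sits at the root hierarchy ("/"). Unprivileged
# lxc-start needs a cgroup the user owns in every mounted hierarchy, so any
# controller listed here is a candidate for the logind.conf Controllers= line.

# Print, one per line, the controllers in the given /proc/self/cgroup text
# whose path is exactly "/".  Each input line is "id:controllers:path", and
# the controllers field may hold several names joined by commas.
root_controllers() {
    printf '%s\n' "$1" | awk -F: '
        $3 == "/" {
            n = split($2, c, ",")
            for (i = 1; i <= n; i++) print c[i]
        }'
}

# Same, but as the space-separated word list logind.conf expects, with named
# hierarchies (name=systemd etc.) dropped since they are not controllers.
controllers_to_add() {
    root_controllers "$1" | grep -v '^name=' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample reproducing the listing posted in the thread: the
# session was placed into /user/1000.user/1.session for most controllers,
# but net_prio, net_cls and debug were left at "/".
SAMPLE_CGROUP='12:net_prio:/
11:perf_event:/user/1000.user/1.session
10:blkio:/user/1000.user/1.session
9:net_cls:/
8:freezer:/user/1000.user/1.session
7:devices:/user/1000.user/1.session
6:cpuacct:/user/1000.user/1.session
5:cpu:/user/1000.user/1.session
4:debug:/
3:cpuset:/user/1000.user/1.session
2:name=systemd:/user/1000.user/1.session'

echo "Sample from the thread, controllers to append: $(controllers_to_add "$SAMPLE_CGROUP")"

# Run the same check against the live shell when the file is readable.
if [ -r /proc/self/cgroup ]; then
    live=$(controllers_to_add "$(cat /proc/self/cgroup)")
    echo "This shell, controllers still at /: ${live:-none}"
fi
```

An empty live result means every controller already has this session inside an owned cgroup, so the "invalid request" failure should not come from cgroup placement; a non-empty one names the hierarchies to add to `Controllers=` before logging in again.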

