[lxc-users] Unable to Start Unprivileged Containers on Debian / Jessie

Chris berzerkatives at gmail.com
Sun Sep 21 16:22:55 UTC 2014


Hi,

For the last few days I've been attempting to run an unprivileged 
container on Jessie without much luck. I was hoping someone might be 
able to steer me in the right direction.

       socrates@plato:~$ . /etc/*release; echo $PRETTY_NAME
       Debian GNU/Linux jessie/sid
       socrates@plato:~$ uname -a
       Linux plato 3.14-2-amd64 #1 SMP Debian 3.14.15-2 (2014-08-09) x86_64 GNU/Linux
       socrates@plato:~$ dpkg-query -l lxc
       Desired=Unknown/Install/Remove/Purge/Hold
       | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
       |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
       ||/ Name                           Version              Architecture         Description
       +++-==============================-====================-====================-=================================================================
       ii  lxc                            1:1.0.5-3            amd64                Linux Containers userspace tools
       socrates@plato:~$ cat /sys/fs/cgroup/cpuset/cgroup.clone_children /proc/sys/kernel/unprivileged_userns_clone
       1
       1

So just running it straight off gives me the following.

       socrates@plato:~$ lxc-start -d -n socrates --logfile ~/x --logpriority=TRACE
       lxc-start: The container failed to start.
       lxc-start: To get more details, run the container in foreground mode.
       lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.

With this coming up in the log:

       lxc-start 1411313929.470 INFO     lxc_start_ui - using rcfile /home/socrates/.local/share/lxc/socrates/config
       lxc-start 1411313929.520 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313929.540 INFO     lxc_confile - read uid map: type u nsid 0 hostid 427680 range 65536
       lxc-start 1411313929.540 INFO     lxc_confile - read uid map: type g nsid 0 hostid 427680 range 65536
       lxc-start 1411313929.541 WARN     lxc_log - lxc_log_init called with log already initialized
       lxc-start 1411313929.567 INFO     lxc_lsm - LSM security driver nop
       lxc-start 1411313929.568 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313929.570 DEBUG    lxc_conf - allocated pty '/dev/pts/2' (5/6)
       lxc-start 1411313929.570 INFO     lxc_conf - tty's configured
       lxc-start 1411313929.570 DEBUG    lxc_start - sigchild handler set
       lxc-start 1411313929.571 DEBUG    lxc_console - opening /home/socrates/.console for console peer
       lxc-start 1411313929.571 DEBUG    lxc_console - using '/home/socrates/.console' as console
       lxc-start 1411313929.571 DEBUG    lxc_console - no console peer
       lxc-start 1411313929.575 INFO     lxc_monitor - using monitor sock name lxc/5a8aaa9d4fd81a5c//home/socrates/.local/share/lxc
       lxc-start 1411313929.860 INFO     lxc_start - 'socrates' is initialized
       lxc-start 1411313929.891 DEBUG    lxc_start - Not dropping cap_sys_boot or watching utmp
       lxc-start 1411313929.891 INFO     lxc_start - Cloning a new user namespace
       lxc-start 1411313929.891 INFO     lxc_cgroup - cgroup driver cgroupfs initing for socrates
       lxc-start 1411313929.892 ERROR    lxc_cgfs - Permission denied - Could not create cgroup '/socrates' in '/sys/fs/cgroup/perf_event'.
       lxc-start 1411313929.892 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
       lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
       lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
       lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
       lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
       lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
       lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
       lxc-start 1411313929.893 ERROR    lxc_start - failed creating cgroups
       lxc-start 1411313929.894 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313929.894 ERROR    lxc_start - failed to spawn 'socrates'
       lxc-start 1411313929.894 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313929.894 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313929.894 WARN     lxc_commands - command get_cgroup failed to receive response
       lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup cpuset unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup cpu unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup devices unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup freezer unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup net_cls unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup blkio unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313929.895 WARN     lxc_cgfs - Not attaching to cgroup perf_event unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313934.900 ERROR    lxc_start_ui - The
       lxc-start 1411313934.900 ERROR    lxc_start_ui - To get more details, run the container in
       lxc-start 1411313934.900 ERROR    lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.

Looking at mailing list posts/etc, I came across this script (from 
Serge, if I recall correctly) and have attempted to run it prior to 
starting the container; however, this seems to cause it to try to create 
a new cgroup (socrates-1) seeing that socrates is in use...

       socrates@plato:~$ cat prep.sh
       #!/bin/bash --
       for d in /sys/fs/cgroup/*; do
               f=$(basename $d)
               echo "looking at $f"
               if [ "$f" = "cpuset" ]; then
                       echo 1 | sudo tee -a $d/cgroup.clone_children;
               elif [ "$f" = "memory" ]; then
                       echo 1 | sudo tee -a $d/memory.use_hierarchy;
               fi
               sudo mkdir -p $d/$USER
               sudo chown -R $USER $d/$USER
               echo $$ > $d/$USER/tasks
       done
       socrates@plato:~$ ./prep.sh
       looking at blkio
       looking at cgmanager
       looking at cpu
       looking at cpuacct
       looking at cpu,cpuacct
       looking at cpuset
       1
       looking at devices
       looking at freezer
       looking at net_cls
       looking at perf_event
       looking at systemd
       socrates@plato:~$ lxc-start -d -n socrates --logfile ~/x --logpriority=TRACE
       lxc-start: The container failed to start.
       lxc-start: To get more details, run the container in foreground mode.
       lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.

The log output:

       lxc-start 1411313677.267 INFO     lxc_start_ui - using rcfile /home/socrates/.local/share/lxc/socrates/config
       lxc-start 1411313677.267 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313677.269 INFO     lxc_confile - read uid map: type u nsid 0 hostid 427680 range 65536
       lxc-start 1411313677.269 INFO     lxc_confile - read uid map: type g nsid 0 hostid 427680 range 65536
       lxc-start 1411313677.269 WARN     lxc_log - lxc_log_init called with log already initialized
       lxc-start 1411313677.276 INFO     lxc_lsm - LSM security driver nop
       lxc-start 1411313677.276 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313677.279 DEBUG    lxc_conf - allocated pty '/dev/pts/2' (5/6)
       lxc-start 1411313677.279 INFO     lxc_conf - tty's configured
       lxc-start 1411313677.279 DEBUG    lxc_start - sigchild handler set
       lxc-start 1411313677.279 DEBUG    lxc_console - opening /home/socrates/.console for console peer
       lxc-start 1411313677.279 DEBUG    lxc_console - using '/home/socrates/.console' as console
       lxc-start 1411313677.280 DEBUG    lxc_console - no console peer
       lxc-start 1411313677.285 INFO     lxc_monitor - using monitor sock name lxc/5a8aaa9d4fd81a5c//home/socrates/.local/share/lxc
       lxc-start 1411313677.564 INFO     lxc_start - 'socrates' is initialized
       lxc-start 1411313677.575 DEBUG    lxc_start - Not dropping cap_sys_boot or watching utmp
       lxc-start 1411313677.576 INFO     lxc_start - Cloning a new user namespace
       lxc-start 1411313677.576 INFO     lxc_cgroup - cgroup driver cgroupfs initing for socrates
       lxc-start 1411313677.576 ERROR    lxc_cgfs - Permission denied - Could not create cgroup '/socrates-1' in '/sys/fs/cgroup/perf_event'.
       lxc-start 1411313677.577 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event//socrates
       lxc-start 1411313677.577 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
       lxc-start 1411313677.577 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio//socrates
       lxc-start 1411313677.577 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
       lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls//socrates
       lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
       lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer//socrates
       lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
       lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices//socrates
       lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
       lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//socrates
       lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
       lxc-start 1411313677.579 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset//socrates
       lxc-start 1411313677.579 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
       lxc-start 1411313677.579 ERROR    lxc_start - failed creating cgroups
       lxc-start 1411313677.579 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313677.579 ERROR    lxc_start - failed to spawn 'socrates'
       lxc-start 1411313677.579 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313677.579 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
       lxc-start 1411313677.579 WARN     lxc_commands - command get_cgroup failed to receive response
       lxc-start 1411313677.579 WARN     lxc_cgfs - Not attaching to cgroup cpuset unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313677.579 WARN     lxc_cgfs - Not attaching to cgroup cpu unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup devices unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup freezer unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup net_cls unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup blkio unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup perf_event unknown to /home/socrates/.local/share/lxc socrates
       lxc-start 1411313682.585 ERROR    lxc_start_ui - The container failed to start.
       lxc-start 1411313682.585 ERROR    lxc_start_ui - To get more details, run the container in foreground mode.
       lxc-start 1411313682.585 ERROR    lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.

Any advice would be much appreciated. I've spent quite a while scouring 
the Internet for ideas, but now I am stuck.

Thanks,
Chris
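
A read-only check for the shell that is about to run lxc-start, as an added example that is not part of the original post: for each cgroup v1 hierarchy it reports whether the cgroup the shell currently sits in is owned by the user. It assumes lxc-start creates the container's cgroup beneath the caller's current cgroup, which is consistent with the '/socrates' and '/socrates-1' paths in the logs above; the function names and the ok/at-root/missing/not-owned labels are made up here, and the sample tree in demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# cgroup_report FILE ROOT UID prints "<hierarchy> <path> <status>" for every
# cgroup v1 line ("id:controllers:path") of a /proc/<pid>/cgroup style FILE.
cgroup_report() {
    local proc_file="$1" root="$2" uid="$3"
    local id ctrls path dir status
    while IFS=: read -r id ctrls path; do
        [ -n "$ctrls" ] || continue      # "0::/..." is the cgroup v2 entry
        ctrls=${ctrls#name=}             # name=systemd is mounted as "systemd"
        dir=$root/$ctrls$path
        if [ "$path" = "/" ]; then
            status=at-root               # still at the top of the hierarchy
        elif [ ! -d "$dir" ]; then
            status=missing
        elif [ "$(stat -c %u "$dir")" = "$uid" ]; then
            status=ok                    # a cgroup this user may create children in
        else
            status=not-owned
        fi
        printf '%s %s %s\n' "$ctrls" "$path" "$status"
    done < "$proc_file"
}

# cgroup_blocked FILE ROOT UID lists only the hierarchies that are not "ok".
cgroup_blocked() {
    cgroup_report "$@" | awk '$3 != "ok" { print $1 }'
}

# Constructed sample: cpuset was delegated to the user, perf_event was not.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/fs/cpuset/socrates" "$tmp/fs/perf_event"
    printf '%s\n' '2:cpuset:/socrates' '1:perf_event:/' > "$tmp/cgroup"
    cgroup_report "$tmp/cgroup" "$tmp/fs" "$(id -u)"
    rm -rf "$tmp"
}
demo
```

On a live host the equivalent call is `cgroup_report /proc/self/cgroup /sys/fs/cgroup "$(id -u)"`, run in the same shell that will start the container.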

