[lxc-users] Unable to Start Unprivileged Containers on Debian / Jessie
J Bc
javibc at esdebian.org
Sun Sep 21 16:33:35 UTC 2014
www.youtube.com/watch?v=SPk7EL1jja4
2014-09-21 18:22 GMT+02:00 Chris <berzerkatives at gmail.com>:
> Hi,
>
> For the last few days I've been attempting to run an unprivileged container
> on Jessie without much luck, I was hoping someone might be able to steer me
> in the right direction.
>
> socrates at plato:~$ . /etc/*release; echo $PRETTY_NAME
> Debian GNU/Linux jessie/sid
> socrates at plato:~$ uname -a
> Linux plato 3.14-2-amd64 #1 SMP Debian 3.14.15-2 (2014-08-09) x86_64
> GNU/Linux
> socrates at plato:~$ dpkg-query -l lxc
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name Version Architecture Description
> +++-==============================-====================-====================-=================================================================
> ii lxc 1:1.0.5-3 amd64 Linux Containers userspace tools
> socrates at plato:~$ cat /sys/fs/cgroup/cpuset/cgroup.clone_children /proc/sys/kernel/unprivileged_userns_clone
> 1
> 1
>
> So just running it straight off gives me the following.
>
> socrates at plato:~$ lxc-start -d -n socrates --logfile ~/x --logpriority=TRACE
> lxc-start: The container failed to start.
> lxc-start: To get more details, run the container in foreground mode.
> lxc-start: Additional information can be obtained by setting the
> --logfile and --log-priority options.
>
> With this coming up in the log:
>
> lxc-start 1411313929.470 INFO lxc_start_ui - using rcfile
> /home/socrates/.local/share/lxc/socrates/config
> lxc-start 1411313929.520 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313929.540 INFO lxc_confile - read uid map: type u
> nsid 0 hostid 427680 range 65536
> lxc-start 1411313929.540 INFO lxc_confile - read uid map: type g
> nsid 0 hostid 427680 range 65536
> lxc-start 1411313929.541 WARN lxc_log - lxc_log_init called with
> log already initialized
> lxc-start 1411313929.567 INFO lxc_lsm - LSM security driver nop
> lxc-start 1411313929.568 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313929.570 DEBUG lxc_conf - allocated pty
> '/dev/pts/2' (5/6)
> lxc-start 1411313929.570 INFO lxc_conf - tty's configured
> lxc-start 1411313929.570 DEBUG lxc_start - sigchild handler set
> lxc-start 1411313929.571 DEBUG lxc_console - opening
> /home/socrates/.console for console peer
> lxc-start 1411313929.571 DEBUG lxc_console - using
> '/home/socrates/.console' as console
> lxc-start 1411313929.571 DEBUG lxc_console - no console peer
> lxc-start 1411313929.575 INFO lxc_monitor - using monitor sock
> name lxc/5a8aaa9d4fd81a5c//home/socrates/.local/share/lxc
> lxc-start 1411313929.860 INFO lxc_start - 'socrates' is
> initialized
> lxc-start 1411313929.891 DEBUG lxc_start - Not dropping
> cap_sys_boot or watching utmp
> lxc-start 1411313929.891 INFO lxc_start - Cloning a new user
> namespace
> lxc-start 1411313929.891 INFO lxc_cgroup - cgroup driver cgroupfs
> initing for socrates
> lxc-start 1411313929.892 ERROR lxc_cgfs - Permission denied - Could
> not create cgroup '/socrates' in '/sys/fs/cgroup/perf_event'.
> lxc-start 1411313929.892 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
> lxc-start 1411313929.893 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
> lxc-start 1411313929.893 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
> lxc-start 1411313929.893 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
> lxc-start 1411313929.893 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
> lxc-start 1411313929.893 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
> lxc-start 1411313929.893 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
> lxc-start 1411313929.893 ERROR lxc_start - failed creating cgroups
> lxc-start 1411313929.894 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313929.894 ERROR lxc_start - failed to spawn
> 'socrates'
> lxc-start 1411313929.894 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313929.894 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313929.894 WARN lxc_commands - command get_cgroup
> failed to receive response
> lxc-start 1411313929.894 WARN lxc_cgfs - Not attaching to cgroup
> cpuset unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313929.894 WARN lxc_cgfs - Not attaching to cgroup
> cpu unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313929.894 WARN lxc_cgfs - Not attaching to cgroup
> devices unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313929.894 WARN lxc_cgfs - Not attaching to cgroup
> freezer unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313929.894 WARN lxc_cgfs - Not attaching to cgroup
> net_cls unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313929.894 WARN lxc_cgfs - Not attaching to cgroup
> blkio unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313929.895 WARN lxc_cgfs - Not attaching to cgroup
> perf_event unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313934.900 ERROR lxc_start_ui - The
> lxc-start 1411313934.900 ERROR lxc_start_ui - To get more details,
> run the container in
> lxc-start 1411313934.900 ERROR lxc_start_ui - Additional
> information can be obtained by setting the --logfile and --log-priority
> options.
>
> Looking at mailing list posts/etc, I came across this script (from Serge, if
> I recall correctly) and have attempted to run it prior to starting the
> container, however this seems to cause it to try to create a new cgroup
> (socrates-1) seeing that socrates is in use...
>
> socrates at plato:~$ cat prep.sh
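> #!/bin/bash --
> # For each mounted cgroup hierarchy, create a directory owned by $USER
> # and move the shell running this script ($$) into it.
> for d in /sys/fs/cgroup/*; do
>     f=$(basename "$d")
>     echo "looking at $f"
>     if [ "$f" = "cpuset" ]; then
>         # child cgroups inherit the parent's cpuset configuration
>         echo 1 | sudo tee -a "$d/cgroup.clone_children"
>     elif [ "$f" = "memory" ]; then
>         echo 1 | sudo tee -a "$d/memory.use_hierarchy"
>     fi
>     sudo mkdir -p "$d/$USER"
>     sudo chown -R "$USER" "$d/$USER"
>     echo $$ > "$d/$USER/tasks"
> done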
> socrates at plato:~$ ./prep.sh
> looking at blkio
> looking at cgmanager
> looking at cpu
> looking at cpuacct
> looking at cpu,cpuacct
> looking at cpuset
> 1
> looking at devices
> looking at freezer
> looking at net_cls
> looking at perf_event
> looking at systemd
> socrates at plato:~$ lxc-start -d -n socrates --logfile ~/x --logpriority=TRACE
> lxc-start: The container failed to start.
> lxc-start: To get more details, run the container in foreground mode.
> lxc-start: Additional information can be obtained by setting the
> --logfile and --log-priority options.
>
> The log output:
>
> lxc-start 1411313677.267 INFO lxc_start_ui - using rcfile
> /home/socrates/.local/share/lxc/socrates/config
> lxc-start 1411313677.267 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313677.269 INFO lxc_confile - read uid map: type u
> nsid 0 hostid 427680 range 65536
> lxc-start 1411313677.269 INFO lxc_confile - read uid map: type g
> nsid 0 hostid 427680 range 65536
> lxc-start 1411313677.269 WARN lxc_log - lxc_log_init called with
> log already initialized
> lxc-start 1411313677.276 INFO lxc_lsm - LSM security driver nop
> lxc-start 1411313677.276 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313677.279 DEBUG lxc_conf - allocated pty
> '/dev/pts/2' (5/6)
> lxc-start 1411313677.279 INFO lxc_conf - tty's configured
> lxc-start 1411313677.279 DEBUG lxc_start - sigchild handler set
> lxc-start 1411313677.279 DEBUG lxc_console - opening
> /home/socrates/.console for console peer
> lxc-start 1411313677.279 DEBUG lxc_console - using
> '/home/socrates/.console' as console
> lxc-start 1411313677.280 DEBUG lxc_console - no console peer
> lxc-start 1411313677.285 INFO lxc_monitor - using monitor sock
> name lxc/5a8aaa9d4fd81a5c//home/socrates/.local/share/lxc
> lxc-start 1411313677.564 INFO lxc_start - 'socrates' is
> initialized
> lxc-start 1411313677.575 DEBUG lxc_start - Not dropping
> cap_sys_boot or watching utmp
> lxc-start 1411313677.576 INFO lxc_start - Cloning a new user
> namespace
> lxc-start 1411313677.576 INFO lxc_cgroup - cgroup driver cgroupfs
> initing for socrates
> lxc-start 1411313677.576 ERROR lxc_cgfs - Permission denied - Could
> not create cgroup '/socrates-1' in '/sys/fs/cgroup/perf_event'.
> lxc-start 1411313677.577 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event//socrates
> lxc-start 1411313677.577 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
> lxc-start 1411313677.577 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio//socrates
> lxc-start 1411313677.577 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
> lxc-start 1411313677.578 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls//socrates
> lxc-start 1411313677.578 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
> lxc-start 1411313677.578 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer//socrates
> lxc-start 1411313677.578 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
> lxc-start 1411313677.578 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/devices//socrates
> lxc-start 1411313677.578 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
> lxc-start 1411313677.578 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//socrates
> lxc-start 1411313677.578 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
> lxc-start 1411313677.579 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset//socrates
> lxc-start 1411313677.579 ERROR lxc_cgfs - Permission denied -
> cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
> lxc-start 1411313677.579 ERROR lxc_start - failed creating cgroups
> lxc-start 1411313677.579 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313677.579 ERROR lxc_start - failed to spawn
> 'socrates'
> lxc-start 1411313677.579 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313677.579 INFO lxc_utils - XDG_RUNTIME_DIR isn't
> set in the environment.
> lxc-start 1411313677.579 WARN lxc_commands - command get_cgroup
> failed to receive response
> lxc-start 1411313677.579 WARN lxc_cgfs - Not attaching to cgroup
> cpuset unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313677.579 WARN lxc_cgfs - Not attaching to cgroup
> cpu unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313677.580 WARN lxc_cgfs - Not attaching to cgroup
> devices unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313677.580 WARN lxc_cgfs - Not attaching to cgroup
> freezer unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313677.580 WARN lxc_cgfs - Not attaching to cgroup
> net_cls unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313677.580 WARN lxc_cgfs - Not attaching to cgroup
> blkio unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313677.580 WARN lxc_cgfs - Not attaching to cgroup
> perf_event unknown to /home/socrates/.local/share/lxc socrates
> lxc-start 1411313682.585 ERROR lxc_start_ui - The container failed
> to start.
> lxc-start 1411313682.585 ERROR lxc_start_ui - To get more details,
> run the container in foreground mode.
> lxc-start 1411313682.585 ERROR lxc_start_ui - Additional
> information can be obtained by setting the --logfile and --log-priority
> options.
>
> Any advice would be much appreciated, I've spent quite a while scouring the
> Internet for ideas, but now I am stuck.
>
> Thanks,
> Chris
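
A pre-flight check for the failure shown in the logs above, as an added example (not part of the original message and not LXC code): for each hierarchy listed in /proc/self/cgroup it tests whether the cgroup the calling shell currently sits in is a directory the user can write to, since creating a child cgroup is a mkdir in that directory. The function names, the /sys/fs/cgroup/<controllers> mount layout and the sample tree built by demo are assumptions.

```bash
#!/bin/bash
# Added example: report, per cgroup v1 hierarchy, whether the calling user
# could create a child cgroup under the cgroup this shell is in.
# Usage: check_cgroups [CGROUP_FILE] [CGROUP_ROOT]
# Returns 1 if any hierarchy is missing or not writable, 0 otherwise.
check_cgroups() {
    local cgfile=${1:-/proc/self/cgroup} root=${2:-/sys/fs/cgroup}
    local id ctrl path dir rc=0
    while IFS=: read -r id ctrl path; do
        [ -n "$ctrl" ] || continue      # cgroup v2 line "0::/..." names no controller
        ctrl=${ctrl#name=}              # assumption: name=systemd is mounted as "systemd"
        dir=$root/$ctrl${path%/}        # directory of the cgroup this process is in
        if [ ! -d "$dir" ]; then
            echo "missing $ctrl $path"; rc=1
        elif [ ! -w "$dir" ]; then
            echo "denied  $ctrl $path"; rc=1
        else
            echo "ok      $ctrl $path"
        fi
    done < "$cgfile"
    return "$rc"
}

# Constructed sample (not taken from the post): a fake hierarchy in a temp
# directory where only "freezer" has a per-user cgroup the shell was moved into.
demo() {
    local t rc=0
    t=$(mktemp -d)
    mkdir -p "$t/root/freezer/socrates" "$t/root/cpu,cpuacct"
    # Read-only directory stands in for a root-owned hierarchy; it is
    # reported as "denied" unless the demo itself runs as root.
    chmod 555 "$t/root/cpu,cpuacct"
    printf '%s\n' '4:freezer:/socrates' '3:cpu,cpuacct:/' '2:perf_event:/' > "$t/cgroup"
    check_cgroups "$t/cgroup" "$t/root" || rc=1
    chmod 755 "$t/root/cpu,cpuacct"
    rm -rf "$t"
    return "$rc"
}
```

Run `check_cgroups` with no arguments from the same shell that will invoke lxc-start; a path of `/` on any line means that shell is still in the root cgroup of that hierarchy.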