[lxc-users] Unable to Start Unprivileged Containers on Debian / Jessie

Naoki Kawakami dolenin at parallels.com
Mon Sep 22 02:26:23 UTC 2014


Hi Chris,

Ensure your plato user indeed has write access to the cgroups created by 
prep.sh and that the bash PID which would run lxc-start is indeed in the 
tasks file of each created cgroup.
I remember having to edit this script because it did not work for me as 
is (though I am not on a Debian-based OS).

kind regards


On 09/22/2014 01:22 AM, Chris wrote:
> Hi,
>
> For the last few days I've been attempting to run an unprivileged
> container on Jessie without much luck, I was hoping someone might be
> able to steer me in the right direction.
>
>        socrates@plato:~$ . /etc/*release; echo $PRETTY_NAME
>        Debian GNU/Linux jessie/sid
>        socrates@plato:~$ uname -a
>        Linux plato 3.14-2-amd64 #1 SMP Debian 3.14.15-2 (2014-08-09) x86_64 GNU/Linux
>        socrates@plato:~$ dpkg-query -l lxc
>        Desired=Unknown/Install/Remove/Purge/Hold
>        | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
>        |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
>        ||/ Name                           Version Architecture Description
>        +++-==============================-====================-====================-=================================================================
>        ii  lxc                            1:1.0.5-3 amd64 Linux Containers userspace tools
>        socrates@plato:~$ socrates@plato:~$ cat /sys/fs/cgroup/cpuset/cgroup.clone_children /proc/sys/kernel/unprivileged_userns_clone
>        1
>        1
>
> So just running it straight off gives me the following.
>
>        socrates@plato:~$ lxc-start -d -n socrates --logfile ~/x --logpriority=TRACE
>        lxc-start: The container failed to start.
>        lxc-start: To get more details, run the container in foreground mode.
>        lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.
>
> With this coming up in the log:
>
>        lxc-start 1411313929.470 INFO     lxc_start_ui - using rcfile /home/socrates/.local/share/lxc/socrates/config
>        lxc-start 1411313929.520 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313929.540 INFO     lxc_confile - read uid map: type u nsid 0 hostid 427680 range 65536
>        lxc-start 1411313929.540 INFO     lxc_confile - read uid map: type g nsid 0 hostid 427680 range 65536
>        lxc-start 1411313929.541 WARN     lxc_log - lxc_log_init called with log already initialized
>        lxc-start 1411313929.567 INFO     lxc_lsm - LSM security driver nop
>        lxc-start 1411313929.568 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313929.570 DEBUG    lxc_conf - allocated pty '/dev/pts/2' (5/6)
>        lxc-start 1411313929.570 INFO     lxc_conf - tty's configured
>        lxc-start 1411313929.570 DEBUG    lxc_start - sigchild handler set
>        lxc-start 1411313929.571 DEBUG    lxc_console - opening /home/socrates/.console for console peer
>        lxc-start 1411313929.571 DEBUG    lxc_console - using '/home/socrates/.console' as console
>        lxc-start 1411313929.571 DEBUG    lxc_console - no console peer
>        lxc-start 1411313929.575 INFO     lxc_monitor - using monitor sock name lxc/5a8aaa9d4fd81a5c//home/socrates/.local/share/lxc
>        lxc-start 1411313929.860 INFO     lxc_start - 'socrates' is initialized
>        lxc-start 1411313929.891 DEBUG    lxc_start - Not dropping cap_sys_boot or watching utmp
>        lxc-start 1411313929.891 INFO     lxc_start - Cloning a new user namespace
>        lxc-start 1411313929.891 INFO     lxc_cgroup - cgroup driver cgroupfs initing for socrates
>        lxc-start 1411313929.892 ERROR    lxc_cgfs - Permission denied - Could not create cgroup '/socrates' in '/sys/fs/cgroup/perf_event'.
>        lxc-start 1411313929.892 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
>        lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
>        lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
>        lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
>        lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
>        lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
>        lxc-start 1411313929.893 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
>        lxc-start 1411313929.893 ERROR    lxc_start - failed creating cgroups
>        lxc-start 1411313929.894 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313929.894 ERROR    lxc_start - failed to spawn 'socrates'
>        lxc-start 1411313929.894 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313929.894 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313929.894 WARN     lxc_commands - command get_cgroup failed to receive response
>        lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup cpuset unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup cpu unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup devices unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup freezer unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup net_cls unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313929.894 WARN     lxc_cgfs - Not attaching to cgroup blkio unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313929.895 WARN     lxc_cgfs - Not attaching to cgroup perf_event unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313934.900 ERROR    lxc_start_ui - The
>        lxc-start 1411313934.900 ERROR    lxc_start_ui - To get more details, run the container in
>        lxc-start 1411313934.900 ERROR    lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.
>
> Looking at mailing list posts/etc, I came across this script (from
> Serge, if I recall correctly) and have attempted to run it prior to
> starting the container, however this seems to cause it to try to create
> a new cgroup (socrates-1) seeing that socrates is in use...
>
>        socrates@plato:~$ cat prep.sh
>        #!/bin/bash --
>        for d in /sys/fs/cgroup/*; do
>                f=$(basename $d)
>                echo "looking at $f"
>                if [ "$f" = "cpuset" ]; then
>                        echo 1 | sudo tee -a $d/cgroup.clone_children;
>                elif [ "$f" = "memory" ]; then
>                        echo 1 | sudo tee -a $d/memory.use_hierarchy;
>                fi
>                sudo mkdir -p $d/$USER
>                sudo chown -R $USER $d/$USER
>                echo $$ > $d/$USER/tasks
>        done
>        socrates@plato:~$ ./prep.sh
>        looking at blkio
>        looking at cgmanager
>        looking at cpu
>        looking at cpuacct
>        looking at cpu,cpuacct
>        looking at cpuset
>        1
>        looking at devices
>        looking at freezer
>        looking at net_cls
>        looking at perf_event
>        looking at systemd
>        socrates@plato:~$ lxc-start -d -n socrates --logfile ~/x --logpriority=TRACE
>        lxc-start: The container failed to start.
>        lxc-start: To get more details, run the container in foreground mode.
>        lxc-start: Additional information can be obtained by setting the --logfile and --log-priority options.
>
> The log output:
>
>        lxc-start 1411313677.267 INFO     lxc_start_ui - using rcfile /home/socrates/.local/share/lxc/socrates/config
>        lxc-start 1411313677.267 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313677.269 INFO     lxc_confile - read uid map: type u nsid 0 hostid 427680 range 65536
>        lxc-start 1411313677.269 INFO     lxc_confile - read uid map: type g nsid 0 hostid 427680 range 65536
>        lxc-start 1411313677.269 WARN     lxc_log - lxc_log_init called with log already initialized
>        lxc-start 1411313677.276 INFO     lxc_lsm - LSM security driver nop
>        lxc-start 1411313677.276 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313677.279 DEBUG    lxc_conf - allocated pty '/dev/pts/2' (5/6)
>        lxc-start 1411313677.279 INFO     lxc_conf - tty's configured
>        lxc-start 1411313677.279 DEBUG    lxc_start - sigchild handler set
>        lxc-start 1411313677.279 DEBUG    lxc_console - opening /home/socrates/.console for console peer
>        lxc-start 1411313677.279 DEBUG    lxc_console - using '/home/socrates/.console' as console
>        lxc-start 1411313677.280 DEBUG    lxc_console - no console peer
>        lxc-start 1411313677.285 INFO     lxc_monitor - using monitor sock name lxc/5a8aaa9d4fd81a5c//home/socrates/.local/share/lxc
>        lxc-start 1411313677.564 INFO     lxc_start - 'socrates' is initialized
>        lxc-start 1411313677.575 DEBUG    lxc_start - Not dropping cap_sys_boot or watching utmp
>        lxc-start 1411313677.576 INFO     lxc_start - Cloning a new user namespace
>        lxc-start 1411313677.576 INFO     lxc_cgroup - cgroup driver cgroupfs initing for socrates
>        lxc-start 1411313677.576 ERROR    lxc_cgfs - Permission denied - Could not create cgroup '/socrates-1' in '/sys/fs/cgroup/perf_event'.
>        lxc-start 1411313677.577 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event//socrates
>        lxc-start 1411313677.577 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
>        lxc-start 1411313677.577 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio//socrates
>        lxc-start 1411313677.577 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
>        lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls//socrates
>        lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
>        lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer//socrates
>        lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
>        lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices//socrates
>        lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
>        lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//socrates
>        lxc-start 1411313677.578 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
>        lxc-start 1411313677.579 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset//socrates
>        lxc-start 1411313677.579 ERROR    lxc_cgfs - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
>        lxc-start 1411313677.579 ERROR    lxc_start - failed creating cgroups
>        lxc-start 1411313677.579 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313677.579 ERROR    lxc_start - failed to spawn 'socrates'
>        lxc-start 1411313677.579 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313677.579 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
>        lxc-start 1411313677.579 WARN     lxc_commands - command get_cgroup failed to receive response
>        lxc-start 1411313677.579 WARN     lxc_cgfs - Not attaching to cgroup cpuset unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313677.579 WARN     lxc_cgfs - Not attaching to cgroup cpu unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup devices unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup freezer unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup net_cls unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup blkio unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313677.580 WARN     lxc_cgfs - Not attaching to cgroup perf_event unknown to /home/socrates/.local/share/lxc socrates
>        lxc-start 1411313682.585 ERROR    lxc_start_ui - The container failed to start.
>        lxc-start 1411313682.585 ERROR    lxc_start_ui - To get more details, run the container in foreground mode.
>        lxc-start 1411313682.585 ERROR    lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.
>
> Any advice would be much appreciated, I've spent quite a while scouring
> the Internet for ideas, but now I am stuck.
>
> Thanks,
> Chris

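The two conditions named in the reply (write access to each per-user cgroup, and the launching shell's PID present in each tasks file) can be checked with the function below. This is an added example, not part of the original thread or of LXC; the function names, the file name `check_cgroups.sh` and the sample tree are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: for every cgroup v1 hierarchy under ROOT, verify that the
# per-user cgroup exists, is writable, and lists PID in its tasks file.
# Source it, so $$ is the interactive shell that will run lxc-start; inside
# an executed script, $$ is that script's own short-lived process:
#   . ./check_cgroups.sh && check_cgroup_delegation /sys/fs/cgroup "$USER" $$
# (check_cgroups.sh is a hypothetical file name.)

check_cgroup_delegation() {
    local root="$1" user="$2" pid="$3" rc=0 d cg
    for d in "$root"/*/; do
        cg="${d%/}/$user"
        if [ ! -d "$cg" ]; then
            echo "MISSING  $cg"; rc=1
        elif [ ! -w "$cg" ] || [ ! -w "$cg/tasks" ]; then
            # -w tests the calling user, so run this as the container owner
            echo "NOWRITE  $cg"; rc=1
        elif ! grep -qxF -- "$pid" "$cg/tasks"; then
            # whole-line match, so PID 4242 is not satisfied by 14242
            echo "NOT-IN   $cg/tasks (pid $pid)"; rc=1
        else
            echo "OK       $cg"
        fi
    done
    return "$rc"
}

# Constructed sample tree (plain files, not a real cgroupfs) for offline use.
demo_constructed_tree() {
    local root rc
    root=$(mktemp -d) || return 2
    mkdir -p "$root/cpuset/demo" "$root/freezer/demo" "$root/devices"
    echo 4242 > "$root/cpuset/demo/tasks"             # shell attached here
    printf '1\n14242\n' > "$root/freezer/demo/tasks"  # other PIDs only
    check_cgroup_delegation "$root" demo 4242         # devices/demo is absent
    rc=$?
    rm -rf "$root"
    return "$rc"
}
```

A non-zero return means at least one hierarchy would still produce the "Permission denied" errors seen in the log when lxc-start tries to create its cgroup there.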
