[lxc-users] Unable to Start Unprivileged Containers on Debian / Jessie
Michael H. Warfield
mhw at WittsEnd.com
Tue Sep 30 15:27:52 UTC 2014
On Mon, 2014-09-29 at 20:46 +0000, Serge Hallyn wrote:
> Hm, sorry, not looking deeper right now, but :
>
> > lxc-start 1411807327.953 ERROR lxc_conf - Permission denied - WARNING: Failed to create symlink '/home/osmium/.local/share/lxc/osmium/rootfs.dev'->'/dev/.lxc/user/osmium.3c68b3f0c5eeec7d'
> Something will need to set that up. I can't recall offhand
> what is supposed to do that. Michael (cc:d), is that done
> through the init script?
No, it should be done in lxc-start from the code in config.c for systemd
when autodev is enabled.
The fact that it's a "permission denied" says that something is wrong
in the LXC_PATH to the container itself. It's a permission error in there.
Since you can create an arbitrary symlink even if the target does not
exist or you don't have permission to the target, it's got to be from
the location where the symlink is attempted to be created.
> -serge
Mike
> Quoting Chris (berzerkatives at gmail.com):
> >
> > On 27/09/14 00:02, Serge Hallyn wrote:
> > >Is /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic (or wherever it
> > >sits) setuid-root?
> > >
> > Yes. This was that problem. To my knowledge this program requires
> > setuid to be at all useful, so I wonder why it's not distributed as
> > such on Debian/Jessie.
> >
> > Now my container seems to be running into another issue, it's having
> > problems populating /dev, I see on the mailing lists that this (or a
> > very similar) issue cropped up in February, and had since been
> > patched, so very likely that I'm still doing something wrong. I've
> > attached the trace level log detailing initialisation of the
> > container.
>
> > lxc-start 1411807327.376 INFO lxc_start_ui - using rcfile /home/osmium/.local/share/lxc/osmium/config
> > lxc-start 1411807327.399 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
> > lxc-start 1411807327.420 INFO lxc_confile - read uid map: type u nsid 0 hostid 427680 range 65536
> > lxc-start 1411807327.420 INFO lxc_confile - read uid map: type g nsid 0 hostid 427680 range 65536
> > lxc-start 1411807327.420 WARN lxc_log - lxc_log_init called with log already initialized
> > lxc-start 1411807327.420 INFO lxc_lsm - LSM security driver nop
> > lxc-start 1411807327.420 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
> > lxc-start 1411807327.432 DEBUG lxc_conf - allocated pty '/dev/pts/2' (5/6)
> > lxc-start 1411807327.432 INFO lxc_conf - tty's configured
> > lxc-start 1411807327.432 DEBUG lxc_start - sigchild handler set
> > lxc-start 1411807327.432 DEBUG lxc_console - opening /home/osmium/.console for console peer
> > lxc-start 1411807327.432 DEBUG lxc_console - using '/home/osmium/.console' as console
> > lxc-start 1411807327.432 DEBUG lxc_console - no console peer
> > lxc-start 1411807327.776 INFO lxc_start - 'osmium' is initialized
> > lxc-start 1411807327.807 DEBUG lxc_start - Not dropping cap_sys_boot or watching utmp
> > lxc-start 1411807327.807 INFO lxc_start - Cloning a new user namespace
> > lxc-start 1411807327.807 INFO lxc_cgroup - cgroup driver cgroupfs initing for osmium
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.deny' set to 'a'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c *:* m'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'b *:* m'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 5:1 rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 10:229 rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 1:3 rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 5:2 rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 136:* rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 1:8 rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 254:0 rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 5:0 rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 1:9 rwm'
> > lxc-start 1411807327.811 DEBUG lxc_cgfs - cgroup 'devices.allow' set to 'c 1:5 rwm'
> > lxc-start 1411807327.811 INFO lxc_cgfs - cgroup has been setup
> > lxc-start 1411807327.932 NOTICE lxc_start - switching to gid/uid 0 in new user namespace
> > lxc-start 1411807327.935 DEBUG lxc_conf - mounted '/home/osmium/root' on '/usr/lib/x86_64-linux-gnu/lxc/rootfs'
> > lxc-start 1411807327.935 INFO lxc_conf - 'osmium' hostname has been setup
> > lxc-start 1411807327.936 DEBUG lxc_conf - mac address '00:16:3e:73:bd:de' on 'eth0' has been setup
> > lxc-start 1411807327.936 DEBUG lxc_conf - 'eth0' has been setup
> > lxc-start 1411807327.936 INFO lxc_conf - network has been setup
> > lxc-start 1411807327.937 DEBUG lxc_conf - Set exec command to /sbin/init
> > lxc-start 1411807327.952 INFO lxc_conf - Container with systemd init detected - enabling autodev!
> > lxc-start 1411807327.952 INFO lxc_conf - Mounting /dev under /usr/lib/x86_64-linux-gnu/lxc/rootfs
> > lxc-start 1411807327.952 DEBUG lxc_conf - entering mount_check_fs for /dev
> > lxc-start 1411807327.952 DEBUG lxc_conf - mount_check_fs returning 1 last devtmpfs
> > lxc-start 1411807327.952 INFO lxc_conf - Setup in /dev/.lxc failed. Trying /dev/.lxc/user.
> > lxc-start 1411807327.953 ERROR lxc_conf - Permission denied - WARNING: Failed to create symlink '/home/osmium/.local/share/lxc/osmium/rootfs.dev'->'/dev/.lxc/user/osmium.3c68b3f0c5eeec7d'
> > lxc-start 1411807327.953 DEBUG lxc_conf - Bind mounting /dev/.lxc/user/osmium.3c68b3f0c5eeec7d to /usr/lib/x86_64-linux-gnu/lxc/rootfs/dev
> > lxc-start 1411807327.953 INFO lxc_conf - Mounted /dev under /usr/lib/x86_64-linux-gnu/lxc/rootfs
> > lxc-start 1411807327.953 WARN lxc_conf - ignoring mount point '/home/osmium/proc'
> > lxc-start 1411807327.953 WARN lxc_conf - ignoring mount point '/home/osmium/dev/pts'
> > lxc-start 1411807327.953 WARN lxc_conf - ignoring mount point '/home/osmium/sys'
> > lxc-start 1411807327.953 INFO lxc_conf - mount points have been setup
> > lxc-start 1411807327.954 INFO lxc_conf - Creating initial consoles under /usr/lib/x86_64-linux-gnu/lxc/rootfs/dev
> > lxc-start 1411807327.954 INFO lxc_conf - Populating /dev under /usr/lib/x86_64-linux-gnu/lxc/rootfs
> > lxc-start 1411807327.954 ERROR lxc_conf - Operation not permitted - Error creating null
> > lxc-start 1411807327.954 ERROR lxc_conf - failed to populate /dev in the container
> > lxc-start 1411807327.954 ERROR lxc_start - failed to setup the container
> > lxc-start 1411807327.954 ERROR lxc_sync - invalid sequence number 1. expected 2
> > lxc-start 1411807327.954 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
> > lxc-start 1411807328.067 ERROR lxc_start - failed to spawn 'osmium'
> > lxc-start 1411807328.068 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
> > lxc-start 1411807328.068 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
> > lxc-start 1411807328.069 ERROR lxc_start_ui - The container failed to start.
> > lxc-start 1411807328.069 ERROR lxc_start_ui - Additional information can be obtained by setting the --logfile and --log-priority options.
>
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
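Michael's diagnostic argument above (a "permission denied" from symlink(2) cannot come from the target, so it has to come from the directory where the link is being created) as an added example that is not part of this thread or of LXC's config.c: the `lxcpath` directory, the dangling target path and the helper names are constructed for the demonstration.

```python
import os
import tempfile

MISSING_TARGET = "/dev/.lxc/user/does-not-exist"  # constructed, never created

def symlink_to_missing_target(link_dir):
    """symlink(2) never looks at the target, so a dangling link to an
    inaccessible path still succeeds when the parent directory is writable."""
    link = os.path.join(link_dir, "rootfs.dev")  # link name as in the log
    os.symlink(MISSING_TARGET, link)
    return os.path.islink(link) and not os.path.exists(link)

def try_symlink(link_path):
    """Attempt the symlink; return 0 on success or the errno on failure."""
    try:
        os.symlink(MISSING_TARGET, link_path)
        return 0
    except OSError as e:
        return e.errno

def blocked_components(link_path):
    """Ancestors of link_path the caller cannot traverse, plus the parent if it
    is not writable: the checks the kernel makes on the link side only."""
    parent = os.path.dirname(os.path.abspath(link_path))
    parts = parent.split(os.sep)
    blocked = []
    for i in range(1, len(parts) + 1):
        component = os.sep.join(parts[:i]) or os.sep
        if not os.path.isdir(component):
            break  # nothing below a missing directory can be checked
        need = os.X_OK | (os.W_OK if component == parent else 0)
        if not os.access(component, need):
            blocked.append(component)
    return blocked

def demo():
    """Constructed scenario: a searchable but read-only 'lxcpath' stands in for
    an unwritable LXC_PATH. Root bypasses mode bits, so is_root is recorded."""
    with tempfile.TemporaryDirectory() as tmp:
        ro_dir = os.path.join(tmp, "lxcpath")
        os.mkdir(ro_dir, 0o555)
        link = os.path.join(ro_dir, "rootfs.dev")
        result = {
            "is_root": os.geteuid() == 0,
            "dangling_ok": symlink_to_missing_target(tmp),
            "errno": try_symlink(link),
            "blocked": blocked_components(link),
            "ro_dir": ro_dir,
        }
        os.chmod(ro_dir, 0o755)  # let TemporaryDirectory clean up
        return result
```

Run as an ordinary user, `demo()` reports EACCES (13) and names the read-only directory as the blocking component, while the dangling link in the writable directory succeeds; that is exactly the split the thread relies on when it points at the container's LXC_PATH rather than at /dev/.lxc.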