[lxc-users] LXC containers won't start after 15.10 -> 16.04 upgrade

Serge Hallyn serge.hallyn at ubuntu.com
Mon Apr 4 20:56:47 UTC 2016


Quoting Daan Willems (xatr0z at gmail.com):
> On Mon, Apr 4, 2016 at 5:41 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Can you show your full container configuration?
> 
> I tinkered a bit with the config. If I comment out all of the
> lxc.cgroup.devices.allow lines, the container starts.

Right.  If you ask lxc to set up devices cgroup entries, then you
must be able to write to your devices cgroup files...  You can enable
this by adding ',devices' to the end of the libpam-cgfs line in
/etc/pam.d/common-session*.  There is no security downside to it fwiw -
the kernel will enforce proper hierarchy so that your user cannot escape
its limits.

> Are there any changes to the lxc.cgroup configuration I should know of?

Modern containers (for the past few years I think) make use of the
lxc.include of common files, using different sets for privileged and
unprivileged containers, so that unpriv ones have no devices entries,
and do have some other needed entries.

-serge
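An added example (not code from this thread): a small POSIX sh script that checks whether the calling user actually has a writable devices cgroup, which is what lxc.cgroup.devices.allow entries need in an unprivileged container, and shows the ',devices' edit to the pam_cgfs line. Function names are hypothetical and the sample pam_cgfs controller list and cgroup content are constructed.

```shell
# Added example, not code from the lxc-users thread. Function names are
# hypothetical; the pam_cgfs controller list below is an assumption.

# Constructed /proc/self/cgroup content (cgroup v1 layout "id:controllers:path")
# for a login session that has had the devices controller delegated to it.
SAMPLE_CGROUP='12:devices:/user/1000.user/1.session
11:freezer:/user/1000.user/1.session
10:name=systemd:/user.slice/user-1000.slice/session-1.scope
1:cpuset:/'

# Print the devices controller path from /proc/<pid>/cgroup content on stdin.
# Exits non-zero when no devices controller is listed (e.g. a pure cgroup v2
# host), which is what an undelegated unprivileged session looks like too.
devices_cgroup_path() {
    awk -F: '$2 ~ /(^|,)devices(,|$)/ { print $3; found = 1 } END { exit !found }'
}

# Return 0 if devices.allow under the given cgroup path is writable by us.
# $2 optionally overrides the hierarchy mount (default /sys/fs/cgroup/devices).
devices_cgroup_writable() {
    [ -w "${2:-/sys/fs/cgroup/devices}$1/devices.allow" ]
}

# Rewrite a pam_cgfs line from /etc/pam.d/common-session* so that its -c
# controller list also contains devices. Lines that already have it, or that
# are not pam_cgfs lines, are printed unchanged, so the edit is idempotent.
add_devices_controller() {
    case "$1" in
        *pam_cgfs.so*-c*devices*) printf '%s\n' "$1" ;;
        *pam_cgfs.so*-c*)         printf '%s,devices\n' "$1" ;;
        *)                        printf '%s\n' "$1" ;;
    esac
}

# Stand-alone run: report on the current process's own session.
if path=$(devices_cgroup_path < /proc/self/cgroup 2>/dev/null); then
    if devices_cgroup_writable "$path"; then
        echo "devices cgroup $path is writable: devices.allow entries can be applied"
    else
        echo "devices cgroup $path is not writable: add ',devices' to the pam_cgfs -c list"
    fi
else
    echo "no devices controller found in /proc/self/cgroup"
fi
```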
