[lxc-users] CGManager and LXCFS causing lxc-start to fail for unprivileged containers

Akshay Karle akshay.a.karle at gmail.com
Fri Jan 29 01:55:47 UTC 2016


Hello,

Recently, after upgrading lxc on Ubuntu 14.04.3 LTS, I noticed that it
included the libpam-cgm package. I started to see some weird problems with
cgroups and ownerships when trying to start an unprivileged container in
the cases when the user running the containers is not the same as the user
who logged in to the machine (e.g. ssh, change user and then start
container fails). I believe this may have to do with the recent changes to
libpam-cgm, lxcfs and cgfs, as I didn't have any trouble before. After
changing the user we used to unset the XDG envs and run the cgm commands to
set up cgroups, which stopped working recently.

*lxc-start failure trace* (full stack trace attached):
      lxc-start 1454029959.193 ERROR    lxc_utils - utils.c:setproctitle:1455 - Invalid argument - setting cmdline failed
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:handle_cgroup_settings:2091 - Permission denied - failed to set memory.use_hierarchy to 1; continuing
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:lxc_cgroupfs_create:849 - Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/perf_event/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/memory/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/hugetlb/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/freezer/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/devices/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/cpuset/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/cpuacct/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/cpu/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_cgfs - cgfs.c:cgroup_rmdir:166 - cgroup_rmdir: failed to open /run/lxcfs/controllers/blkio/user/test/0
      lxc-start 1454029959.581 ERROR    lxc_start - start.c:lxc_spawn:970 - failed creating cgroups
      lxc-start 1454029959.581 ERROR    lxc_start - start.c:__lxc_start:1213 - failed to spawn 'test'
      lxc-start 1454029965.093 ERROR    lxc_start_ui - lxc_start.c:main:344 - The container failed to start.


*Steps to reproduce:*
* Upgrade LXC: $ sudo apt-get upgrade cgmanager libcgmanager0 lxc libcap2 libseccomp2 ruby-dev lxc-dev
* Add the management of all controllers to the pam module. Replace the
freezer in /etc/pam.d/common-session with all controllers:
session optional pam_cgm.so -c freezer,perf_event,memory,cpu,cpuacct,cpuset,blkio,hugetlb,devices
* Add a test user: $ sudo useradd test -m
* Set up the lxc configuration file for the test user:
$ sudo su - test
$ mkdir -p ~/.config/lxc
$ cat > ~/.config/lxc/default.conf
lxc.include = /etc/lxc/default.conf
# you may have to change to your subuids/subgids
lxc.id_map = u 0 231072 65536
lxc.id_map = g 0 231072 65536
* Create container: $ lxc-create -n test -t download -- -d ubuntu -r trusty -a amd64
* Run the container: $ lxc-start -n test -d -l debug -o container.log

*System info:*
$ uname -r
3.13.0-76-generic

$ dpkg -l | grep lxc
ii  liblxc1                          1.1.5-0ubuntu5~ubuntu14.04.1~ppa1 amd64        Linux Containers userspace tools (library)
ii  lxc                              1.1.5-0ubuntu5~ubuntu14.04.1~ppa1 amd64        Linux Containers userspace tools
ii  lxc-dev                          1.1.5-0ubuntu5~ubuntu14.04.1~ppa1 amd64        Linux Containers userspace tools (development)
ii  lxc-templates                    1.1.5-0ubuntu5~ubuntu14.04.1~ppa1 amd64        Linux Containers userspace tools (templates)
ii  lxcfs                            0.17-0ubuntu2~ubuntu14.04.1~ppa1  amd64        FUSE based filesystem for LXC
ii  python3-lxc                      1.1.5-0ubuntu5~ubuntu14.04.1~ppa1 amd64        Linux Containers userspace tools (Python 3.x bindings)

$ dpkg -l | grep cgm
ii  cgmanager                        0.39-2ubuntu5~ubuntu14.04.1~ppa1  amd64        Central cgroup manager daemon
ii  libcgmanager0:amd64              0.39-2ubuntu5~ubuntu14.04.1~ppa1  amd64        Central cgroup manager daemon (client library)
ii  libpam-cgm                       0.39-2ubuntu5~ubuntu14.04.1~ppa1  amd64        Central cgroup manager daemon (PAM module)

I would appreciate some help on this as I have been trying to figure out
the problem for the last few days now.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cli.log
Type: application/octet-stream
Size: 11197 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160129/997351b0/attachment-0001.obj>
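
An added diagnostic for the ownership symptom described in the post above (not part of the original message, and not code from LXC or cgmanager): for each controller the calling process belongs to, it reports whether the matching cgroup directory exists and is owned by the expected uid. It assumes the cgroup v1 "id:controllers:path" format of /proc/self/cgroup and per-controller directories under /run/lxcfs/controllers as seen in the log; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# check_cgroup_owner CGROUP_FILE ROOT UID
# Prints "<controller> <status> <dir>" for every controller listed in
# CGROUP_FILE. Returns 1 if any directory is missing or owned by another
# uid: the situation where an unprivileged user cannot create child cgroups.
check_cgroup_owner() {
    cg_file=$1 root=$2 want_uid=$3 rc=0
    while IFS=: read -r _id ctrls path; do
        [ -n "$ctrls" ] || continue      # skip entries with no controller
        # co-mounted controllers are comma-joined, e.g. "cpu,cpuacct"
        for c in $(printf '%s' "$ctrls" | tr ',' ' '); do
            dir="$root/$c$path"
            if [ ! -d "$dir" ]; then
                echo "$c missing $dir"; rc=1
            else
                owner=$(stat -c %u "$dir")   # GNU stat: numeric owner uid
                if [ "$owner" = "$want_uid" ]; then
                    echo "$c ok $dir"
                else
                    echo "$c owner=$owner $dir"; rc=1
                fi
            fi
        done
    done < "$cg_file"
    return $rc
}

# Constructed sample for offline use: a fake controller tree and cgroup file.
# The /user/test/0 path mirrors the one in the log; cpuacct is left out on
# purpose so the "missing" branch is exercised.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/root/freezer/user/test/0" "$d/root/cpu/user/test/0"
    printf '%s\n' '3:freezer:/user/test/0' '2:cpu,cpuacct:/user/test/0' > "$d/cgroup"
    echo "$d"
}

# On a real host, run as the user who will start the container:
#   sh thisfile.sh --host
if [ "${1:-}" = "--host" ]; then
    check_cgroup_owner /proc/self/cgroup /run/lxcfs/controllers "$(id -u)"
fi
```

An `owner=<uid>` line naming the login user rather than the user who will run lxc-start matches the "logged in as one user, switched to another" case from the post.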