[lxc-users] unprivileged nested containers - Failed to create hugetlb:lxc/test

Ivan Ogai ivan.ogai at gmail.com
Tue Mar 8 15:34:32 UTC 2016


> I have a user 'jenkins' in a host, which is able to create
> and start this unprivileged container whose config is:
>
>     # Distribution configuration
>     lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>     lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
>     lxc.arch = x86_64
>
>     lxc.mount.auto = cgroup
>     lxc.aa_profile = lxc-container-default-with-nesting
>
>     # Container specific configuration
>     lxc.id_map = u 0 100000 65536
>     lxc.id_map = u 100000 165536 65536
>     lxc.id_map = g 0 100000 65536
>     lxc.id_map = g 100000 165536 65536
>     lxc.rootfs = /home/jenkins/.local/share/lxc/jenkins/rootfs
>     lxc.utsname = jenkins
>
>     # Network configuration
>     lxc.network.type = veth
>     lxc.network.flags = up
>     lxc.network.link = lxcbr0
>     lxc.network.hwaddr = 00:16:3e:17:02:1a
>
>
> The idea is to use the ids in the host 165536-231072 for an unprivileged
> container inside the unprivileged container above.
>
> Another user (also called jenkins) in the container jenkins is able to
> create unprivileged (nested) containers as expected, but is not able to
> start them.
> The log says:
>
>     lxc-start 1457449899.746 INFO     lxc_start_ui - lxc_start.c:main:264 - using rcfile /var/lib/jenkins/.local/share/lxc/test/config
>     lxc-start 1457449899.746 INFO     lxc_confile - confile.c:config_idmap:1378 - read uid map: type u nsid 0 hostid 100000 range 65536
>     lxc-start 1457449899.746 INFO     lxc_confile - confile.c:config_idmap:1378 - read uid map: type g nsid 0 hostid 100000 range 65536
>     lxc-start 1457449899.746 WARN     lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
>     lxc-start 1457449899.748 WARN     lxc_cgmanager - cgmanager.c:cgm_get:985 - do_cgm_get exited with error
>     lxc-start 1457449899.748 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
>     lxc-start 1457449899.748 INFO     lxc_seccomp - seccomp.c:use_seccomp:531 - Already seccomp-confined, not loading new policy
>     lxc-start 1457449899.748 DEBUG    lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/5' (5/6)
>     lxc-start 1457449899.748 DEBUG    lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/6' (7/8)
>     lxc-start 1457449899.748 DEBUG    lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/7' (9/10)
>     lxc-start 1457449899.748 DEBUG    lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/8' (11/12)
>     lxc-start 1457449899.748 INFO     lxc_conf - conf.c:lxc_create_tty:3802 - tty's configured
>     lxc-start 1457449899.748 DEBUG    lxc_start - start.c:setup_signal_fd:263 - sigchild handler set
>     lxc-start 1457449899.748 DEBUG    lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer
>     lxc-start 1457449899.748 DEBUG    lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console
>     lxc-start 1457449899.748 DEBUG    lxc_console - console.c:lxc_console_sigwinch_init:179 - 10902 got SIGWINCH fd 17
>     lxc-start 1457449899.748 DEBUG    lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:14 cols:382 rows:92
>     lxc-start 1457449899.931 INFO     lxc_start - start.c:lxc_init:463 - 'test' is initialized
>     lxc-start 1457449899.931 DEBUG    lxc_start - start.c:__lxc_start:1099 - Not dropping cap_sys_boot or watching utmp
>     lxc-start 1457449899.931 INFO     lxc_start - start.c:lxc_spawn:832 - Cloning a new user namespace
>     lxc-start 1457449899.931 INFO     lxc_cgroup - cgroup.c:cgroup_init:62 - cgroup driver cgmanager initing for test
>     lxc-start 1457449899.932 ERROR    lxc_cgmanager - cgmanager.c:lxc_cgmanager_create:301 - call to cgmanager_create_sync failed: invalid request
>     lxc-start 1457449899.932 ERROR    lxc_cgmanager - cgmanager.c:lxc_cgmanager_create:303 - Failed to create hugetlb:lxc/test
>     lxc-start 1457449899.932 ERROR    lxc_cgmanager - cgmanager.c:cgm_create:650 - Error creating cgroup hugetlb:lxc/test
>     lxc-start 1457449899.933 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: hugetlb:lxc/test did not exist
>     lxc-start 1457449899.933 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: net_prio:lxc/test did not exist
>     lxc-start 1457449899.933 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: perf_event:lxc/test did not exist
>     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: net_cls:lxc/test did not exist
>     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: freezer:lxc/test did not exist
>     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: devices:lxc/test did not exist
>     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: memory:lxc/test did not exist
>     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: blkio:lxc/test did not exist
>     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpuacct:lxc/test did not exist
>     lxc-start 1457449899.935 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpu:lxc/test did not exist
>     lxc-start 1457449899.935 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpuset:lxc/test did not exist
>     lxc-start 1457449899.935 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: name=systemd:lxc/test did not exist
>     lxc-start 1457449899.935 ERROR    lxc_start - start.c:lxc_spawn:891 - failed creating cgroups
>     lxc-start 1457449899.935 ERROR    lxc_start - start.c:__lxc_start:1121 - failed to spawn 'test'
>     lxc-start 1457449899.935 ERROR    lxc_start_ui - lxc_start.c:main:341 - The container failed to start.
>     lxc-start 1457449899.935 ERROR    lxc_start_ui - lxc_start.c:main:345 - Additional information can be obtained by setting the --logfile and --logpriority options.
>
> In the container jenkins as user jenkins, cat /proc/self/cgroup returns:
>
>     12:hugetlb:/user/1009.user/2.session/lxc/jenkins
>     11:net_prio:/user/1009.user/2.session/lxc/jenkins
>     10:perf_event:/user/1009.user/2.session/lxc/jenkins
>     9:net_cls:/user/1009.user/2.session/lxc/jenkins
>     8:freezer:/user/1009.user/2.session/lxc/jenkins
>     7:devices:/user/1009.user/2.session/lxc/jenkins
>     6:memory:/user/1009.user/2.session/lxc/jenkins
>     5:blkio:/user/1009.user/2.session/lxc/jenkins
>     4:cpuacct:/user/1009.user/2.session/lxc/jenkins
>     3:cpu:/user/1009.user/2.session/lxc/jenkins
>     2:cpuset:/user/1009.user/2.session/lxc/jenkins
>     1:name=systemd:/user/1009.user/2.session/lxc/jenkins/user/1009.user/2.session/lxc/jenkins/user/106.user/c6.session
>
> How can I fix it?
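A check worth running before trusting a nested setup like the one above, added here as an example and not code from the post or from LXC: it parses the lxc.id_map entries quoted in the message and translates the inner container's map (reconstructed from the two "read uid map" log lines, so the inner config is an assumption) through the outer container's map, reporting which host ids the inner container really gets and refusing any inner entry that points at ids the outer container was never given.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class IdMap:
    kind: str    # "u" (uid) or "g" (gid)
    nsid: int    # first id inside the namespace being created
    hostid: int  # first id in the namespace the config is read in
    count: int   # length of the range

def parse_id_maps(config: str) -> List[IdMap]:
    """Extract lxc.id_map entries from LXC config text."""
    maps = []
    for line in config.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "lxc.id_map":
            kind, nsid, hostid, count = value.split()
            maps.append(IdMap(kind, int(nsid), int(hostid), int(count)))
    return maps

def nested_host_ranges(parent: List[IdMap], nested: List[IdMap]) -> List[Tuple[str, int, int]]:
    """Translate a nested container's id map through its parent's id map.
    Returns (kind, first, last) segments on the real host; raises ValueError if the
    nested map uses an id the parent never mapped (the kernel rejects such a map)."""
    out = []
    for n in nested:
        pos, end = n.hostid, n.hostid + n.count  # ids as seen inside the parent
        while pos < end:
            cover = [m for m in parent
                     if m.kind == n.kind and m.nsid <= pos < m.nsid + m.count]
            if not cover:
                raise ValueError(f"{n.kind}id {pos} is not mapped in the parent container")
            m = cover[0]
            seg_end = min(end, m.nsid + m.count)
            out.append((n.kind, m.hostid + pos - m.nsid, m.hostid + seg_end - 1 - m.nsid))
            pos = seg_end
    return out

# Outer container config (host level), copied from the quoted post.
OUTER_CONFIG = """lxc.id_map = u 0 100000 65536
lxc.id_map = u 100000 165536 65536
lxc.id_map = g 0 100000 65536
lxc.id_map = g 100000 165536 65536"""
# Inner config, reconstructed (assumed) from the "read uid map" log lines in the post.
NESTED_CONFIG = """lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536"""

if __name__ == "__main__":
    for kind, first, last in nested_host_ranges(parse_id_maps(OUTER_CONFIG), parse_id_maps(NESTED_CONFIG)):
        print(f"{kind}: inner container ids 0-65535 land on host ids {first}-{last}")
```

With the post's values the inner container's ids 0-65535 land on host ids 165536-231071, the range the author intended; an inner entry that strays outside the outer container's two ranges is reported instead of silently failing at start time.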