[lxc-users] Ubuntu 14.4 - unprivileged nested containers - Failed to create hugetlb:lxc/test

Ivan Ogai lxc-users at ogai.name
Wed Mar 9 09:38:14 UTC 2016


I repeat my last message but formatting it properly (sorry for the
original) and adding some info.

I have a user 'jenkins' in a host running Ubuntu 14.04. The user is able
to create and start this unprivileged container (also running Ubuntu
14.04) whose config is:

    lxc.include = /usr/share/lxc/config/ubuntu.common.conf
    lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
    lxc.arch = x86_64

    lxc.mount.auto = cgroup
    lxc.aa_profile = lxc-container-default-with-nesting

    lxc.id_map = u 0 100000 65536
    lxc.id_map = u 100000 165536 65536
    lxc.id_map = g 0 100000 65536
    lxc.id_map = g 100000 165536 65536
    lxc.rootfs = /home/jenkins/.local/share/lxc/jenkins/rootfs
    lxc.utsname = jenkins

    lxc.network.type = veth
    lxc.network.flags = up
    lxc.network.link = lxcbr0
    lxc.network.hwaddr = 00:16:3e:17:02:1a


The idea is to use the ids in the host 165536-231072 for an unprivileged
container inside the unprivileged container above.

Another user (also called jenkins) in the unprivileged container jenkins
(with the above config) is able to create unprivileged (nested) containers
as expected, but is not able to start them. The log says:

     lxc-start 1457449899.746 INFO     lxc_start_ui - lxc_start.c:main:264 - using rcfile /var/lib/jenkins/.local/share/lxc/test/config
     lxc-start 1457449899.746 INFO     lxc_confile - confile.c:config_idmap:1378 - read uid map: type u nsid 0 hostid 100000 range 65536
     lxc-start 1457449899.746 INFO     lxc_confile - confile.c:config_idmap:1378 - read uid map: type g nsid 0 hostid 100000 range 65536
     lxc-start 1457449899.746 WARN     lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
     lxc-start 1457449899.748 WARN     lxc_cgmanager - cgmanager.c:cgm_get:985 - do_cgm_get exited with error
     lxc-start 1457449899.748 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
     lxc-start 1457449899.748 INFO     lxc_seccomp - seccomp.c:use_seccomp:531 - Already seccomp-confined, not loading new policy
     lxc-start 1457449899.748 DEBUG    lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/5' (5/6)
     lxc-start 1457449899.748 DEBUG    lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/6' (7/8)
     lxc-start 1457449899.748 DEBUG    lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/7' (9/10)
     lxc-start 1457449899.748 DEBUG    lxc_conf - conf.c:lxc_create_tty:3791 - allocated pty '/dev/pts/8' (11/12)
     lxc-start 1457449899.748 INFO     lxc_conf - conf.c:lxc_create_tty:3802 - tty's configured
     lxc-start 1457449899.748 DEBUG    lxc_start - start.c:setup_signal_fd:263 - sigchild handler set
     lxc-start 1457449899.748 DEBUG    lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer
     lxc-start 1457449899.748 DEBUG    lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console
     lxc-start 1457449899.748 DEBUG    lxc_console - console.c:lxc_console_sigwinch_init:179 - 10902 got SIGWINCH fd 17
     lxc-start 1457449899.748 DEBUG    lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:14 cols:382 rows:92
     lxc-start 1457449899.931 INFO     lxc_start - start.c:lxc_init:463 - 'test' is initialized
     lxc-start 1457449899.931 DEBUG    lxc_start - start.c:__lxc_start:1099 - Not dropping cap_sys_boot or watching utmp
     lxc-start 1457449899.931 INFO     lxc_start - start.c:lxc_spawn:832 - Cloning a new user namespace
     lxc-start 1457449899.931 INFO     lxc_cgroup - cgroup.c:cgroup_init:62 - cgroup driver cgmanager initing for test
     lxc-start 1457449899.932 ERROR    lxc_cgmanager - cgmanager.c:lxc_cgmanager_create:301 - call to cgmanager_create_sync failed: invalid request
     lxc-start 1457449899.932 ERROR    lxc_cgmanager - cgmanager.c:lxc_cgmanager_create:303 - Failed to create hugetlb:lxc/test
     lxc-start 1457449899.932 ERROR    lxc_cgmanager - cgmanager.c:cgm_create:650 - Error creating cgroup hugetlb:lxc/test
     lxc-start 1457449899.933 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: hugetlb:lxc/test did not exist
     lxc-start 1457449899.933 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: net_prio:lxc/test did not exist
     lxc-start 1457449899.933 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: perf_event:lxc/test did not exist
     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: net_cls:lxc/test did not exist
     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: freezer:lxc/test did not exist
     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: devices:lxc/test did not exist
     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: memory:lxc/test did not exist
     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: blkio:lxc/test did not exist
     lxc-start 1457449899.934 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpuacct:lxc/test did not exist
     lxc-start 1457449899.935 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpu:lxc/test did not exist
     lxc-start 1457449899.935 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: cpuset:lxc/test did not exist
     lxc-start 1457449899.935 INFO     lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:528 - cgroup removal attempt: name=systemd:lxc/test did not exist
     lxc-start 1457449899.935 ERROR    lxc_start - start.c:lxc_spawn:891 - failed creating cgroups
     lxc-start 1457449899.935 ERROR    lxc_start - start.c:__lxc_start:1121 - failed to spawn 'test'
     lxc-start 1457449899.935 ERROR    lxc_start_ui - lxc_start.c:main:341 - The container failed to start.
     lxc-start 1457449899.935 ERROR    lxc_start_ui - lxc_start.c:main:345

In the unprivileged container jenkins, as user jenkins, `cat /proc/self/cgroup` returns:

    12:hugetlb:/user/1009.user/2.session/lxc/jenkins
    11:net_prio:/user/1009.user/2.session/lxc/jenkins
    10:perf_event:/user/1009.user/2.session/lxc/jenkins
    9:net_cls:/user/1009.user/2.session/lxc/jenkins
    8:freezer:/user/1009.user/2.session/lxc/jenkins
    7:devices:/user/1009.user/2.session/lxc/jenkins
    6:memory:/user/1009.user/2.session/lxc/jenkins
    5:blkio:/user/1009.user/2.session/lxc/jenkins
    4:cpuacct:/user/1009.user/2.session/lxc/jenkins
    3:cpu:/user/1009.user/2.session/lxc/jenkins
    2:cpuset:/user/1009.user/2.session/lxc/jenkins
    1:name=systemd:/user/1009.user/2.session/lxc/jenkins/user/1009.user/2.session/lxc/jenkins/user/106.user/c6.session

How can I fix it or investigate further?

-- 
Ivan F. Villanueva B.
https://timefyme.com
--
Vorgründungsgesellschaft GridMind
Ivan Fernando Villanueva Barrio EU
--
Malmöer Str. 6
10439 Berlin
Germany
--
Tel: +49 30  398 20 596
Fax: +49 30  340 60 473
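The post's id maps are worth checking mechanically: the inner container's `lxc.id_map` is expressed in the outer container's id space, and only the composition of the two maps tells you which host uids the nested container's root actually lands on. The following is an added example, not code from the post or from LXC itself; it parses `lxc.id_map` lines in the format shown above, composes the inner map (taken from the `read uid map` log lines) through the outer map, and rejects an inner map that reaches outside the range the outer container was delegated. The `OUTER_CONFIG` text is copied from the post; `INNER_MAP` and `BAD_INNER_MAP` are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Outer container id maps, copied from the config in the post.
OUTER_CONFIG = """
lxc.id_map = u 0 100000 65536
lxc.id_map = u 100000 165536 65536
lxc.id_map = g 0 100000 65536
lxc.id_map = g 100000 165536 65536
"""

# Inner (nested) container map, as reported by the lxc-start log lines
# "read uid map: type u nsid 0 hostid 100000 range 65536" (constructed text).
INNER_MAP = """
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

# A deliberately mis-sized inner map (constructed) whose upper part is not
# covered by the outer container's second range (100000..165535).
BAD_INNER_MAP = "lxc.id_map = u 0 150000 65536"


@dataclass(frozen=True)
class IdMapEntry:
    kind: str      # 'u' for uid maps, 'g' for gid maps
    nsid: int      # first id inside the namespace
    hostid: int    # first id in the parent (outer) id space
    length: int    # number of ids covered


def parse_idmap(config_text: str) -> List[IdMapEntry]:
    """Extract lxc.id_map entries ("lxc.id_map = u <nsid> <hostid> <range>")."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("lxc.id_map"):
            continue
        _, _, value = line.partition("=")
        kind, nsid, hostid, length = value.split()
        entries.append(IdMapEntry(kind, int(nsid), int(hostid), int(length)))
    return entries


def translate(entries: List[IdMapEntry], kind: str, nsid: int) -> Optional[int]:
    """Map one namespace id to the parent id space; None if unmapped."""
    for e in entries:
        if e.kind == kind and e.nsid <= nsid < e.nsid + e.length:
            return e.hostid + (nsid - e.nsid)
    return None


def compose(inner: List[IdMapEntry], outer: List[IdMapEntry],
            kind: str) -> List[Tuple[int, int, int]]:
    """Compose the inner map through the outer map.

    Returns (inner_nsid_start, host_start, length) chunks covering every
    inner entry of the given kind. Raises ValueError if any part of the
    inner map points at ids the outer container does not own, which is the
    nested-container misconfiguration a reviewer most wants to catch.
    """
    chunks = []
    for e in inner:
        if e.kind != kind:
            continue
        pos, end = e.hostid, e.hostid + e.length
        while pos < end:
            cover = next((o for o in outer if o.kind == kind
                          and o.nsid <= pos < o.nsid + o.length), None)
            if cover is None:
                raise ValueError(
                    f"{kind}id {pos} of the inner map is not delegated to the outer container")
            chunk_end = min(end, cover.nsid + cover.length)
            chunks.append((e.nsid + (pos - e.hostid),
                           cover.hostid + (pos - cover.nsid),
                           chunk_end - pos))
            pos = chunk_end
    return chunks


def nested_root_is_unprivileged(inner: List[IdMapEntry],
                                outer: List[IdMapEntry]) -> bool:
    """True when the nested container's root (uid 0) maps to a non-zero host uid."""
    host_uid = translate(outer, "u", translate(inner, "u", 0))
    return host_uid is not None and host_uid != 0


if __name__ == "__main__":
    outer = parse_idmap(OUTER_CONFIG)
    inner = parse_idmap(INNER_MAP)
    for start, host, length in compose(inner, outer, "u"):
        print(f"inner uid {start}..{start + length - 1} -> host uid {host}..{host + length - 1}")
    print("nested root unprivileged on host:", nested_root_is_unprivileged(inner, outer))
```

Run against the post's values, the nested container's uid 0..65535 composes to host uids 165536..231071, which matches the stated intent of reserving that host range for the nested container; the `BAD_INNER_MAP` case shows the check failing once the inner map reaches past the outer container's delegated range.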

