[lxc-users] Nested user namespace container fails to start

Sat Mar 26 00:47:18 UTC 2016

The main error appears to be that /proc fails to mount (I bolded it below).
Is there any way I can debug this further?

Log:
$ for cg in blkio  cpu  cpuacct  cpuset  devices  freezer  hugetlb  memory
net_cls  net_prio  perf_event; do sudo mkdir /sys/fs/cgroup/${cg}$(grep
cpuset /proc/self/cgroup | cut -d : -f 3)/ulxc ; sudo chown vagrant:vagrant
$_ ; echo $$ >> ${_}/tasks ; done
$ lxc-start -n test --logfile=log --logpriority=trace
      lxc-start 1458950691.548 INFO     lxc_start_ui - lxc_start.c:main:264
- using rcfile /home/vagrant/.local/share/lxc/test/config
      lxc-start 1458950691.548 INFO     lxc_utils - utils.c:get_rundir:280
- XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1458950691.548 WARN     lxc_confile -
confile.c:config_pivotdir:1801 - lxc.pivotdir is ignored.  It will soon
become an error.
      lxc-start 1458950691.548 INFO     lxc_confile -
confile.c:config_idmap:1437 - read uid map: type u nsid 0 hostid 100000
range 100000
      lxc-start 1458950691.548 INFO     lxc_confile -
confile.c:config_idmap:1437 - read uid map: type g nsid 0 hostid 100000
range 100000
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup cpuset
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup cpu
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup cpuacct
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup memory
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup devices
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup freezer
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup net_cls
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup blkio
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup
perf_event unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup
net_prio unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.548 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup hugetlb
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.549 INFO     lxc_start -
start.c:lxc_check_inherited:240 - closed inherited fd 4
      lxc-start 1458950691.555 INFO     lxc_container -
lxccontainer.c:do_lxcapi_start:712 - Attempting to set proc title to [lxc
monitor] /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.555 ERROR    lxc_utils -
utils.c:setproctitle:1455 - Invalid argument - setting cmdline failed
      lxc-start 1458950691.556 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 -
LSM security driver AppArmor
      lxc-start 1458950691.556 INFO     lxc_seccomp -
seccomp.c:use_seccomp:531 - Already seccomp-confined, not loading new policy
      lxc-start 1458950691.556 INFO     lxc_utils - utils.c:get_rundir:280
- XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1458950691.556 DEBUG    lxc_start -
start.c:setup_signal_fd:278 - sigchild handler set
      lxc-start 1458950691.556 DEBUG    lxc_console -
console.c:lxc_console_peer_default:536 - no console peer
      lxc-start 1458950691.557 INFO     lxc_start -
start.c:lxc_check_inherited:240 - closed inherited fd 4
      lxc-start 1458950691.559 INFO     lxc_monitor -
monitor.c:lxc_monitor_sock_name:178 - using monitor sock name
lxc/a35126afb628c43f//home/vagrant/.local/share/lxc
      lxc-start 1458950691.593 INFO     lxc_start - start.c:lxc_init:474 -
'test' is initialized
      lxc-start 1458950691.594 DEBUG    lxc_start -
start.c:__lxc_start:1186 - Not dropping cap_sys_boot or watching utmp
      lxc-start 1458950691.594 INFO     lxc_start -
start.c:resolve_clone_flags:883 - Cloning a new user namespace
      lxc-start 1458950691.594 INFO     lxc_cgroup -
cgroup.c:cgroup_init:65 - cgroup driver cgroupfs initing for test
      lxc-start 1458950691.601 NOTICE   lxc_start - start.c:do_start:699 -
switching to gid/uid 0 in new user namespace
      lxc-start 1458950691.602 DEBUG    lxc_conf - conf.c:setup_rootfs:1295
- mounted '/mnt/ulxc-home/.local/share/lxc/test/rootfs' on
'/usr/lib/x86_64-linux-gnu/lxc'
      lxc-start 1458950691.602 INFO     lxc_conf - conf.c:setup_utsname:928
- 'test' hostname has been setup
      lxc-start 1458950691.602 INFO     lxc_conf -
conf.c:mount_autodev:1157 - Mounting container /dev
      lxc-start 1458950691.605 INFO     lxc_conf -
conf.c:mount_autodev:1179 - Mounted tmpfs onto
/usr/lib/x86_64-linux-gnu/lxc/dev
      lxc-start 1458950691.605 INFO     lxc_conf -
conf.c:mount_autodev:1197 - Mounted container /dev

*      lxc-start 1458950691.607 ERROR    lxc_utils -
utils.c:safe_mount:1686 - Operation not permitted - Failed to mount proc
onto /usr/lib/x86_64-linux-gnu/lxc/proc      lxc-start 1458950691.607
ERROR    lxc_conf - conf.c:lxc_mount_auto_mounts:828 - Operation not
permitted - error mounting proc on /usr/lib/x86_64-linux-gnu/lxc/proc flags
14*
      lxc-start 1458950691.607 ERROR    lxc_conf - conf.c:lxc_setup:3910 -
failed to setup the automatic mounts for 'test'
      lxc-start 1458950691.607 ERROR    lxc_start - start.c:do_start:731 -
failed to setup the container
      lxc-start 1458950691.607 ERROR    lxc_sync - sync.c:__sync_wait:51 -
invalid sequence number 1. expected 2
      lxc-start 1458950691.607 INFO     lxc_utils - utils.c:get_rundir:280
- XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1458950691.607 ERROR    lxc_start -
start.c:__lxc_start:1213 - failed to spawn 'test'
      lxc-start 1458950691.607 INFO     lxc_utils - utils.c:get_rundir:280
- XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1458950691.632 INFO     lxc_utils - utils.c:get_rundir:280
- XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1458950691.632 WARN     lxc_commands -
commands.c:lxc_cmd_rsp_recv:172 - command get_cgroup failed to receive
response
      lxc-start 1458950691.632 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup cpuset
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.632 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup cpu
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.632 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup cpuacct
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.632 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup memory
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.632 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup devices
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.632 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup freezer
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.633 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup net_cls
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.633 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup blkio
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.633 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup
perf_event unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.633 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup
net_prio unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950691.633 WARN     lxc_cgfs -
cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup hugetlb
unknown to /home/vagrant/.local/share/lxc test
      lxc-start 1458950696.638 ERROR    lxc_start_ui - lxc_start.c:main:344
- The container failed to start.
      lxc-start 1458950696.639 ERROR    lxc_start_ui - lxc_start.c:main:346
- To get more details, run the container in foreground mode.
      lxc-start 1458950696.640 ERROR    lxc_start_ui - lxc_start.c:main:348
- Additional information can be obtained by setting the --logfile and
--logpriority options.

##############

Host:

   - Distribution: Ubuntu 14.04
   - Kernels: 3.16.0-55, 3.16.0-60, 3.19.0-56
      - It looks like the nfsd module is loaded, so maybe it's related to
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1519106 ?
      - LXC version: 1.1.5, no cgmanager

Privileged Container:

   - Distribution: Ubuntu 12.04
   - LXC version: 1.1.5, no cgmanager
   - Modifications:
      - installed backport of uidmap package
      - made a cgroup owned by the user account
      - set uidmaps in /etc/sub{u,g}id and in ~/.config/lxc/default.conf

   - Config:

lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.rootfs = /var/lib/lxc/server_default_1457736559572_57990/rootfs
lxc.utsname = server_default_1457736559572_57990
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = virbr0
lxc.network.hwaddr = 00:16:3e:d7:09:5b
lxc.cgroup.devices.allow = b 7:* rwm
lxc.aa_profile=unconfined
lxc.cgroup.memory.limit_in_bytes=8G
lxc.utsname=server_default_1457736559572_57990
lxc.mount.entry=/sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry=tmpfs tmp tmpfs nodev,nosuid,size=2G 0 0

Unprivileged Container:

   - Distribution: Ubuntu 12.04
   - Config:

lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
lxc.id_map = u 0 100000 100000
lxc.id_map = g 0 100000 100000
lxc.rootfs = /mnt/ulxc-home/.local/share/lxc/test/rootfs
lxc.utsname = test

-Cam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160325/7725b647/attachment.html>