[lxc-users] Error while trying to create/start unprivileged containers / Bug report?

Rémy Dernat remy.d1 at gmail.com
Fri May 13 14:30:48 UTC 2016


Hi Fajar,

Thank you for your detailed answer. However, I searched for a solution a little
bit today, and I am still stuck.

For "userpace", I meant "userspace", of course. Sorry for the typo.


Here is what I checked:

LXC tests in userspace

1. [VirtualBox] Fresh Ubuntu 14.04.2 server amd64
    creation OK, starting not OK
    without cgmanager, with libpam-systemd
2. [VirtualBox] Fresh Ubuntu 14.04.4 amd64 Desktop ( from
http://releases.ubuntu.com/14.04/ )
    same behaviour as above.
3. Ubuntu 14.04.4 LTS, Trusty Tahr [bare metal]
    Created through a basic FAI template + post-configure with SaltStack
    creation not OK, starting not OK (report from first mail)
    without cgmanager, with libpam-systemd
4. Ubuntu 16.04 [bare metal]
    creation OK, starting OK



I did not try a nested container.

The start error in [1] VirtualBox is:

      lxc-start 20160513133526.251 ERROR    lxc_cgfsng -
cgfsng.c:do_secondstage_mounts_if_needed:1289 - Operation not permitted -
Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/systemd
read-only
      lxc-start 20160513133526.252 ERROR    lxc_conf -
conf.c:lxc_mount_auto_mounts:781 - Operation not permitted - error mounting
/sys/fs/cgroup
      lxc-start 20160513133526.252 ERROR    lxc_conf -
conf.c:lxc_setup:3746 - failed to setup the automatic mounts for 'u1'
      lxc-start 20160513133526.252 ERROR    lxc_start -
start.c:do_start:819 - failed to setup the container
      lxc-start 20160513133526.252 ERROR    lxc_sync -
sync.c:__sync_wait:52 - An error occurred in another process (expected
sequence number 2)
      lxc-start 20160513133526.252 ERROR    lxc_start -
start.c:__lxc_start:1329 - failed to spawn 'u1'
      lxc-start 20160513133531.764 ERROR    lxc_start_ui -
lxc_start.c:main:344 - The container failed to start.
      lxc-start 20160513133531.765 ERROR    lxc_start_ui -
lxc_start.c:main:346 - To get more details, run the container in foreground
mode.
      lxc-start 20160513133531.766 ERROR    lxc_start_ui -
lxc_start.c:main:348 - Additional information can be obtained by setting
the --logfile and --logpriority options.


The start error in [2] VirtualBox is :
      lxc-start 20160513161811.814 ERROR    lxc_start -
start.c:print_top_failing_dir:112 - Permission denied - could not access
/home/maintenance/.local.  Please grant it 'x' access, or add an ACL for
the container root.
      lxc-start 20160513161811.814 ERROR    lxc_sync -
sync.c:__sync_wait:52 - An error occurred in another process (expected
sequence number 2)
      lxc-start 20160513161811.814 ERROR    lxc_start -
start.c:__lxc_start:1329 - failed to spawn 'u1'
      lxc-start 20160513161817.339 ERROR    lxc_start_ui -
lxc_start.c:main:344 - The container failed to start.
      lxc-start 20160513161817.340 ERROR    lxc_start_ui -
lxc_start.c:main:346 - To get more details, run the container in foreground
mode.
      lxc-start 20160513161817.340 ERROR    lxc_start_ui -
lxc_start.c:main:348 - Additional information can be obtained by setting
the --logfile and --logpriority options.

The information you gave me about /proc/self/cgroup is helpful, however I
cannot get the correct file at any point (for an lxc user). I am not using
sudo at all, except for the lxc install step.

I would be happy to move to Ubuntu 16.04 for hosting my lxc containers,
however, it is not possible right now, because it would mean changing all
my configuration and templates (especially the FAI one) on my servers (even
if I plan to do so in the future).

Regards,

Remy

2016-05-13 11:19 GMT+02:00 Fajar A. Nugraha <list at fajar.net>:

> On Fri, May 13, 2016 at 3:05 PM, Rémy Dernat <remy.d1 at gmail.com> wrote:
>
>> Hi,
>>
>> I am new on lxc, although, I used other container technologies in the
>> past.
>> I chose to switch to lxc for the userspace capabilities.
>>
>
> How do you define "userpace"?
>
> If you mean "lxc can be started by non-root users", root still needs to
> perform some configuration to allow them to do so.
>
>
>
>> I followed this tutorial:
>> https://help.ubuntu.com/lts/serverguide/lxc.html
>>
>>
> Works for me.
>
> For my first tests of lxc I was quite disappointed; the creation of
>> containers works fine as sudo, but not when you try to run it as non-root
>> user: http://paste.debian.net/683686/
>>
>> Debug informations: http://paste.debian.net/683687/
>>
>>
> Did you mix sudo in the commands? e.g. when using lxc-create, or mkdir?
>
> In general, you should NOT do so. For unprivileged containers, commands
> must be run as a normal user. And DON'T run it as root while su/sudo-ing to
> the user either, it won't work. Use "ssh" to login as the user.
>
> The exception is when preparing the system (e.g. installing packages,
> modifying /etc/sub[ug]id, /etc/lxc/lxc-usernet), where you (obviously) must
> be root.
>
> Try again with a fresh system. Or, for test purposes, use a container with
> nesting enabled (e.g.
> https://insights.ubuntu.com/2016/04/15/lxd-2-0-lxd-in-lxd-812/ , setting
> security.nesting: true, and use THAT as your 'host')
>
>
>
>> I also read this thread on ubuntuask:
>> http://askubuntu.com/questions/623789/problem-setting-up-a-user-space-lxc-container
>> But running its script and installing lxc from ppa archive in version 2.0
>> did not change anything. Note that everything works as expected on ubuntu
>> 16.04 (from Ubuntu apt official repositories; I did not try the lxc ppa).
>> This problem only occurs on ubuntu 14.04.
>>
>>
>
> Just tested this on a container-with-nesting-enabled as 14.04 host:
> as root:
>
> add-apt-repository ppa:ubuntu-lxc/lxc-stable
> apt-get update
> apt-get install lxc
>
>
> as normal user (ssh as the existing "ubuntu" user, then following the
> guide you linked, 'Basic unprivileged usage'):
>
> mkdir -p ~/.config/lxc
> echo "lxc.id_map = u 0 100000 65536" > ~/.config/lxc/default.conf
> echo "lxc.id_map = g 0 100000 65536" >> ~/.config/lxc/default.conf
> echo "lxc.network.type = veth" >> ~/.config/lxc/default.conf
> echo "lxc.network.link = lxcbr0" >> ~/.config/lxc/default.conf
> echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
>
> cat /proc/self/cgroup
> lxc-create -t download -n u1 -- -d ubuntu -r xenial -a amd64
> lxc-start -n u1
> lxc-attach -n u1
>
>
> The "cat /proc/self/cgroup" command, I use it to check whether the user
> session is already in its own cgroup. In my case it looks like this:
> $ cat /proc/self/cgroup
> 10:perf_event:/lxc/lxc-demo
> 9:memory:/lxc/lxc-demo/user/ubuntu/0
> 8:freezer:/lxc/lxc-demo/user/ubuntu/0
> 7:net_cls,net_prio:/lxc/lxc-demo
> 6:devices:/lxc/lxc-demo
> 5:cpu,cpuacct:/lxc/lxc-demo
> 4:blkio:/lxc/lxc-demo
> 3:cpuset:/lxc/lxc-demo
> 2:hugetlb:/lxc/lxc-demo
> 1:name=systemd:/lxc/lxc-demo/user/ubuntu/0
>
>
> ... while on a "normal" host it should look like this:
> $ cat /proc/self/cgroup
> 10:perf_event:/
> 9:memory:/user.slice/user-1000.slice
> 8:freezer:/
> 7:net_cls,net_prio:/
> 6:devices:/user.slice/user-1000.slice
> 5:cpu,cpuacct:/user.slice/user-1000.slice
> 4:blkio:/user.slice/user-1000.slice
> 3:cpuset:/
> 2:hugetlb:/
> 1:name=systemd:/user.slice/user-1000.slice/session-3545.scope
>
> The important thing is that there are some cgroups (e.g. memory,
> name=systemd) which start with "user-$UID.slice" or "user/$USER". On newer
> systems, this is created by libpam-cgfs. If you've installed older versions
> of lxc, you might still have 'cgmanager' and 'libpam-systemd', which might
> interfere with the correct functions. You might be hitting these limitations.
>
>
> So again, my suggestion:
> - start with a fresh system as host. fresh install, VM,
> nesting-enabled-container, whatever
> - add ubuntu-lxc/lxc-stable ppa, install lxc. Make sure you have the latest
> version (2.0.0-0ubuntu2~ubuntu14.04.1~ppa1 on my test)
> - use ssh to login as the user. Do NOT use su/sudo
> - follow the example
>
> If you CAN'T start with a fresh system, then you could probably have some
> luck by uninstalling old packages first (lxc, cgmanager, libpam-systemd,
> etc). I haven't tested this though, and you might end up wasting time. Always
> use a fresh system for testing purposes whenever possible.
>
> One last possibly-obvious suggestion: if you can start over with 16.04, do
> so, and use lxd. Nicer, easier, cleaner. You can then create a
> nesting-capable-container for each of your users, and let them manage it
> (including creating their own containers under it)
>
> --
> Fajar
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
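The thread turns on three prerequisites for an unprivileged container: the login session must sit in its own user cgroup (the /proc/self/cgroup check Fajar describes), every directory above the container path must grant 'x' to the unprivileged uid range (the "/home/maintenance/.local ... grant it 'x' access" failure in test [2]), and /etc/subuid and /etc/subgid must give the user a range large enough for the lxc.id_map of 65536 ids in the example config. The script below is an added diagnostic written for this page, not code from either poster or from the LXC project. It assumes the /proc/self/cgroup line format "hierarchy:controllers:path" shown in the thread, the "name:start:count" format of /etc/subuid and /etc/subgid, and it does not inspect POSIX ACLs, so a path fixed with an ACL instead of an 'x' bit will still be reported as missing.

```shell
#!/bin/sh
# Added diagnostic for unprivileged-LXC prerequisites (not from the thread).
# Each check is a function so it can be run against a real system or against
# constructed sample files.

# cgroup_in_user_scope FILE
# FILE has the /proc/self/cgroup format "id:controllers:path". Returns 0 if the
# memory or name=systemd hierarchy is under a per-user path, i.e. the path
# contains "user-<uid>.slice" or "user/<name>" as Fajar's two samples show.
cgroup_in_user_scope() {
    grep -E '^[0-9]+:(memory|name=systemd):' "$1" \
        | cut -d: -f3- \
        | grep -qE '(^|/)(user-[0-9]+\.slice|user/[^/]+)(/|$)'
}

# path_search_ok DIR
# Walks from the absolute path DIR up to / and returns 0 only if every
# directory grants 'x' (search) to "other". The container root is mapped to a
# high uid (100000 in the thread's id_map), which matches none of the owner or
# group bits, so it needs the "other" bit on each ancestor. ACL entries ("+"
# in ls output) are not evaluated; a path fixed with setfacl may still fail here.
path_search_ok() {
    dir="$1"
    while :; do
        # Character 10 of "ls -ld" output is the other-execute bit (x or t).
        other_x=$(ls -ld "$dir" | cut -c10)
        case "$other_x" in
            x|t) ;;
            *) printf 'missing x for others on: %s\n' "$dir"; return 1 ;;
        esac
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# subid_ok USER FILE
# FILE has the /etc/subuid or /etc/subgid format "name:start:count". Returns 0
# if USER owns a range of at least 65536 ids, the size used by the thread's
# "lxc.id_map = u 0 100000 65536" line.
subid_ok() {
    awk -F: -v u="$1" \
        '$1 == u && $3 + 0 >= 65536 { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# run_all: apply the three checks to the live system for the invoking user.
# Set LXC_CHECK_RUN=1 when executing the script directly; left unset, the file
# only defines the functions so they can be sourced or tested.
run_all() {
    status=0
    me=$(id -un)
    cgroup_in_user_scope /proc/self/cgroup \
        || { echo "session is not in a per-user cgroup"; status=1; }
    path_search_ok "${HOME}/.local/share/lxc" || status=1
    subid_ok "$me" /etc/subuid || { echo "no 65536-id range in /etc/subuid"; status=1; }
    subid_ok "$me" /etc/subgid || { echo "no 65536-id range in /etc/subgid"; status=1; }
    return $status
}

[ -n "${LXC_CHECK_RUN:-}" ] && run_all
```

Run it as the unprivileged user over ssh (not via su or sudo, as the thread insists) with LXC_CHECK_RUN=1; each failing check prints the prerequisite that the matching lxc-start error in the thread corresponds to.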