[lxc-users] Debian and unprivileged LXC not working...
Dirk Geschke
dirk at lug-erding.de
Tue Dec 5 10:19:15 UTC 2017
Hi all,
I am a little bit clueless. I have several systems running with
Debian and unprivileged LXC, but newer systems won't start new
containers.
Actually I have a Debian stretch, installed the normal way but
with lxc-2.0.9 and cgmanager-0.41 installed from sources.
I can set up cgmanager, can do a cgm movepid, and it is no problem
to download a template. But starting the container does not work;
it simply hangs at:
$ lxc-start -n lxc-test -l trace -o wheezy -F
I tried it with debian stretch first, then I tried wheezy since it
does not use systemd.
The kernel is 4.9.0-4-amd64 and kernel.unprivileged_userns_clone is
set to 1. The lxc-monitor complains about a missing fifo, but I have
no idea which one it should be.
I have to kill the processes with -9, all other signals are ignored.
The cgroups look good, too:
$ cat /proc/self/cgroup
12:name=systemd:/lxc-test
11:pids:/lxc-test
10:perf_event:/lxc-test
9:net_prio:/lxc-test
8:net_cls:/lxc-test
7:memory:/lxc-test
6:freezer:/lxc-test
5:devices:/lxc-test
4:cpuset:/lxc-test
3:cpuacct:/lxc-test
2:cpu:/lxc-test
1:blkio:/lxc-test
lxc-test is the user which tries to start the unprivileged LXC.
Has anyone an idea what is going wrong?
Best regards
Dirk
PS: I tried lxc-2.1.1 too, but that does not work either.
--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
| dirk at geschke-online.de / dirk at lug-erding.de / kontakt at lug-erding.de |
+----------------------------------------------------------------------+
-------------- next part --------------
lxc-start 20171205100114.683 INFO lxc_start_ui - tools/lxc_start.c:main:277 - using rcfile /home/lxc-test/.local/share/lxc/lxc-test/config
lxc-start 20171205100114.683 INFO lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 20171205100114.683 WARN lxc_confile - confile.c:set_config_pivotdir:2262 - lxc.pivotdir is ignored. It will soon become an error.
lxc-start 20171205100114.684 INFO lxc_confile - confile.c:set_config_idmaps:1861 - read uid map: type u nsid 0 hostid 531072 range 65536
lxc-start 20171205100114.684 INFO lxc_confile - confile.c:set_config_idmaps:1861 - read uid map: type g nsid 0 hostid 531072 range 65536
lxc-start 20171205100114.684 TRACE lxc_commands - commands.c:lxc_cmd:290 - command get_init_pid tries to connect command socket
lxc-start 20171205100114.684 TRACE lxc_commands - commands.c:lxc_cmd:295 - command get_init_pid failed to connect command socket: Connection refused
lxc-start 20171205100114.684 TRACE lxc_commands - commands.c:lxc_cmd:290 - command get_init_pid tries to connect command socket
lxc-start 20171205100114.684 TRACE lxc_commands - commands.c:lxc_cmd:295 - command get_init_pid failed to connect command socket: Connection refused
lxc-start 20171205100114.685 WARN lxc_cgmanager - cgroups/cgmanager.c:cgm_get:993 - do_cgm_get exited with error
lxc-start 20171205100114.685 TRACE lxc_commands - commands.c:lxc_cmd:290 - command get_state tries to connect command socket
lxc-start 20171205100114.685 TRACE lxc_commands - commands.c:lxc_cmd:295 - command get_state failed to connect command socket: Connection refused
lxc-start 20171205100114.685 TRACE lxc_start - start.c:lxc_init_handler:589 - unix domain socket 4 for command server is ready
lxc-start 20171205100114.685 TRACE lxc_start - start.c:lxc_init:604 - initialized LSM
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for reject_force_umount action 0(kill).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for reject_force_umount action 0(kill).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .[all].
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .kexec_load errno 1.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for kexec_load action 327681(errno).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for kexec_load action 327681(errno).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .open_by_handle_at errno 1.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for open_by_handle_at action 327681(errno).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for open_by_handle_at action 327681(errno).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .init_module errno 1.
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for init_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for init_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .finit_module errno 1.
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for finit_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for finit_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .delete_module errno 1.
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for delete_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for delete_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:624 - Merging in the compat Seccomp ctx into the main one.
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:610 - read seccomp policy
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_serve_state_clients:360 - set container state to STARTING
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_serve_state_clients:363 - no state clients registered
lxc-start 20171205100114.686 INFO lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 20171205100114.686 WARN lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
lxc-start 20171205100114.686 INFO lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 20171205100114.686 WARN lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:617 - set container state to "STARTING"
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:645 - set environment variables
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:651 - ran pre-start hooks
lxc-start 20171205100114.686 DEBUG lxc_start - start.c:setup_signal_fd:288 - Set SIGCHLD handler with file descriptor: 5.
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:662 - set up signal fd
lxc-start 20171205100114.686 DEBUG console - console.c:lxc_console_peer_default:459 - using "/dev/tty" as peer tty device
lxc-start 20171205100114.686 DEBUG console - console.c:lxc_console_sigwinch_init:151 - process 26870 created signal fd 9 to handle SIGWINCH events
lxc-start 20171205100114.686 DEBUG console - console.c:lxc_console_winsz:71 - set winsz dstfd:6 cols:80 rows:24
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:669 - created console
lxc-start 20171205100114.686 DEBUG lxc_conf - conf.c:chown_mapped_root:2830 - trying to chown "/dev/pts/2" to 1002
lxc-start 20171205100114.740 TRACE lxc_conf - conf.c:lxc_ttys_shift_ids:2908 - chowned console "/dev/pts/2"
lxc-start 20171205100114.740 TRACE lxc_start - start.c:lxc_init:675 - shifted tty ids
lxc-start 20171205100114.740 INFO lxc_start - start.c:lxc_init:677 - container "lxc-test" is initialized
lxc-start 20171205100114.741 DEBUG lxc_start - start.c:__lxc_start:1501 - Not dropping CAP_SYS_BOOT or watching utmp.
lxc-start 20171205100114.741 INFO lxc_cgroup - cgroups/cgroup.c:cgroup_init:67 - cgroup driver cgmanager initing for lxc-test
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWUSER.
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWNS.
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWPID.
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWUTS.
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWIPC.
lxc-start 20171205100114.748 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
lxc-start 20171205100114.748 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
lxc-start 20171205100114.748 DEBUG lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
lxc-start 20171205100114.751 TRACE lxc_conf - conf.c:lxc_map_ids:2660 - newuidmap wrote mapping "newuidmap 26879 0 531072 65536"
lxc-start 20171205100114.754 TRACE lxc_conf - conf.c:lxc_map_ids:2660 - newgidmap wrote mapping "newgidmap 26879 0 531072 65536"
lxc-start 20171205100114.755 INFO lxc_start - start.c:do_start:914 - Unshared CLONE_NEWNET.
lxc-start 20171205100114.758 TRACE lxc_conf - conf.c:userns_exec_1:3817 - establishing uid mapping for "26884" in new user namespace: nsuid 0 - hostid 531072 - range 65536
lxc-start 20171205100114.758 TRACE lxc_conf - conf.c:userns_exec_1:3817 - establishing uid mapping for "26884" in new user namespace: nsuid 65536 - hostid 1002 - range 1
lxc-start 20171205100114.758 TRACE lxc_conf - conf.c:userns_exec_1:3817 - establishing gid mapping for "26884" in new user namespace: nsuid 0 - hostid 531072 - range 65536
lxc-start 20171205100114.758 TRACE lxc_conf - conf.c:userns_exec_1:3817 - establishing gid mapping for "26884" in new user namespace: nsuid 65536 - hostid 1002 - range 1
lxc-start 20171205100114.758 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
lxc-start 20171205100114.758 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
lxc-start 20171205100114.758 DEBUG lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
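A pre-flight check for the host, added here as an example that is not part of Dirk's post or of LXC itself: it verifies the points the post and trace touch (kernel.unprivileged_userns_clone, setuid newuidmap/newgidmap, and that the container's id map, here the 531072/65536 range from the trace, lies inside the user's /etc/subuid and /etc/subgid allotment). The config location /home/USER/.local/share/lxc/NAME/config is taken from the trace; the function names are assumptions, and every path is a parameter so the checks can be run against constructed files.

```shell
#!/bin/sh
# Added example (not from the post or LXC): pre-flight checks for an
# unprivileged LXC user such as "lxc-test". All paths are parameters.

# userns_enabled SYSCTL_FILE: kernel.unprivileged_userns_clone must read 1.
userns_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# idmap_tool_ok PATH: newuidmap/newgidmap must be setuid root, otherwise the
# multi-range map for an unprivileged user cannot be written (GNU stat assumed).
idmap_tool_ok() {
    [ -u "$1" ] && [ "$(stat -c %u "$1")" = "0" ]
}

# range_covered USER HOSTID RANGE SUBID_FILE: one "user:start:count" line in
# /etc/subuid or /etc/subgid must contain the whole [HOSTID, HOSTID+RANGE).
range_covered() {
    awk -F: -v u="$1" -v h="$2" -v r="$3" '
        $1 == u && h >= $2 && h + r <= $2 + $3 { found = 1 }
        END { exit found ? 0 : 1 }' "$4"
}

# check_idmap USER CONFIG SUBUID SUBGID: verify every id-map line of a
# container config ("u 0 531072 65536") against the subordinate id files.
# Prints each uncovered mapping and returns 1 if there is any.
check_idmap() {
    # lxc 2.0 writes lxc.id_map, lxc 2.1 writes lxc.idmap; accept both.
    bad=$(sed -n 's/^lxc\.id_\{0,1\}map[[:space:]]*=[[:space:]]*//p' "$2" |
    while read -r type nsid hostid range; do
        case $type in u) file=$3 ;; g) file=$4 ;; *) continue ;; esac
        range_covered "$1" "$hostid" "$range" "$file" ||
            echo "$type $nsid $hostid $range not allotted to $1 in $file"
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# preflight USER CONTAINER: run all checks against the live host paths.
# usage: preflight lxc-test lxc-test
preflight() {
    userns_enabled /proc/sys/kernel/unprivileged_userns_clone ||
        echo "kernel.unprivileged_userns_clone is not 1"
    for t in /usr/bin/newuidmap /usr/bin/newgidmap; do
        idmap_tool_ok "$t" || echo "$t is not setuid root"
    done
    check_idmap "$1" "/home/$1/.local/share/lxc/$2/config" /etc/subuid /etc/subgid
}
```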