[lxc-users] Debian and unprivileged LXC not working...

Serge E. Hallyn serge at hallyn.com
Fri Dec 15 17:01:55 UTC 2017 

Quoting Dirk Geschke (dirk at lug-erding.de):
> Hi Serge,
> 
> > > just for the record, lxc-2.0.8 is still working this way, but it
> > > stops starting with lxc-2.0.9 and the whole lxc-2.1.x branch.
> > > 
> > > I have no idea, what happened to break it nor do I have any clue
> > > to fix it. But since I like to use unprivileged containers, it
> > > would be nice to get it running again.
> > 
> > You can see whether lxc-2.1.1 fixes it for you, or
> > you can run wigh cgfsng instead of cgmanager, as your
> > problem is just with the cgm_lock.
> 
> no, lxc-2.1.1 shows a similar problem. It hangs, too, but it tries
> to send a command in one thread and to receive it in another (afair).
> 
> But what is cgfsng? How can I use find and use this?

If you build without cgmanager, and your system has the cgroups
individually mounted under /sys/fs/cgroup, then cgfsng will be
automatically used.

> > > Can I help in any way?
> > 
> > If you were feeling bored and/or industrious, you could
> > grab the lxc git tree and git bisect to the commit that
> > breaks it :)  I'm 99% sure it'll point to the commit that
> > introduces run_command(), but actually it's possible that
> > I am actually wrong about that, so confirmation would be
> > useful.
> > 
> > Or instead of a bisect, you could just revert ea3a694fe
> > in the 2.0.9 tree and see if that fixes it.  Though it
> > may not revert cleanly.
> 
> Hmm, that looks like it causes a lot of files to be modified,
> especially network.c. This seems to be in rewritten in great
> parts...
> 
> > But, you've been enormously helpful in finding this.  While
> > it currently only affects a configuration which isn't much
> > used any more, if we're right about the cause then there is
> > a more general underlying problem which can strike elsewhere
> > too.  So thanks!
> 
> I think, this kind of setup is the most secure to deal with LXC,
> especially if you are not interested in migrating containers
> between hosts...

The 'not much used any more' isn't referring to unprivileged
containers, but to use cgmanager, which is deprecated (until
we decide we need it again :)

-serge

More information about the lxc-users mailing list