[lxc-users] Can't start unprivileged container in Ubuntu 14.04 with LXC 2

Ben Warren ben at skyportsystems.com
Wed May 3 23:21:45 UTC 2017 

Hi,

I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based.  I’ve found lots of examples of problems that are close, but nothing exactly matches.  I got the lxc packages from trusty-backports.

Versions:

ben at ben-sc:~$ lxc-ls --version
2.0.7
ben at ben-sc:~$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

To keep it simple, I created an unprivileged container of ‘trusty’ using the download method:

ben at ben-sc:~$ lxc-create -n cd-build -t download


When I try to start the container, it won’t work:

ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.

Logfile contents:

      lxc-start 20170503225525.382 ERROR    lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
      lxc-start 20170503225525.382 ERROR    lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
      lxc-start 20170503225525.382 ERROR    lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
      lxc-start 20170503225525.382 ERROR    lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
      lxc-start 20170503225525.382 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
      lxc-start 20170503225525.382 ERROR    lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
      lxc-start 20170503225530.922 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
      lxc-start 20170503225530.923 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
      lxc-start 20170503225530.923 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

Also:

————————————

ben at ben-sc:~$ cat /proc/self/cgroup 
12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
10:hugetlb:/user/1001.user/c2.session
9:perf_event:/user/1001.user/c2.session
8:blkio:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/

ben at ben-sc:~$ lxc-checkconfig 
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.13.0-40-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

————————————

Hopefully I just missed something obvious.

thanks,
—Ben

More information about the lxc-users mailing list