[lxc-users] Can't start unprivileged container in Ubuntu 14.04 with LXC 2

Serge E. Hallyn serge at hallyn.com
Thu May 4 16:00:13 UTC 2017


Quoting Ben Warren (ben at skyportsystems.com):
> Hi,
> 
> I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based.  I’ve found lots of examples of problems that are close, but nothing exactly matches.  I got the lxc packages from trusty-backports.
> 
> Versions:
> 
> ben at ben-sc:~$ lxc-ls --version
> 2.0.7
> ben at ben-sc:~$ cat /etc/lsb-release 
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=14.04
> DISTRIB_CODENAME=trusty
> DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
> 
> To keep it simple, I created an unprivileged container of ‘trusty’ using the download method:
> 
> ben at ben-sc:~$ lxc-create -n cd-build -t download
> 
> 
> When I try to start the container, it won’t work:
> 
> ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
> lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
> lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
> lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
> 
> Logfile contents:
> 
>       lxc-start 20170503225525.382 ERROR    lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only

This is odd, not the error I would have expected.

Can you tell me the exact version and from which ppa?

Is there anything in syslog about the failed mount?

You might try some of the other cgroup auto-mount settings (see lxc.container.conf(5)), maybe

lxc.mount.auto = cgroup:rw

>       lxc-start 20170503225525.382 ERROR    lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
>       lxc-start 20170503225525.382 ERROR    lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
>       lxc-start 20170503225525.382 ERROR    lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
>       lxc-start 20170503225525.382 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
>       lxc-start 20170503225525.382 ERROR    lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
>       lxc-start 20170503225530.922 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
>       lxc-start 20170503225530.923 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
>       lxc-start 20170503225530.923 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
> 
> Also:
> 
> ————————————
> 
> ben at ben-sc:~$ cat /proc/self/cgroup 
> 12:name=dsystemd:/
> 11:name=systemd:/user/1001.user/c2.session
> 10:hugetlb:/user/1001.user/c2.session
> 9:perf_event:/user/1001.user/c2.session
> 8:blkio:/user/1001.user/c2.session
> 7:freezer:/user/1001.user/c2.session
> 6:devices:/user/1001.user/c2.session
> 5:memory:/user/1001.user/c2.session
> 4:cpuacct:/user/1001.user/c2.session
> 3:cpu:/user/1001.user/c2.session
> 2:cpuset:/
> 
> ben at ben-sc:~$ lxc-checkconfig 
> Kernel configuration not found at /proc/config.gz; searching...
> Kernel configuration found at /boot/config-3.13.0-40-generic
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> User namespace: enabled
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
> 
> --- Control groups ---
> Cgroup: enabled
> Cgroup clone_children flag: enabled
> Cgroup device: enabled
> Cgroup sched: enabled
> Cgroup cpu account: enabled
> Cgroup memory controller: enabled
> Cgroup cpuset: enabled
> 
> --- Misc ---
> Veth pair device: enabled
> Macvlan: enabled
> Vlan: enabled
> Bridges: enabled
> Advanced netfilter: enabled
> CONFIG_NF_NAT_IPV4: enabled
> CONFIG_NF_NAT_IPV6: enabled
> CONFIG_IP_NF_TARGET_MASQUERADE: enabled
> CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
> CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
> FUSE (for use with lxcfs): enabled
> 
> --- Checkpoint/Restore ---
> checkpoint restore: enabled
> CONFIG_FHANDLE: enabled
> CONFIG_EVENTFD: enabled
> CONFIG_EPOLL: enabled
> CONFIG_UNIX_DIAG: enabled
> CONFIG_INET_DIAG: enabled
> CONFIG_PACKET_DIAG: enabled
> CONFIG_NETLINK_DIAG: enabled
> File capabilities: enabled
> 
> Note : Before booting a new kernel, you can check its configuration
> usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
> 
> ————————————
> 
> Hopefully I just missed something obvious.
> 
> thanks,
> —Ben
> 
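A host-side check for the usual cause of these EPERM cgroup mounts, added here as an example and not code from the thread or from LXC: it maps each line of the `/proc/self/cgroup` output shown above to its directory under `/sys/fs/cgroup` and reports whether the unprivileged user can write there, which lxc-start needs in order to create the container's cgroups. `CGROOT` and the `cgcheck.sh` file name are assumptions for this example.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from LXC itself.
# For each cgroup v1 hierarchy the calling process is in (the format shown by
# "cat /proc/self/cgroup" in the thread), compute the host-side cgroup
# directory and report whether the caller can write to it. An unprivileged
# lxc-start must be able to create the container's sub-cgroup in every
# hierarchy; where it cannot, the cgroup (re)mounts inside the container
# fail with "Operation not permitted".

CGROOT="${CGROOT:-/sys/fs/cgroup}"   # assumed default; override for a test tree

# cgroup_dir LINE: map one "N:controllers:/path" line to a directory, e.g.
#   "3:cpu:/user/1001.user/c2.session" -> "$CGROOT/cpu/user/1001.user/c2.session"
#   "11:name=systemd:/"                -> "$CGROOT/systemd"
# Named hierarchies drop the "name=" prefix; co-mounted controllers keep the
# comma-joined form ("cpu,cpuacct"), which is how the mount point is named.
cgroup_dir() {
    line=$1
    ctrls=${line#*:}
    ctrls=${ctrls%%:*}
    path=${line#*:*:}
    printf '%s/%s%s\n' "$CGROOT" "${ctrls#name=}" "${path%/}"
}

# check_hierarchies FILE: FILE has the /proc/self/cgroup format. Prints one
# line per hierarchy and returns 1 if any directory is missing or not
# writable. cgroup v2 entries ("0::/path") are skipped; this check is for
# v1 hosts like the trusty system in the thread.
check_hierarchies() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|0::*) continue ;; esac
        dir=$(cgroup_dir "$line")
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "ok      $dir"
        else
            echo "EPERM   $dir (not writable by uid $(id -u); lxc cannot create its cgroup here)"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage: save as cgcheck.sh (hypothetical name) and run it as the
# unprivileged user that calls lxc-start.
if [ "${0##*/}" = "cgcheck.sh" ]; then
    check_hierarchies /proc/self/cgroup
fi
```

Every hierarchy must report "ok"; an "EPERM" line points at the hierarchy whose cgroup the user's session was not given ownership of.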
