[lxc-users] Can't start unprivileged container in Ubuntu 14.04 with LXC 2

Ben Warren ben at skyportsystems.com
Mon May 8 04:22:31 UTC 2017


Hi Serge,

> On May 4, 2017, at 9:00 AM, Serge E. Hallyn <serge at hallyn.com> wrote:
> 
> Quoting Ben Warren (ben at skyportsystems.com):
>> Hi,
>> 
>> I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based.  I’ve found lots of examples of problems that are close, but nothing exactly matches.  I got the lxc packages from trusty-backports.
>> 
>> Versions:
>> 
>> ben at ben-sc:~$ lxc-ls --version
>> 2.0.7
>> ben at ben-sc:~$ cat /etc/lsb-release 
>> DISTRIB_ID=Ubuntu
>> DISTRIB_RELEASE=14.04
>> DISTRIB_CODENAME=trusty
>> DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
>> 
>> To keep it simple, I created an unprivileged container of ‘trusty’ using the download method:
>> 
>> ben at ben-sc:~$ lxc-create -n cd-build -t download
>> 
>> 
>> When I try to start the container, it won’t work:
>> 
>> ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
>> lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
>> lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
>> lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
>> 
>> Logfile contents:
>> 
>>      lxc-start 20170503225525.382 ERROR    lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
> 
> This is odd, not the error I would have expected.
> 
> Can you tell me the exact version and from which ppa?
> 
$ dpkg -s lxc
Package: lxc
Status: install ok installed
Priority: extra
Section: oldlibs
Installed-Size: 77
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Architecture: all
Version: 2.0.7-0ubuntu1~14.04.1
Depends: lxc1 (>= 2.0.7-0ubuntu1~14.04.1)

I got it from here:

http://us.archive.ubuntu.com/ubuntu/ trusty-backports

Here’s what gets installed:

$ sudo apt-get install -t trusty-backports lxc
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools
  libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc-common lxc-templates lxc1
  python-distro-info python-requestbuilder python3-lxc uidmap
Suggested packages:
  shunit2 gnutls-bin btrfs-tools lvm2 lxctl
Recommended packages:
  lxcfs libpam-cgfs
The following NEW packages will be installed:
  bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools
  libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc lxc-common lxc-templates
  lxc1 python-distro-info python-requestbuilder python3-lxc uidmap

As for the overall environment, this is a VM that was originally set up almost 3 years ago, and as a lab machine has only been piecemeal updated over time as needed.  The problem is that I have probably a hundred identical instances and am concerned that the package dependencies are maybe not quite right.  I’m certainly willing to update whatever individual packages are necessary to get this going.  I have the VM snapshotted before trying this, so it’s trivial to reproduce.

> Is there anything in syslog about the failed mount?
> 
This is all I see.  It’s at lxc install time, not when trying to start the container:

May  7 21:01:01 ben-sc kernel: [  103.486718] type=1400 audit(1494216061.420:68): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=5801 comm="apparmor_parser"
May  7 21:01:01 ben-sc kernel: [  103.486925] type=1400 audit(1494216061.420:69): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=5801 comm="apparmor_parser"
May  7 21:01:01 ben-sc kernel: [  103.487100] type=1400 audit(1494216061.420:70): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=5801 comm="apparmor_parser"
May  7 21:01:01 ben-sc kernel: [  103.487292] type=1400 audit(1494216061.420:71): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=5801 comm="apparmor_parser"
May  7 21:01:01 ben-sc kernel: [  103.519003] type=1400 audit(1494216061.452:72): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=5835 comm="apparmor_parser"

> You might try some of the other cgroup auto-mount settings (see lxc.container.conf(5)), maybe
> 
> lxc.mount.auto = cgroup:rw
> 
I tried that, and get:

      lxc-start 20170508041726.340 ERROR    lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
      lxc-start 20170508041726.340 ERROR    lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
      lxc-start 20170508041726.340 ERROR    lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
      lxc-start 20170508041726.340 ERROR    lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
      lxc-start 20170508041726.340 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
      lxc-start 20170508041726.340 ERROR    lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".

>>      lxc-start 20170503225525.382 ERROR    lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
>>      lxc-start 20170503225525.382 ERROR    lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
>>      lxc-start 20170503225525.382 ERROR    lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
>>      lxc-start 20170503225525.382 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
>>      lxc-start 20170503225525.382 ERROR    lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
>>      lxc-start 20170503225530.922 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
>>      lxc-start 20170503225530.923 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
>>      lxc-start 20170503225530.923 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
>> 
>> Also:
>> 
>> ————————————
>> 
>> ben at ben-sc:~$ cat /proc/self/cgroup 
>> 12:name=dsystemd:/
>> 11:name=systemd:/user/1001.user/c2.session
>> 10:hugetlb:/user/1001.user/c2.session
>> 9:perf_event:/user/1001.user/c2.session
>> 8:blkio:/user/1001.user/c2.session
>> 7:freezer:/user/1001.user/c2.session
>> 6:devices:/user/1001.user/c2.session
>> 5:memory:/user/1001.user/c2.session
>> 4:cpuacct:/user/1001.user/c2.session
>> 3:cpu:/user/1001.user/c2.session
>> 2:cpuset:/
>> 
>> ben at ben-sc:~$ lxc-checkconfig 
>> Kernel configuration not found at /proc/config.gz; searching...
>> Kernel configuration found at /boot/config-3.13.0-40-generic
>> --- Namespaces ---
>> Namespaces: enabled
>> Utsname namespace: enabled
>> Ipc namespace: enabled
>> Pid namespace: enabled
>> User namespace: enabled
>> Network namespace: enabled
>> Multiple /dev/pts instances: enabled
>> 
>> --- Control groups ---
>> Cgroup: enabled
>> Cgroup clone_children flag: enabled
>> Cgroup device: enabled
>> Cgroup sched: enabled
>> Cgroup cpu account: enabled
>> Cgroup memory controller: enabled
>> Cgroup cpuset: enabled
>> 
>> --- Misc ---
>> Veth pair device: enabled
>> Macvlan: enabled
>> Vlan: enabled
>> Bridges: enabled
>> Advanced netfilter: enabled
>> CONFIG_NF_NAT_IPV4: enabled
>> CONFIG_NF_NAT_IPV6: enabled
>> CONFIG_IP_NF_TARGET_MASQUERADE: enabled
>> CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
>> CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
>> FUSE (for use with lxcfs): enabled
>> 
>> --- Checkpoint/Restore ---
>> checkpoint restore: enabled
>> CONFIG_FHANDLE: enabled
>> CONFIG_EVENTFD: enabled
>> CONFIG_EPOLL: enabled
>> CONFIG_UNIX_DIAG: enabled
>> CONFIG_INET_DIAG: enabled
>> CONFIG_PACKET_DIAG: enabled
>> CONFIG_NETLINK_DIAG: enabled
>> File capabilities: enabled
>> 
>> Note : Before booting a new kernel, you can check its configuration
>> usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
>> 
>> ————————————
>> 
>> Hopefully I just missed something obvious.
>> 
>> thanks,
>> —Ben
>> 
> 
regards,
Ben
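As an added example, not part of the thread: a small POSIX sh check that parses the `/proc/self/cgroup` listing quoted above. In that listing every controller sits under `/user/1001.user/c2.session` except `cpuset` and the `name=dsystemd` hierarchy, which are at `/`, a cgroup an unprivileged user does not own. Unprivileged LXC 2.0 has to create the container's own cgroup inside the caller's cgroup in each hierarchy it uses, so a controller left at `/` is one prerequisite worth confirming before digging further into the remount error; the script does not diagnose the EPERM on the read-only remount itself. The sample text is copied from the thread; the function names and the assumption that each v1 hierarchy is mounted at `/sys/fs/cgroup/<name>` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): find cgroup v1 hierarchies in which the
# calling user still sits at the root cgroup "/", where an unprivileged user
# cannot create the child cgroup lxc-start needs.

# Sample copied from the /proc/self/cgroup output quoted in the thread.
SAMPLE_CGROUP='12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
10:hugetlb:/user/1001.user/c2.session
9:perf_event:/user/1001.user/c2.session
8:blkio:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/'

# undelegated_hierarchies CGROUP_TEXT
# Print, one per line, every controller (comma-joined hierarchies are split)
# whose path in the given /proc/self/cgroup text is the root "/".
undelegated_hierarchies() {
    printf '%s\n' "$1" | while IFS=: read -r _id controllers path; do
        if [ "$path" = "/" ]; then
            printf '%s\n' "$controllers" | tr ',' '\n'
        fi
    done
}

# check_live_cgroups [CGROUP_ROOT]
# On a running host, report each hierarchy from /proc/self/cgroup whose
# current cgroup directory is not writable by the calling user.
# Assumption: the usual v1 layout with each hierarchy mounted at
# CGROUP_ROOT/<name> (default /sys/fs/cgroup); a named hierarchy such as
# name=systemd is mounted at CGROUP_ROOT/systemd.
check_live_cgroups() {
    root=${1:-/sys/fs/cgroup}
    status=0
    while IFS=: read -r _id controllers path; do
        for ctrl in $(printf '%s\n' "$controllers" | tr ',' ' '); do
            dir="$root/${ctrl#name=}$path"
            if [ -w "$dir" ]; then
                printf 'ok        %-14s %s\n' "$ctrl" "$dir"
            else
                printf 'NOT-OWNED %-14s %s\n' "$ctrl" "$dir"
                status=1
            fi
        done
    done < /proc/self/cgroup
    return $status
}

# Stand-alone use: "./cgcheck.sh --live" inspects this host; with no
# argument it reports on the sample from the thread.
if [ "${1:-}" = "--live" ] && [ -r /proc/self/cgroup ]; then
    check_live_cgroups
else
    printf 'Hierarchies at "/" in the sample from the thread:\n'
    undelegated_hierarchies "$SAMPLE_CGROUP"
fi
```

On the sample the report lists `name=dsystemd` and `cpuset`. On a live trusty host the `--live` mode is the more useful one: a `NOT-OWNED` line for a real controller means the session was never moved into a per-user cgroup for that hierarchy (the job of cgmanager or libpam-cgfs on that release), which has to be fixed before `lxc-start` as a non-root user can be expected to work at all.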
