[lxc-users] Can't start unprivileged containers on fedora 28

Christian Brauner christian at brauner.io
Tue Jun 5 14:19:50 UTC 2018


On Tue, Jun 05, 2018 at 02:25:52PM +0200, Mohamed LADGEM wrote:
> Hi,
> 
> For a few days now, I've been struggling with lxc as an unprivileged
> user to start an alpine without success. I am running 2.1.1 from the
> ganto/lxc repo.
> 
> I ran lxc-start -n test --logpriority=DEBUG --logfile=/tmp/log_lxc
> Could you help me to get a better view of what I am missing?

Looks like your cgroups are not writable for your unprivileged users.
That's what the pam module (pre 3.0.0 ships this in LXCFS) is for.

Christian

> 
> Here is what I found, 
>       lxc-start test 20180605120725.666 INFO     lxc_start_ui -
> tools/lxc_start.c:main:280 - using rcfile
> /home/kinkazma/.local/share/lxc/test/config
>       lxc-start test 20180605120725.666 INFO     lxc_confile -
> confile.c:set_config_idmaps:1556 - Read uid map: type u nsid 0 hostid
> 100000 range 65536
>       lxc-start test 20180605120725.666 INFO     lxc_confile -
> confile.c:set_config_idmaps:1556 - Read uid map: type g nsid 0 hostid
> 100000 range 65536
>       lxc-start test 20180605120725.667 INFO     lxc_container -
> lxccontainer.c:do_lxcapi_start:883 - Attempting to set proc title to
> [lxc monitor] /home/kinkazma/.local/share/lxc test
>       lxc-start test 20180605120725.667 INFO     lxc_lsm -
> lsm/lsm.c:lsm_init:48 - LSM security driver SELinux
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:435 - processing: .reject_force_umount  #
> comment this to allow umount -f;  not recommended.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:610 - Adding native rule for
> reject_force_umount action 0(kill).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject
> force umounts.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:614 - Adding compat rule for
> reject_force_umount action 0(kill).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject
> force umounts.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject
> force umounts.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:435 - processing: .[all].
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:435 - processing: .kexec_load errno 1.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:610 - Adding native rule for kexec_load
> action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:614 - Adding compat rule for kexec_load
> action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:435 - processing: .open_by_handle_at errno 1.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:610 - Adding native rule for
> open_by_handle_at action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:614 - Adding compat rule for
> open_by_handle_at action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:435 - processing: .init_module errno 1.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:610 - Adding native rule for init_module
> action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:614 - Adding compat rule for init_module
> action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:435 - processing: .finit_module errno 1.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:610 - Adding native rule for finit_module
> action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:614 - Adding compat rule for finit_module
> action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:435 - processing: .delete_module errno 1.
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:610 - Adding native rule for delete_module
> action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:614 - Adding compat rule for delete_module
> action 327681(errno).
>       lxc-start test 20180605120725.668 INFO     lxc_seccomp -
> seccomp.c:parse_config_v2:624 - Merging in the compat Seccomp ctx into
> the main one.
>       lxc-start test 20180605120725.668 WARN     lxc_monitor -
> monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send
> message: No such file or directory.
>       lxc-start test 20180605120725.668 WARN     lxc_monitor -
> monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send
> message: No such file or directory.
>       lxc-start test 20180605120725.668 DEBUG    lxc_start -
> start.c:setup_signal_fd:302 - Set SIGCHLD handler with file descriptor:
> 7.
>       lxc-start test 20180605120725.669 DEBUG    console -
> console.c:lxc_console_peer_default:450 - process does not have a
> controlling terminal
>       lxc-start test 20180605120725.669 DEBUG    lxc_conf -
> conf.c:chown_mapped_root:2892 - trying to chown "/dev/pts/0" to 1000
>       lxc-start test 20180605120725.697 INFO     lxc_start -
> start.c:lxc_init:681 - container "test" is initialized
>       lxc-start test 20180605120725.697 INFO     lxc_cgroup -
> cgroups/cgroup.c:cgroup_init:67 - cgroup driver cgroupfs initing for
> test
>       lxc-start test 20180605120725.699 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/cpu,cpuacct/user.slice/lxc'
>       lxc-start test 20180605120725.699 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/pids/user.slice/user-1000.slice/session-2.scope/lxc'
>       lxc-start test 20180605120725.699 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/hugetlb/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/memory/user.slice/user-1000.slice/session-2.scope/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/cpuset/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/perf_event/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/devices/user.slice/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/blkio/user.slice/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/freezer/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_cgfs -
> cgroups/cgfs.c:lxc_cgroupfs_create:1022 - Permission denied - Could not
> create cgroup '/lxc' in '/sys/fs/cgroup/freezer'.
>       lxc-start test 20180605120725.700 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/cpu,cpuacct/user.slice
>       lxc-start test 20180605120725.700 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/pids/user.slice/user-1000.slice/session-2.scope
>       lxc-start test 20180605120725.701 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/hugetlb//kinkazma
>       lxc-start test 20180605120725.701 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - Failed to
> delete /sys/fs/cgroup/hugetlb/
>       lxc-start test 20180605120725.701 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/memory/user.slice/user-1000.slice/session-2.scope
>       lxc-start test 20180605120725.702 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/cpuset//kinkazma
>       lxc-start test 20180605120725.702 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - Failed to
> delete /sys/fs/cgroup/cpuset/
>       lxc-start test 20180605120725.702 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/perf_event//kinkazma
>       lxc-start test 20180605120725.702 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - Failed to
> delete /sys/fs/cgroup/perf_event/
>       lxc-start test 20180605120725.702 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/devices/user.slice
>       lxc-start test 20180605120725.703 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/blkio/user.slice
>       lxc-start test 20180605120725.703 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/freezer//user/gdm/0
>       lxc-start test 20180605120725.703 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/freezer//user/gdm
>       lxc-start test 20180605120725.703 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/freezer//user/root/0
>       lxc-start test 20180605120725.703 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/freezer//user/root
>       lxc-start test 20180605120725.704 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/freezer//user/kinkazma/0
>       lxc-start test 20180605120725.704 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/freezer//user/kinkazma
>       lxc-start test 20180605120725.704 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/freezer//user
>       lxc-start test 20180605120725.704 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/freezer//kinkazma
>       lxc-start test 20180605120725.704 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - Failed to
> delete /sys/fs/cgroup/freezer/
>       lxc-start test 20180605120725.704 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/net_cls,net_prio//kinkazma
>       lxc-start test 20180605120725.704 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - Failed to
> delete /sys/fs/cgroup/net_cls,net_prio/
>       lxc-start test 20180605120725.704 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope
>       lxc-start test 20180605120725.704 ERROR    lxc_start -
> start.c:lxc_spawn:1222 - Failed creating cgroups.
>       lxc-start test 20180605120725.704 DEBUG    lxc_network -
> network.c:lxc_delete_network_unpriv:2307 - Cannot not guarantee safe
> deletion of network devices. Manual cleanup maybe needed
>       lxc-start test 20180605120725.704 DEBUG    lxc_network -
> network.c:lxc_delete_network:3122 - Failed to delete network devices
>       lxc-start test 20180605120725.704 WARN     lxc_monitor -
> monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send
> message: No such file or directory.
>       lxc-start test 20180605120725.704 WARN     lxc_monitor -
> monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send
> message: No such file or directory.
>       lxc-start test 20180605120725.704 ERROR    lxc_container -
> lxccontainer.c:wait_on_daemonized_start:760 - Received container state
> "ABORTING" instead of "RUNNING"
>       lxc-start test 20180605120725.704 ERROR    lxc_start -
> start.c:__lxc_start:1460 - Failed to spawn container "test".
>       lxc-start test 20180605120725.704 WARN     lxc_monitor -
> monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send
> message: No such file or directory.
>       lxc-start test 20180605120725.704 WARN     lxc_monitor -
> monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send
> message: No such file or directory.
>       lxc-start test 20180605120725.704 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:371 - The container failed to start.
>       lxc-start test 20180605120725.704 WARN     lxc_monitor -
> monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send
> message: No such file or directory.
>       lxc-start test 20180605120725.704 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:373 - To get more details, run the container in
> foreground mode.
>       lxc-start test 20180605120725.704 WARN     lxc_monitor -
> monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send
> message: No such file or directory.
>       lxc-start test 20180605120725.704 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:375 - Additional information can be obtained by
> setting the --logfile and --logpriority options.
>       lxc-start test 20180605120725.704 INFO     lxc_conf -
> conf.c:run_script_argv:458 - Executing script
> "/usr/share/lxcfs/lxc.reboot.hook" for container "test", config section
> "lxc".


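As an added example (not part of either mail, and not LXC project code), the Python below triages a log like the one quoted above: it rejoins the mail-wrapped records and separates the `mkdir_p` permission failures, which name the cgroup directories the user cannot write to, from the `cgroup_rmdir` cleanup errors that follow. The function names `unwrap` and `triage` are made up for this example.

```python
import os
import re

# Start of a record: "<tool> <container> <YYYYmmddHHMMSS.mmm> <LEVEL> ..."
START = re.compile(r"^\S+ \S+ \d{14}\.\d{3} ")
RECORD = re.compile(r"^\S+ \S+ \S+ (\w+)\s+\S+ - \S+?:(\w+):\d+ - (.*)$")
DENIED = re.compile(r"Permission denied - failed to create directory "
                    r"'(/sys/fs/cgroup/([^/']+)[^']*)'")

def unwrap(mail_text):
    """Strip '> ' quoting and rejoin mail-wrapped lines into log records."""
    records = []
    for raw in mail_text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        if line and (START.match(line) or not records):
            records.append(line)
        elif line:
            records[-1] += " " + line  # continuation of a wrapped record
    return records

def triage(mail_text):
    """Return ({controller: dir the user cannot write to}, cleanup error count)."""
    blocked, cleanup = {}, 0
    for rec in unwrap(mail_text):
        m = RECORD.match(rec)
        if not m or m.group(1) != "ERROR":
            continue
        func, denied = m.group(2), DENIED.search(m.group(3))
        if func == "mkdir_p" and denied:
            blocked[denied.group(2)] = os.path.dirname(denied.group(1))
        elif func == "cgroup_rmdir":
            cleanup += 1  # fallout from the failed create, not the cause
    return blocked, cleanup

# Three records copied from the quoted log above, still wrapped as mailed.
SAMPLE = """\
>       lxc-start test 20180605120725.699 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/pids/user.slice/user-1000.slice/session-2.scope/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_utils -
> utils.c:mkdir_p:257 - Permission denied - failed to create directory
> '/sys/fs/cgroup/freezer/lxc'
>       lxc-start test 20180605120725.700 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - Failed to delete
> /sys/fs/cgroup/cpu,cpuacct/user.slice
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```
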