group.of.nepali.translators team mailing list archive

[Bug 1635639] Re: Seccomp error with 2.0.5-0ubuntu1~ubuntu16.04.1 on s390x

 

** Changed in: juju-ci-tools
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1635639

Title:
  Seccomp error with 2.0.5-0ubuntu1~ubuntu16.04.1 on s390x

Status in juju-ci-tools:
  Fix Released
Status in lxc package in Ubuntu:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released
Status in lxc source package in Zesty:
  Fix Committed

Bug description:
  ## SRU paperwork
  ### Rationale
  LXC 2.0.5 added support for Seccomp on the s390x architecture for those kernels that support it. Unfortunately the personality handling for s390x is wrong and results in the profile being set up twice, causing a failure to start the container.

  This effectively means that LXC 2.0.5 fails out of the box on s390x.

  ### Test case
  With LXC:
   - lxc-start -n some-container -F

  With LXD:
   - lxc start some-container

  ### Regression potential
  Our own testing shows that the fix works perfectly fine. The code change itself only affects s390x (under ifdef) so can't possibly affect the other architectures.

  The worst that can happen should this fix be wrong is either status
  quo (container won't start) or having the container start without
  seccomp support (status quo when compared to 2.0.4).


  ## Original bug report
  The s390x host used for Juju testing spontaneously broke today.
  The disk filled up, we restarted so that we could remove unused
  kernels. We discovered that lxc1 cannot create containers any more.

  $ sudo lxc-create -t ubuntu-cloud -n curtis -- -r xenial -a s390x

  $ sudo lxc-start -o lxc.log -n curtis
  lxc-start: tools/lxc_start.c: main: 344 The container failed to start.
  lxc-start: tools/lxc_start.c: main: 346 To get more details, run the container in foreground mode.
  lxc-start: tools/lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

  $ cat lxc.log
        lxc-start 20161020121833.069 ERROR    lxc_seccomp - seccomp.c:get_new_ctx:224 - Seccomp error -17 (File exists) adding arch: 15
        lxc-start 20161020121833.069 ERROR    lxc_start - start.c:lxc_init:430 - failed loading seccomp policy
        lxc-start 20161020121833.069 ERROR    lxc_start - start.c:__lxc_start:1313 - failed to initialize the container
        lxc-start 20161020121838.075 ERROR    lxc_start_ui - tools/lxc_start.c:main:344 - The container failed to start.
        lxc-start 20161020121838.075 ERROR    lxc_start_ui - tools/lxc_start.c:main:346 - To get more details, run the container in foreground mode.
        lxc-start 20161020121838.075 ERROR    lxc_start_ui - tools/lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.

  # <stgraber> sinzui: checking when s390x seccomp support was added to the
  # kernel, to see if it's just a missing config in our kernel that'd fix that
  # cleanly or if we'd need it backported to 4.4 which would be a bit more
  # annoying
  # <stgraber> sinzui: config-4.4.0-45-generic is what you're running right?
  # <sinzui> stgraber uname-a says 4.4.0-45-generic
  # <stgraber> sinzui: you can work around it by putting a file
  # with lxc.seccomp=
  # in /usr/share/lxc/config/common.conf.d/, that should get you going again

  WORK AROUND for LXC 1
  # on the s390x-slave
  sudo vim /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
  $ cat /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
  # Advised to stgraber to add this file after seeing lxc-start fail with
  # lxc-start 20161020121833.069 ERROR    lxc_seccomp - seccomp.
  lxc.seccomp=

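The workaround in the report leaves `lxc.seccomp` empty for every container that includes the drop-in, so those containers start without a seccomp profile until the file is removed. The following is an added example, not part of the bug report or of LXC: a shell function that lists config drop-ins still carrying such an empty assignment. The function names, the sample tree and the profile path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list LXC config drop-ins that
# blank out the seccomp profile, as the workaround file does.

# find_seccomp_disabled DIR...
# Prints "file:line" for every active line that assigns an empty value to
# lxc.seccomp (or lxc.seccomp.profile, the key name used by newer LXC).
# Each empty assignment is reported; later overrides are not evaluated.
find_seccomp_disabled() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.conf' | sort | while IFS= read -r f; do
            awk -v file="$f" '
                /^[ \t]*#/ { next }    # skip comment lines
                /^[ \t]*lxc\.seccomp(\.profile)?[ \t]*=[ \t]*$/ {
                    printf "%s:%d\n", file, NR
                }' "$f"
        done
    done
}

# Constructed sample tree: one drop-in shaped like the workaround file and
# one that keeps a profile (the profile path is a placeholder).
demo_constructed() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/common.conf.d"
    cat > "$tmp/common.conf.d/10-secomp-hack.conf" <<'EOF'
# temporary workaround, see bug 1635639
# lxc.seccomp=
lxc.seccomp=
EOF
    cat > "$tmp/common.conf.d/20-keep.conf" <<'EOF'
lxc.seccomp = /path/to/profile.seccomp
EOF
    out=$(cd "$tmp" && find_seccomp_disabled common.conf.d)
    rm -rf "$tmp"
    printf '%s\n' "$out"
)

demo_constructed
```

On a real host the function would be pointed at `/usr/share/lxc/config/common.conf.d` and any other directories pulled in through `lxc.include`.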