touch-packages team mailing list archive

[Bug 1342960] Re: Error setting cgroup devices.deny limit with nested lxc container

 

Thanks for verifying.  What is happening is actually vaguely explained
in the mountcgroup hook itself, and is an unfortunate side effect of a
somewhat recent kernel change:

cd /sys/fs/cgroup/devices
sudo mkdir a
echo  a | sudo tee -a a/devices.deny   # succeeds
sudo mkdir -p b/c
echo a | sudo tee -a b/devices.deny    # fails

If a devices cgroup has any child cgroups, then you can no longer make
certain changes to it.

Marking this confirmed and changing the title to reflect that the
comments in /usr/share/lxc/config/ubuntu.common.conf need to be changed.

** Changed in: lxc
       Status: Incomplete => Triaged

** Also affects: lxc (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: lxc (Ubuntu)
       Status: New => Triaged

** Changed in: lxc (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: lxc (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: lxc (Ubuntu)
   Importance: Undecided => High

** Summary changed:

- Error setting cgroup devices.deny limit with nested lxc container
+ comments in common.conf must be updated

** Changed in: lxc
     Assignee: (unassigned) => Serge Hallyn (serge-hallyn)

** Changed in: lxc
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1342960

Title:
  comments in common.conf must be updated

Status in lxc containers:
  In Progress
Status in “lxc” package in Ubuntu:
  Triaged
Status in “lxc” source package in Trusty:
  Triaged

Bug description:
  I tried to run a juju charm (jenkins-lxc) that starts an lxc container,
  so I added lxc.aa_profile = lxc-container-default-with-nesting and
  lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups to
  /var/lib/lxc/juju-trusty-template/config and then tried to deploy the
  service. I got a failure from juju:

  agent-state-info: 'error executing "lxc-start": The container failed to start.;
        To get more details, run the container in foreground mode.; Additional information
        can be obtained by setting the --logfile and --log-priority options.'

  So I tried to start the container manually:

  $ sudo lxc-start -n matsubara-local-machine-1 --logpriority DEBUG --logfile /tmp/lxc.log

  which gave me this log:
  http://paste.ubuntu.com/7805486/

  I removed lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups from
  /var/lib/lxc/juju-trusty-template/config and tried again. Got the same
  error.

  I created the file /etc/default/cgmanager and added
  cgmanager_opts="--debug"

  And got in /var/log/upstart/cgmanager.log:
  http://paste.ubuntu.com/7805602/

  Additional info:
  <hallyn> release, kernel version, lxc version, cgmanager version
  <matsubara> hallyn, I'm running this on Trusty, 3.13.0-30-generic, lxc 1.0.4-0ubuntu0.1 and 0.24-0ubuntu7

  /proc/self/cgroup content: http://paste.ubuntu.com/7805492/

  The config for the juju template used to start local provider containers in /var/lib/lxc/juju-trusty-template/config: http://paste.ubuntu.com/7805606/
  And the config for /var/lib/lxc/matsubara-local-machine-1/config: http://paste.ubuntu.com/7805610/

To manage notifications about this bug go to:
https://bugs.launchpad.net/lxc/+bug/1342960/+subscriptions
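
The comment above shows that writing "a" to devices.deny fails once a devices cgroup has a child. As an added example (not part of the original message or of lxc), this script lists the cgroups in a hierarchy that already have children. The function names are hypothetical, and the sample tree is a constructed stand-in for /sys/fs/cgroup/devices using the same a and b/c layout.

```shell
#!/bin/sh
# Added diagnostic sketch: find devices cgroups that already have child
# cgroups, i.e. the ones where the message's
#   echo a | sudo tee -a <cgroup>/devices.deny
# is refused. Only the directory layout is inspected; nothing is written.

# has_children DIR: succeeds when DIR contains at least one child cgroup.
# In cgroupfs every subdirectory of a cgroup is a child cgroup.
has_children() {
    [ -n "$(find "$1" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | head -n 1)" ]
}

# blocked_cgroups ROOT: print, relative to ROOT, every cgroup below ROOT
# that has children. On a real host ROOT would be the devices hierarchy
# used in the message (/sys/fs/cgroup/devices).
blocked_cgroups() {
    root=${1%/}
    find "$root" -mindepth 1 -type d | sort | while IFS= read -r dir; do
        if has_children "$dir"; then
            printf '%s\n' "${dir#"$root"/}"
        fi
    done
}

# make_sample_tree: constructed sample reproducing the layout from the
# message: "a" has no children, "b" has the child "c".
make_sample_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/a" "$tmp/b/c"
    printf '%s\n' "$tmp"
}

# Demo on the constructed tree.
demo_tree=$(make_sample_tree) && blocked_cgroups "$demo_tree" && rm -rf "$demo_tree"
```

Run against the real hierarchy before starting a nested container to see whether the cgroup the container will be placed in already has children.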