touch-packages team mailing list archive
[Bug 1467611] [NEW] unprivileged lxc containers broken
Public bug reported:
Seems like I've hit bug #1413927, but as requested in the comments I'm filing a new one.
lxc-start -n asterisk -l debug -F --logfile /dev/stdout
lxc-start 1434992414.067 INFO lxc_start_ui - lxc_start.c:main:264 - using rcfile /home/x/.local/share/lxc/asterisk/config
lxc-start 1434992414.067 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1434992414.067 WARN lxc_confile - confile.c:config_pivotdir:1768 - lxc.pivotdir is ignored. It will soon become an error.
lxc-start 1434992414.069 INFO lxc_confile - confile.c:config_idmap:1376 - read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start 1434992414.069 INFO lxc_confile - confile.c:config_idmap:1376 - read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start 1434992414.069 WARN lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
lxc-start 1434992414.075 WARN lxc_cgmanager - cgmanager.c:cgm_get:963 - do_cgm_get exited with error
lxc-start 1434992414.076 WARN lxc_start - start.c:lxc_check_inherited:224 - inherited fd 7
lxc-start 1434992414.076 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for reject_force_umount action 0
lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - Setting seccomp rule to reject force umounts
lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for reject_force_umount action 0
lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:parse_config_v2:438 - Adding non-compat rule bc nr1 == nr2 (-1, -1)
lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - Setting seccomp rule to reject force umounts
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .[all].
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .kexec_load errno 1.
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for kexec_load action 327681
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for kexec_load action 327681
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (283, 246)
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .open_by_handle_at errno 1.
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for open_by_handle_at action 327681
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for open_by_handle_at action 327681
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (342, 304)
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .init_module errno 1.
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for init_module action 327681
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for init_module action 327681
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (128, 175)
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .finit_module errno 1.
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for finit_module action 327681
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for finit_module action 327681
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (350, 313)
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .delete_module errno 1.
lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for delete_module action 327681
lxc-start 1434992414.078 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for delete_module action 327681
lxc-start 1434992414.078 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (129, 176)
lxc-start 1434992414.078 INFO lxc_seccomp - seccomp.c:parse_config_v2:451 - Merging in the compat seccomp ctx into the main one
lxc-start 1434992414.078 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1434992414.078 DEBUG lxc_start - start.c:setup_signal_fd:259 - sigchild handler set
lxc-start 1434992414.080 DEBUG lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer
lxc-start 1434992414.081 INFO lxc_caps - caps.c:lxc_caps_up:101 - Last supported cap was 36
lxc-start 1434992414.081 DEBUG lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console
lxc-start 1434992414.081 DEBUG lxc_console - console.c:lxc_console_sigwinch_init:179 - 974 got SIGWINCH fd 10
lxc-start 1434992414.081 DEBUG lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:6 cols:160 rows:25
lxc-start 1434992414.155 INFO lxc_start - start.c:lxc_init:451 - 'asterisk' is initialized
lxc-start 1434992414.157 DEBUG lxc_start - start.c:__lxc_start:1137 - Not dropping cap_sys_boot or watching utmp
lxc-start 1434992414.158 INFO lxc_start - start.c:resolve_clone_flags:848 - Cloning a new user namespace
lxc-start 1434992414.158 INFO lxc_cgroup - cgroup.c:cgroup_init:65 - cgroup driver cgmanager initing for asterisk
lxc-start 1434992414.176 ERROR lxc_cgmanager - cgmanager.c:lxc_cgmanager_enter:694 - call to cgmanager_move_pid_sync failed: invalid request
lxc-start: cgmanager.c: lxc_cgmanager_enter: 694 call to cgmanager_move_pid_sync failed: invalid request
lxc-start 1434992414.177 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1434992414.197 ERROR lxc_start - start.c:__lxc_start:1164 - failed to spawn 'asterisk'
lxc-start: start.c: __lxc_start: 1164 failed to spawn 'asterisk'
lxc-start 1434992414.197 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1434992414.197 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1434992414.199 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start 1434992414.200 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
I have also added a bridge configured with systemd-networkd to /etc/lxc/lxc-usernet:
x veth ibr1 4
and the corresponding file /etc/systemd/network/internalbridge1.netdev:
[NetDev]
Name=ibr1
Kind=bridge
The container config:
# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/x/.local/share/lxc/asterisk/rootfs
lxc.utsname = asterisk
# Network configuration
lxc.network.type = veth
lxc.network.link = ibr1
lxc.network.flags = up
lxc.network.name = internal
lxc.network.ipv4 = 10.1.1.2/24
lxc.network.ipv4.gateway = 10.1.1.1
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1467611
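An added example (not code from LXC or from this bug report) that checks the one piece of the setup above that is under the unprivileged user's control: whether the `x veth ibr1 4` line in /etc/lxc/lxc-usernet actually covers every bridged veth the container config asks for. The file contents are constructed inline from the report; the four-column user/type/bridge/count layout is assumed from the lxc-usernet(5) format.

```python
"""Validate an unprivileged container's veth networks against lxc-usernet.

lxc-usernet is the least-privilege control that decides how many veth
devices an unprivileged user may attach to a given bridge; a config that
asks for more than the quota is refused before the container can start.
"""
import re

# Constructed from the bug report: user "x" may attach 4 veths to ibr1.
USERNET = """\
# user  type  bridge  count
x veth ibr1 4
"""

# Constructed from the bug report's network section (other keys omitted).
CONTAINER_CONF = """\
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.network.type = veth
lxc.network.link = ibr1
lxc.network.flags = up
lxc.network.name = internal
lxc.network.ipv4 = 10.1.1.2/24
"""


def parse_usernet(text):
    """Map (user, type, bridge) -> allowed count; comments/blank lines skipped."""
    quota = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, dev_type, bridge, count = line.split()
        quota[(user, dev_type, bridge)] = int(count)
    return quota


def parse_networks(text):
    """Group lxc.network.* keys into one dict per network.

    A new 'lxc.network.type' key starts a new network, as in the LXC
    config format used by the report.
    """
    nets = []
    for line in text.splitlines():
        m = re.match(r"\s*lxc\.network\.(\S+)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        key, val = m.groups()
        if key == "type":
            nets.append({})
        if nets:
            nets[-1][key] = val
    return nets


def check_usernet(user, conf_text, usernet_text):
    """Return a list of quota problems; an empty list means the config fits."""
    quota = parse_usernet(usernet_text)
    used, problems = {}, []
    for net in parse_networks(conf_text):
        if net.get("type") != "veth" or "link" not in net:
            continue  # only bridged veths are limited by lxc-usernet
        key = (user, "veth", net["link"])
        used[key] = used.get(key, 0) + 1
        allowed = quota.get(key, 0)
        if used[key] > allowed:
            problems.append(f"{user}: {used[key]} veth on {net['link']} "
                            f"requested, {allowed} allowed")
    return problems
```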
Follow ups
- [Bug 1467611] Re: unprivileged lxc containers don't work in lsh remote sessions (From: Martin Pitt, 2015-06-30)
- [Bug 1467611] Re: unprivileged lxc containers don't work in remote sessions (From: god, 2015-06-30)
- [Bug 1467611] Re: unprivileged lxc containers don't work in remote sessions (From: Martin Pitt, 2015-06-30)
- [Bug 1467611] Re: unprivileged lxc containers don't work in remote sessions (From: Martin Pitt, 2015-06-30)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: god, 2015-06-29)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: god, 2015-06-29)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: god, 2015-06-29)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: Martin Pitt, 2015-06-29)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: god, 2015-06-29)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: Martin Pitt, 2015-06-29)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: Launchpad Bug Tracker, 2015-06-28)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: Launchpad Bug Tracker, 2015-06-28)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: Serge Hallyn, 2015-06-26)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: god, 2015-06-26)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: Serge Hallyn, 2015-06-25)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: god, 2015-06-22)
- [Bug 1467611] Re: unprivileged lxc containers broken (From: god, 2015-06-22)
- [Bug 1467611] [NEW] unprivileged lxc containers broken (From: god, 2015-06-22)