
touch-packages team mailing list archive

[Bug 1467611] Re: unprivileged lxc containers broken


I still don't get the point about lsh - I mean, what's the difference
with openssh? Are there some specific steps by the ssh server with regard to
user session setup that are necessary? Or some specific system-wide configuration
required somewhere?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1467611

Title:
  unprivileged lxc containers broken

Status in lxc package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  Seems like I've hit bug #1413927, but as requested in the comments I'm
  filing a new one.

  lxc-start -n asterisk -l debug -F --logfile /dev/stdout

        lxc-start 1434992414.067 INFO     lxc_start_ui - lxc_start.c:main:264 - using rcfile /home/x/.local/share/lxc/asterisk/config
        lxc-start 1434992414.067 INFO     lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
        lxc-start 1434992414.067 WARN     lxc_confile - confile.c:config_pivotdir:1768 - lxc.pivotdir is ignored.  It will soon become an error.
        lxc-start 1434992414.069 INFO     lxc_confile - confile.c:config_idmap:1376 - read uid map: type u nsid 0 hostid 100000 range 65536
        lxc-start 1434992414.069 INFO     lxc_confile - confile.c:config_idmap:1376 - read uid map: type g nsid 0 hostid 100000 range 65536
        lxc-start 1434992414.069 WARN     lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
        lxc-start 1434992414.075 WARN     lxc_cgmanager - cgmanager.c:cgm_get:963 - do_cgm_get exited with error
        lxc-start 1434992414.076 WARN     lxc_start - start.c:lxc_check_inherited:224 - inherited fd 7
        lxc-start 1434992414.076 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
        lxc-start 1434992414.076 INFO     lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.      
        lxc-start 1434992414.076 INFO     lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for reject_force_umount action 0
        lxc-start 1434992414.076 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - Setting seccomp rule to reject force umounts
        lxc-start 1434992414.076 INFO     lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for reject_force_umount action 0
        lxc-start 1434992414.076 INFO     lxc_seccomp - seccomp.c:parse_config_v2:438 - Adding non-compat rule bc nr1 == nr2 (-1, -1)
        lxc-start 1434992414.076 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - Setting seccomp rule to reject force umounts
                    
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .[all].
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .kexec_load errno 1.
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for kexec_load action 327681
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for kexec_load action 327681
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (283, 246)
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .open_by_handle_at errno 1.
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for open_by_handle_at action 327681
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for open_by_handle_at action 327681
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (342, 304)
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .init_module errno 1.
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for init_module action 327681
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for init_module action 327681
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (128, 175)
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .finit_module errno 1.
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for finit_module action 327681
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for finit_module action 327681
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (350, 313)
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .delete_module errno 1.
        lxc-start 1434992414.077 INFO     lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for delete_module action 327681
        lxc-start 1434992414.078 INFO     lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for delete_module action 327681
        lxc-start 1434992414.078 INFO     lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (129, 176)
        lxc-start 1434992414.078 INFO     lxc_seccomp - seccomp.c:parse_config_v2:451 - Merging in the compat seccomp ctx into the main one
        lxc-start 1434992414.078 INFO     lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
        lxc-start 1434992414.078 DEBUG    lxc_start - start.c:setup_signal_fd:259 - sigchild handler set
        lxc-start 1434992414.080 DEBUG    lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer
        lxc-start 1434992414.081 INFO     lxc_caps - caps.c:lxc_caps_up:101 - Last supported cap was 36
        lxc-start 1434992414.081 DEBUG    lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console
        lxc-start 1434992414.081 DEBUG    lxc_console - console.c:lxc_console_sigwinch_init:179 - 974 got SIGWINCH fd 10
        lxc-start 1434992414.081 DEBUG    lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:6 cols:160 rows:25
        lxc-start 1434992414.155 INFO     lxc_start - start.c:lxc_init:451 - 'asterisk' is initialized
        lxc-start 1434992414.157 DEBUG    lxc_start - start.c:__lxc_start:1137 - Not dropping cap_sys_boot or watching utmp
        lxc-start 1434992414.158 INFO     lxc_start - start.c:resolve_clone_flags:848 - Cloning a new user namespace
        lxc-start 1434992414.158 INFO     lxc_cgroup - cgroup.c:cgroup_init:65 - cgroup driver cgmanager initing for asterisk
        lxc-start 1434992414.176 ERROR    lxc_cgmanager - cgmanager.c:lxc_cgmanager_enter:694 - call to cgmanager_move_pid_sync failed: invalid request
  lxc-start: cgmanager.c: lxc_cgmanager_enter: 694 call to cgmanager_move_pid_sync failed: invalid request
        lxc-start 1434992414.177 INFO     lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
        lxc-start 1434992414.197 ERROR    lxc_start - start.c:__lxc_start:1164 - failed to spawn 'asterisk'
  lxc-start: start.c: __lxc_start: 1164 failed to spawn 'asterisk'
        lxc-start 1434992414.197 INFO     lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
        lxc-start 1434992414.197 INFO     lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
        lxc-start 1434992414.199 ERROR    lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
  lxc-start: lxc_start.c: main: 344 The container failed to start.
        lxc-start 1434992414.200 ERROR    lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
  lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

  I have also added a bridge configured with systemd-networkd to /etc/lxc/lxc-usernet:
  x veth ibr1 4

  and corresponding file /etc/systemd/network/internalbridge1.netdev
  [NetDev]
  Name=ibr1
  Kind=bridge

  The container config:
  # Distribution configuration
  lxc.include = /usr/share/lxc/config/ubuntu.common.conf
  lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
  lxc.arch = x86_64

  # Container specific configuration
  lxc.include = /etc/lxc/default.conf
  lxc.id_map = u 0 100000 65536
  lxc.id_map = g 0 100000 65536
  lxc.rootfs = /home/x/.local/share/lxc/asterisk/rootfs
  lxc.utsname = asterisk

  # Network configuration
  lxc.network.type = veth
  lxc.network.link = ibr1
  lxc.network.flags = up
  lxc.network.name = internal
  lxc.network.ipv4 = 10.1.1.2/24
  lxc.network.ipv4.gateway = 10.1.1.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1467611/+subscriptions
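A check a practitioner can run against a container config like the one in the report, as an added example that is not part of the bug report or of lxc itself: it verifies that the lxc.id_map ranges fall inside the user's /etc/subuid and /etc/subgid allocation and that the bridge in lxc.network.link is granted to that user in lxc-usernet. The user name x, the file contents and the temporary paths are constructed, and the two helper functions are hypothetical; it does not diagnose the cgmanager error itself, it only rules out the two ownership mis-configurations an unprivileged container can also fail on.

```shell
# Added example, not code from the bug report or from lxc. Sample files are
# constructed in a temp dir so the check runs offline; point CONF/SUBUID/
# SUBGID/USERNET at the real paths (and USER at the real account) to use it.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/config" SUBUID="$WORK/subuid"
SUBGID="$WORK/subgid" USERNET="$WORK/lxc-usernet"
cat >"$CONF" <<'EOF'
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.network.type = veth
lxc.network.link = ibr1
EOF
printf 'x:100000:65536\n' >"$SUBUID"
printf 'x:100000:65536\n' >"$SUBGID"
printf 'x veth ibr1 4\n' >"$USERNET"

# id_map_allowed USER CONF SUBFILE TYPE: succeeds when every lxc.id_map of
# TYPE (u or g) lies inside a range USER owns in SUBFILE (name:start:count).
id_map_allowed() {
  awk -v user="$1" -v type="$4" 'BEGIN { n = 0 }
    FNR == NR { if ($1 == user) { rs[n] = $2; rc[n] = $3; n++ }; next }
    $1 == "lxc.id_map" && $3 == type {
      ok = 0
      for (i = 0; i < n; i++) if ($5 >= rs[i] && $5 + $6 <= rs[i] + rc[i]) ok = 1
      if (!ok) bad++
    }
    END { exit bad ? 1 : 0 }' FS=: "$3" FS=" " "$2"
}

# bridge_allowed USER USERNET CONF: succeeds when the bridge named by
# lxc.network.link is granted to USER in lxc-usernet with a non-zero quota.
bridge_allowed() {
  link=$(awk '$1 == "lxc.network.link" { print $3 }' "$3")
  [ -n "$link" ] || return 1
  awk -v u="$1" -v l="$link" \
    '$1 == u && $2 == "veth" && $3 == l && $4 > 0 { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# report LABEL CMD ARGS...: print the outcome of one check without aborting.
report() { label=$1; shift; "$@" && echo "ok:   $label" || echo "FAIL: $label"; }
report "uid map inside /etc/subuid range"   id_map_allowed x "$CONF" "$SUBUID" u
report "gid map inside /etc/subgid range"   id_map_allowed x "$CONF" "$SUBGID" g
report "bridge granted in /etc/lxc/lxc-usernet" bridge_allowed x "$USERNET" "$CONF"
```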

