Bug#934387: [pkg-lxc-devel] Bug#934387: lxc: privileged LXC container do not start: ERROR cgfsng - cgroups/cgfsng.c:__do_cgroup_enter:1498 - No space left on device - Failed to enter cgroup "/sys/fs/cgroup/cpuset//lxc.monitor/test-container/cgroup.procs"

[Pierre-Elliott Bécue]

Le samedi 10 août 2019 à 16:59:32+0200, Salvatore Bonaccorso a écrit :
> Package: lxc
> Version: 1:3.1.0+really3.0.4-1
> Severity: normal
> 
> Hi
> 
> After an update of lxc and liblxc1 to 1:3.1.0+really3.0.4-1 privileged
> container do not start anymore on an affected host (this might be a
> problem specific, but not entirely sure if it is a bug in the package
> or it's here a user error). 
> 
> The host is already at 1:3.1.0+really3.0.4-1 and creating a new
> container:
> 
> sudo lxc-create -n test-container -t debian -- -r sid
> 
> and starting it
> 
> sudo lxc-start -n test-container --logfile=/tmp/test-container.log -l DEBUG
> 
> fails to start:
> 
> lxc-start: test-container: lxccontainer.c: wait_on_daemonized_start: 851 
> Received container state "STOPPING" instead of "RUNNING"
> lxc-start: test-container: tools/lxc_start.c: main: 329 The container failed 
> to start
> lxc-start: test-container: tools/lxc_start.c: main: 332 To get more details, 
> run the container in foreground mode
> lxc-start: test-container: tools/lxc_start.c: main: 335 Additional 
> information can be obtained by setting the --logfile and --logpriority options
> 
> And in detail the test-container.log contains:
> 
> lxc-start test-container 20190810144707.635 INFO     lxccontainer - 
> lxccontainer.c:do_lxcapi_start:971 - Set process title to [lxc monitor] 
> /var/lib/lxc test-container
> lxc-start test-container 20190810144707.636 INFO     lsm - 
> lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:759 - Processing "reject_force_umount  # comment 
> this to allow umount -f;  not recommended"
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for 
> reject_force_umount action 0(kill)
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for 
> reject_force_umount action 0(kill)
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for 
> reject_force_umount action 0(kill)
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for 
> reject_force_umount action 0(kill)
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:759 - Processing "[all]"
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load 
> action 327681(errno)
> lxc-start test-container 20190810144707.636 INFO     seccomp - 
> seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for 
> kexec_load action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for 
> kexec_load action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for 
> kexec_load action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for 
> open_by_handle_at action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for 
> open_by_handle_at action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for 
> open_by_handle_at action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for 
> open_by_handle_at action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module 
> action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for 
> init_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for 
> init_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for 
> init_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module 
> action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for 
> finit_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for 
> finit_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for 
> finit_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for 
> delete_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for 
> delete_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for 
> delete_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for 
> delete_module action 327681(errno)
> lxc-start test-container 20190810144707.637 INFO     seccomp - 
> seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main 
> context
> lxc-start test-container 20190810144707.637 DEBUG    terminal - 
> terminal.c:lxc_terminal_peer_default:676 - No such device - The process does 
> not have a controlling terminal
> lxc-start test-container 20190810144707.739 INFO     start - 
> start.c:lxc_init:926 - Container "test-container" is initialized
> lxc-start test-container 20190810144707.739 DEBUG    cgfsng - 
> cgroups/cgfsng.c:cg_legacy_filter_and_set_cpus:495 - No isolated or offline 
> cpus present in cpuset
> lxc-start test-container 20190810144707.739 DEBUG    cgfsng - 
> cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:612 - 
> "cgroup.clone_children" was already set to "1"
> lxc-start test-container 20190810144707.740 INFO     cgfsng - 
> cgroups/cgfsng.c:cgfsng_monitor_create:1403 - The monitor process uses 
> "lxc.monitor/test-container" as cgroup
> lxc-start test-container 20190810144707.740 ERROR    cgfsng - 
> cgroups/cgfsng.c:__do_cgroup_enter:1498 - No space left on device - Failed to 
> enter cgroup "/sys/fs/cgroup/cpuset//lxc.monitor/test-container/cgroup.procs"
> lxc-start test-container 20190810144707.740 ERROR    start - 
> start.c:__lxc_start:2004 - Failed to enter monitor cgroup
> lxc-start test-container 20190810144707.740 DEBUG    lxccontainer - 
> lxccontainer.c:wait_on_daemonized_start:839 - First child 31136 exited
> lxc-start test-container 20190810144707.740 ERROR    lxccontainer - 
> lxccontainer.c:wait_on_daemonized_start:851 - Received container state 
> "STOPPING" instead of "RUNNING"
> lxc-start test-container 20190810144707.741 ERROR    lxc_start - 
> tools/lxc_start.c:main:329 - The container failed to start
> lxc-start test-container 20190810144707.741 ERROR    lxc_start - 
> tools/lxc_start.c:main:332 - To get more details, run the container in 
> foreground mode
> lxc-start test-container 20190810144707.741 ERROR    lxc_start - 
> tools/lxc_start.c:main:335 - Additional information can be obtained by 
> setting the --logfile and --logpriority options
> lxc-start test-container 20190810144707.837 DEBUG    cgfsng - 
> cgroups/cgfsng.c:cg_legacy_filter_and_set_cpus:495 - No isolated or offline 
> cpus present in cpuset
> lxc-start test-container 20190810144707.837 DEBUG    cgfsng - 
> cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:612 - 
> "cgroup.clone_children" was already set to "1"
> lxc-start test-container 20190810144707.837 WARN     cgfsng - 
> cgroups/cgfsng.c:cgfsng_monitor_destroy:1178 - No space left on device - 
> Failed to move monitor 31137 to 
> "/sys/fs/cgroup/cpuset//lxc.pivot/cgroup.procs"
> 
> Downgrading to 1:3.1.0+really3.0.3-8 allows the containers to start again.
> 
> But as said I'm unsure here if this might be a bug in 1:3.1.0+really3.0.4-1.
> 
> I will try to reproduce as well on a fresh installation starting in buster and
> installing lxc there, then upgrading to unstable and see if the issue is
> reproducible in general. The affected host is one constantly following 
> unstable
> and regularly installing updates, so the lxc/liblxc1 updat happended when
> 1:3.1.0+really3.0.4-1  was uploaded to unstable.
> 
> Regards,

Hi,

I'll follow up to github to ask for some help, but have you tried to
debug the "no space left on device" part? Are cgroups properly
available?

WBR,

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.

signature.asc
Description: PGP signature