Hi all,

I am a little bit clueless. I have several systems running with Debian and unprivileged LXC, but newer systems won't start new containers.

Actually I have a Debian stretch, installed the normal way but with lxc-2.0.9 and cgmanager-0.41 installed from sources. I can set up cgmanager, can do a cgm movepid and it is no problem to download a template. But starting the container does not work, it simply hangs at:

$ lxc-start -n lxc-test -l trace -o wheezy -F

I tried it with Debian stretch first, then I tried wheezy since it does not use systemd. The kernel is 4.9.0-4-amd64 and kernel.unprivileged_userns_clone is set to 1.

The lxc-monitor complains about a missing fifo, but I have no idea which one it should be.

I have to kill the processes with -9, all other signals are ignored.

The cgroups look good, too:

$ cat /proc/self/cgroup
12:name=systemd:/lxc-test
11:pids:/lxc-test
10:perf_event:/lxc-test
9:net_prio:/lxc-test
8:net_cls:/lxc-test
7:memory:/lxc-test
6:freezer:/lxc-test
5:devices:/lxc-test
4:cpuset:/lxc-test
3:cpuacct:/lxc-test
2:cpu:/lxc-test
1:blkio:/lxc-test

lxc-test is the user which tries to start the unprivileged LXC.

Has anyone an idea what is going wrong?

Best regards

Dirk

PS: I tried lxc-2.1.1 too, but that does not work either.

--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
| d...@geschke-online.de / d...@lug-erding.de / kont...@lug-erding.de |
+----------------------------------------------------------------------+

lxc-start 20171205100114.683 INFO lxc_start_ui - tools/lxc_start.c:main:277 - using rcfile /home/lxc-test/.local/share/lxc/lxc-test/config
lxc-start 20171205100114.683 INFO lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 20171205100114.683 WARN lxc_confile - confile.c:set_config_pivotdir:2262 - lxc.pivotdir is ignored. It will soon become an error.
lxc-start 20171205100114.684 INFO lxc_confile - confile.c:set_config_idmaps:1861 - read uid map: type u nsid 0 hostid 531072 range 65536
lxc-start 20171205100114.684 INFO lxc_confile - confile.c:set_config_idmaps:1861 - read uid map: type g nsid 0 hostid 531072 range 65536
lxc-start 20171205100114.684 TRACE lxc_commands - commands.c:lxc_cmd:290 - command get_init_pid tries to connect command socket
lxc-start 20171205100114.684 TRACE lxc_commands - commands.c:lxc_cmd:295 - command get_init_pid failed to connect command socket: Connection refused
lxc-start 20171205100114.684 TRACE lxc_commands - commands.c:lxc_cmd:290 - command get_init_pid tries to connect command socket
lxc-start 20171205100114.684 TRACE lxc_commands - commands.c:lxc_cmd:295 - command get_init_pid failed to connect command socket: Connection refused
lxc-start 20171205100114.685 WARN lxc_cgmanager - cgroups/cgmanager.c:cgm_get:993 - do_cgm_get exited with error
lxc-start 20171205100114.685 TRACE lxc_commands - commands.c:lxc_cmd:290 - command get_state tries to connect command socket
lxc-start 20171205100114.685 TRACE lxc_commands - commands.c:lxc_cmd:295 - command get_state failed to connect command socket: Connection refused
lxc-start 20171205100114.685 TRACE lxc_start - start.c:lxc_init_handler:589 - unix domain socket 4 for command server is ready
lxc-start 20171205100114.685 TRACE lxc_start - start.c:lxc_init:604 - initialized LSM
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for reject_force_umount action 0(kill).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for reject_force_umount action 0(kill).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .[all].
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .kexec_load errno 1.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for kexec_load action 327681(errno).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for kexec_load action 327681(errno).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .open_by_handle_at errno 1.
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for open_by_handle_at action 327681(errno).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for open_by_handle_at action 327681(errno).
lxc-start 20171205100114.685 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .init_module errno 1.
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for init_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for init_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .finit_module errno 1.
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for finit_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for finit_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .delete_module errno 1.
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:610 - Adding native rule for delete_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:614 - Adding compat rule for delete_module action 327681(errno).
lxc-start 20171205100114.686 INFO lxc_seccomp - seccomp.c:parse_config_v2:624 - Merging in the compat Seccomp ctx into the main one.
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:610 - read seccomp policy
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_serve_state_clients:360 - set container state to STARTING
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_serve_state_clients:363 - no state clients registered
lxc-start 20171205100114.686 INFO lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 20171205100114.686 WARN lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
lxc-start 20171205100114.686 INFO lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 20171205100114.686 WARN lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:617 - set container state to "STARTING"
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:645 - set environment variables
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:651 - ran pre-start hooks
lxc-start 20171205100114.686 DEBUG lxc_start - start.c:setup_signal_fd:288 - Set SIGCHLD handler with file descriptor: 5.
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:662 - set up signal fd
lxc-start 20171205100114.686 DEBUG console - console.c:lxc_console_peer_default:459 - using "/dev/tty" as peer tty device
lxc-start 20171205100114.686 DEBUG console - console.c:lxc_console_sigwinch_init:151 - process 26870 created signal fd 9 to handle SIGWINCH events
lxc-start 20171205100114.686 DEBUG console - console.c:lxc_console_winsz:71 - set winsz dstfd:6 cols:80 rows:24
lxc-start 20171205100114.686 TRACE lxc_start - start.c:lxc_init:669 - created console
lxc-start 20171205100114.686 DEBUG lxc_conf - conf.c:chown_mapped_root:2830 - trying to chown "/dev/pts/2" to 1002
lxc-start 20171205100114.740 TRACE lxc_conf - conf.c:lxc_ttys_shift_ids:2908 - chowned console "/dev/pts/2"
lxc-start 20171205100114.740 TRACE lxc_start - start.c:lxc_init:675 - shifted tty ids
lxc-start 20171205100114.740 INFO lxc_start - start.c:lxc_init:677 - container "lxc-test" is initialized
lxc-start 20171205100114.741 DEBUG lxc_start - start.c:__lxc_start:1501 - Not dropping CAP_SYS_BOOT or watching utmp.
lxc-start 20171205100114.741 INFO lxc_cgroup - cgroups/cgroup.c:cgroup_init:67 - cgroup driver cgmanager initing for lxc-test
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWUSER.
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWNS.
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWPID.
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWUTS.
lxc-start 20171205100114.748 INFO lxc_start - start.c:lxc_spawn:1324 - Cloned CLONE_NEWIPC.
lxc-start 20171205100114.748 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
lxc-start 20171205100114.748 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
lxc-start 20171205100114.748 DEBUG lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
lxc-start 20171205100114.751 TRACE lxc_conf - conf.c:lxc_map_ids:2660 - newuidmap wrote mapping "newuidmap 26879 0 531072 65536"
lxc-start 20171205100114.754 TRACE lxc_conf - conf.c:lxc_map_ids:2660 - newgidmap wrote mapping "newgidmap 26879 0 531072 65536"
lxc-start 20171205100114.755 INFO lxc_start - start.c:do_start:914 - Unshared CLONE_NEWNET.
lxc-start 20171205100114.758 TRACE lxc_conf - conf.c:userns_exec_1:3817 - establishing uid mapping for "26884" in new user namespace: nsuid 0 - hostid 531072 - range 65536
lxc-start 20171205100114.758 TRACE lxc_conf - conf.c:userns_exec_1:3817 - establishing uid mapping for "26884" in new user namespace: nsuid 65536 - hostid 1002 - range 1
lxc-start 20171205100114.758 TRACE lxc_conf - conf.c:userns_exec_1:3817 - establishing gid mapping for "26884" in new user namespace: nsuid 0 - hostid 531072 - range 65536
lxc-start 20171205100114.758 TRACE lxc_conf - conf.c:userns_exec_1:3817 - establishing gid mapping for "26884" in new user namespace: nsuid 65536 - hostid 1002 - range 1
lxc-start 20171205100114.758 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
lxc-start 20171205100114.758 DEBUG lxc_conf - conf.c:idmaptool_on_path_and_privileged:2516 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
lxc-start 20171205100114.758 DEBUG lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
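
A triage helper for an lxc-start trace like the one in the message above, added here as an example and not part of the original post or of LXC: it splits the trace into entries even when several share a line, counts repeated WARN/ERROR messages, and reports the last entry written before logging stopped. The function names are this example's own, and SAMPLE is a short excerpt copied from that trace.

```python
import re
from collections import Counter

# Entry layout used in the trace:
#   lxc-start <YYYYmmddHHMMSS.mmm> <LEVEL> <category> - <file>:<function>:<line> - <message>
ENTRY = re.compile(
    r"lxc-start (?P<ts>\d{14}\.\d{3}) (?P<level>[A-Z]+) +(?P<cat>\S+) - "
    r"(?P<src>\S+?):(?P<func>\w+):(?P<line>\d+) - "
)

def parse_entries(text):
    """Split a trace into entries; a message runs up to the next entry header."""
    marks = list(ENTRY.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entry = m.groupdict()
        entry["msg"] = " ".join(text[m.end():end].split())
        entries.append(entry)
    return entries

def triage(text):
    """Summarise WARN/ERROR entries (with repeat counts) and the final entry."""
    entries = parse_entries(text)
    problems = Counter(
        (e["level"], f'{e["src"]}:{e["func"]}', e["msg"])
        for e in entries if e["level"] in ("WARN", "ERROR")
    )
    return {"entries": len(entries), "problems": problems,
            "last": entries[-1] if entries else None}

# Excerpt of the trace in the message above; two entries deliberately share a line.
SAMPLE = (
    "lxc-start 20171205100114.685 WARN lxc_cgmanager - cgroups/cgmanager.c:cgm_get:993 - do_cgm_get exited with error\n"
    "lxc-start 20171205100114.686 INFO lxc_utils - utils.c:get_rundir:284 - XDG_RUNTIME_DIR isn't set in the environment. "
    "lxc-start 20171205100114.686 WARN lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.\n"
    "lxc-start 20171205100114.686 WARN lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.\n"
    "lxc-start 20171205100114.758 DEBUG lxc_conf - conf.c:lxc_map_ids:2604 - Functional newuidmap and newgidmap binary found.\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for (level, where, msg), count in report["problems"].most_common():
        print(f"{count}x {level} {where}: {msg}")
    last = report["last"]
    print(f'last entry: {last["ts"]} {last["src"]}:{last["func"]}:{last["line"]} {last["msg"]}')
```
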