On Sun, 9 Jan 2011 13:25:53 +0100, Patrick Winnertz <[email protected]> wrote:
> Hello,
>
> I've tried hard over the last days to set up working lxc containers on a grsec
> enabled kernel. However I failed every time with several error msgs and/or
> kernel oopses.
>
> After booting into the grsec kernel I've verified with gradm that RBAC is
> disabled before starting the containers:
>
> gradm -D
> lxc-start -n example
>
> However I then get first an error that /dev/pts can't be mounted and afterwards
> a kernel oops, which you can find attached to this mail - it seems to be some
> troubles with veth networking. I've straced the process and this is the output
> (strace-lxc1):
>
> 335:read(16, lxc-start: Operation not permitted - failed to mount a new instance of '/dev/pts'
> 336:lxc-start: failed to setup the new pts instance
> 337:lxc-start: failed to setup the container
> 344:write(2, "failed to spawn 'web'", 21failed to spawn 'web') = 21
> 358:write(2, "Device or resource busy - failed"..., 63Device or resource busy - failed to remove cgroup '/cgroup/web') = 63
>
> After a reboot I tried again, but this time I switched into the learning mode
> of grsec.. now the kernel oops is gone, however I'm now getting this error msg
> (output from strace (strace-lxc2)):
>
> failed to create vethde3FDA-veth"..., 64failed to create vethde3FDA-vethelGBjP: Operation not permitted) = 64
> 295:write(2, "failed to create netdev", 23failed to create netdev) = 23
> 299:write(2, "failed to create the network", 28failed to create the network) = 28
> 305:write(2, "failed to spawn 'web'", 21failed to spawn 'web') = 21
> 319:write(2, "No such file or directory - fail"..., 65No such file or directory - failed to remove cgroup '/cgroup/web') = 65
>
> It would be nice if someone could give me hints or advice on what is going wrong
> here and how to fix it. Full strace output of both lxc-start runs is also
> attached to the mail.
>
> Greetings
> Patrick
I can tell you I ran into similar oopses, haven't tested with learning mode though. What I did was disable CONFIG_PAX_KERNEXEC, which conflicts with CONFIG_PARAVIRT_GUEST and/or CONFIG_KVM_GUEST anyway (I was running the kernel under KVM; wish this conflict would be documented anywhere). After that, I could successfully start LXC guests without crashes. It was on 2.6.32.2-grsec if it matters.

Yes, it is a workaround, and it does not help the security of the system, but it's the best I can suggest.

_______________________________________________
Lxc-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lxc-users
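An added check script, not from this thread and not part of lxc or grsecurity, that inspects a kernel .config for the option combination the reply above reports as conflicting. The conflict itself is the replier's observation on 2.6.32.2-grsec, not a documented rule, and the /proc/config.gz and /boot/config-$(uname -r) locations are assumptions.

```shell
#!/bin/sh
# Added example: report whether a kernel config carries CONFIG_PAX_KERNEXEC
# together with CONFIG_PARAVIRT_GUEST or CONFIG_KVM_GUEST, the combination the
# reply above associates with lxc-start oopses. That association is the
# replier's observation, not a documented rule (assumption).

# cfg_enabled FILE SYMBOL -> exit 0 when "SYMBOL=y" is set in FILE
cfg_enabled() {
    grep -q "^$2=y\$" "$1"
}

# check_kernexec_conflict FILE
# Prints a verdict. Returns 1 for the reported conflicting combination,
# 0 otherwise (including when KERNEXEC is already off).
check_kernexec_conflict() {
    cfg="$1"
    if ! cfg_enabled "$cfg" CONFIG_PAX_KERNEXEC; then
        echo "CONFIG_PAX_KERNEXEC is off: workaround already applied, KERNEXEC protection is not active"
        return 0
    fi
    if cfg_enabled "$cfg" CONFIG_PARAVIRT_GUEST || cfg_enabled "$cfg" CONFIG_KVM_GUEST; then
        echo "CONFIG_PAX_KERNEXEC is on together with a paravirt/KVM guest option: combination reported to oops under lxc-start"
        return 1
    fi
    echo "CONFIG_PAX_KERNEXEC is on and no paravirt/KVM guest option is set"
    return 0
}

# running_config -> prints a path to the running kernel's config, if found.
# Locations are assumptions: /proc/config.gz (CONFIG_IKCONFIG_PROC) or /boot.
running_config() {
    tmp="${TMPDIR:-/tmp}/running.config"
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}
```

Run `check_kernexec_conflict "$(running_config)"` on the box that oopses; a non-zero exit means the config matches the combination from the reply, and a zero exit with KERNEXEC off means the hardening it provides is already gone.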
