Bug#766390: [Pkg-libvirt-maintainers] Bug#766390: libvirt0: fails unprivileged lxc domain with /proc/sys re-mount error
Hi,

To further the bug report, I installed Fedora 20, tried the container again, it fails with not understanding how to deal with sys or proc mount points, libvirt version was too low. I then updated the system to the latest virt repo, which is the same version number as Debian's 1.2.9. Tried again, fails in the same way as it does on Debian, so that's good / bad news, at least we are consistent!

I have now installed a Debian system at jessie level with kernel 3.14.2 (from d-i usb install), got my test container working with idmap: good result! Upgraded all packages to sid, container still starts: good result! Updated to linux-image-amd64 (brings in linux-image-3.16.0-4-amd64 == 3.16.7, no idea why the kernel team has changed their package names recently), container fails to start.

Looking back at the Fedora installation, it too is a 3.16 kernel. I am rather surprised the Fedora folks haven't noticed, I doubt Fedora 21 will work with idmap libvirt_lxc either. I posted on the libvir mailing list [1] about possible issues with kernel / libvirt needing to be synced for mounting proc, but nobody replied.

So in conclusion, it seems the kernel did break somewhere after 3.14.2. I will try later kernels, but I'm fishing in the dark as to where to look for the relevant changes; git bisect is a little beyond me. Do I open a bug with the kernel or should this bug just be re-assigned?

Regards,
Adrian

[1] https://www.redhat.com/archives/libvir-list/2014-October/msg00483.html
Bug#766390: [Pkg-libvirt-maintainers] Bug#766390: libvirt0: fails unprivileged lxc domain with /proc/sys re-mount error
On Thu, Oct 23, 2014 at 08:34:50PM +0100, Adrian Davey wrote:
> I tried without the unprivileged_userns_clone before doing the change as by default the Debian linux kernel doesn't set it

The only difference I can spot is that I'm not using butterfs. I'm also using systemd outside of the container. I'm not using selinux or apparmor.

Cheers,
 -- Guido
Bug#766390: [Pkg-libvirt-maintainers] Bug#766390: libvirt0: fails unprivileged lxc domain with /proc/sys re-mount error
On 24/10/2014 08:09, Guido Günther wrote:
> On Thu, Oct 23, 2014 at 08:34:50PM +0100, Adrian Davey wrote:
>> I tried without the unprivileged_userns_clone before doing the change as by default the Debian linux kernel doesn't set it
>
> The only difference I can spot is that I'm not using butterfs. I'm also using systemd outside of the container. I'm not using selinux or apparmor.
>
> Cheers,
>  -- Guido

Hi,

I pulled out an old HP N36L Microserver and did a fresh Jessie base install via d-i onto ext4. Then dist-upgraded to sid, installed the same packages to enable libvirt deployment, same result as before. So it's not a btrfs vs ext4 issue :/

root@holly2:~# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=248327,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=398492k,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=21,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=199248k,mode=700,uid=1000,gid=1000)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)

root@holly2:~# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-3.16-3-amd64 root=UUID=32338814-6c6a-4329-96a1-6cea2e4f8f4d ro cgroup_enable=memory quiet

List of installed packages and versions on the host uploaded as a text file rather than make this bug report too long.
Regards,
Adrian
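An added example (my own code, not libvirt's and not anything from this thread) to make the failing remount concrete. Reading "flags=1021" from the error as hex gives MS_RDONLY|MS_REMOUNT|MS_BIND, i.e. a read-only bind remount of /proc/sys; my reading of the breakage, which the thread itself does not state, is that a 3.16 kernel refuses a remount from inside an unprivileged user namespace when it would drop nosuid/nodev/noexec that the host's proc mount carries (see the `proc on /proc` line in the mount output above). The code decodes the flag value and computes a flag set that keeps those locked options, which is what such a remount has to pass to mount(2); the hex interpretation of the printed value is an assumption.

```c
#include <string.h>
#include <sys/mount.h>

/* "flags=1021" in the libvirt error read as hex is MS_RDONLY|MS_REMOUNT|MS_BIND,
 * a read-only bind remount of /proc/sys (assumption: libvirt prints it in hex). */
#define LXC_REMOUNT_FLAGS (MS_RDONLY | MS_REMOUNT | MS_BIND)
/* Options a remount from inside an unprivileged user namespace may not clear
 * when the original mount already carries them. */
#define LOCKED_FLAGS (MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC)

static const struct { unsigned long bit; const char *name; const char *opt; } flag_table[] = {
    { MS_RDONLY,  "MS_RDONLY",  "ro"     },
    { MS_NOSUID,  "MS_NOSUID",  "nosuid" },
    { MS_NODEV,   "MS_NODEV",   "nodev"  },
    { MS_NOEXEC,  "MS_NOEXEC",  "noexec" },
    { MS_REMOUNT, "MS_REMOUNT", NULL     },
    { MS_BIND,    "MS_BIND",    NULL     },
};
#define NFLAGS (sizeof flag_table / sizeof flag_table[0])

/* Render the known bits of a mount(2) flags value as "MS_A|MS_B". */
void describe_mount_flags(unsigned long flags, char *out, size_t outlen)
{
    out[0] = '\0';
    for (size_t i = 0; i < NFLAGS; i++) {
        if (!(flags & flag_table[i].bit))
            continue;
        if (out[0])
            strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, flag_table[i].name, outlen - strlen(out) - 1);
    }
}

/* Parse the option string of the existing mount (the "(...)" part of a mount(8)
 * line, e.g. "rw,nosuid,nodev,noexec,relatime" for proc above) and OR its locked
 * options into the wanted flags, so the remount only adds restrictions and
 * never drops one the host set. */
unsigned long preserve_locked_flags(const char *opts, unsigned long wanted)
{
    char buf[256];
    strncpy(buf, opts, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        for (size_t i = 0; i < NFLAGS; i++)
            if (flag_table[i].opt && strcmp(tok, flag_table[i].opt) == 0)
                wanted |= flag_table[i].bit & LOCKED_FLAGS;
    return wanted;
}
```

For the thread's `proc on /proc` options the function returns MS_RDONLY|MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, which is the set to hand to mount(2) instead of the bare 0x1021.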
Bug#766390: [Pkg-libvirt-maintainers] Bug#766390: libvirt0: fails unprivileged lxc domain with /proc/sys re-mount error
On Wed, Oct 22, 2014 at 07:42:04PM +0100, Adrian Davey wrote:
> Package: libvirt0
> Version: 1.2.9-3
> Severity: normal
>
> Dear Maintainer,
>
> Launching a libvirt_lxc domain with idmap enabled using virsh fails:
>
> virsh # start testvm
> error: Failed to start domain testvm
> error: internal error: guest failed to start: Failed to re-mount /proc/sys on /proc/sys flags=1021: Operation not permitted

I tried to reproduce and used the attached config, did a

    sudo ./uidmapshift -b /my/lxc/containers/lxc-test2 0 10 1000

(from nsexec, currently not packaged in Debian) and could happily start the container. The bash process also shows the uid mapping. Note that I did not set:

    echo 1 > /proc/sys/kernel/unprivileged_userns_clone

since my kernel doesn't have it. Can you check if this works for you too?

Cheers,
 -- Guido
Bug#766390: [Pkg-libvirt-maintainers] Bug#766390: libvirt0: fails unprivileged lxc domain with /proc/sys re-mount error
On 23/10/2014 13:03, Guido Günther wrote:
> On Wed, Oct 22, 2014 at 07:42:04PM +0100, Adrian Davey wrote:
>> Package: libvirt0
>> Version: 1.2.9-3
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> Launching a libvirt_lxc domain with idmap enabled using virsh fails:
>>
>> virsh # start testvm
>> error: Failed to start domain testvm
>> error: internal error: guest failed to start: Failed to re-mount /proc/sys on /proc/sys flags=1021: Operation not permitted
>
> I tried to reproduce and used the attached config, did a
>
>     sudo ./uidmapshift -b /my/lxc/containers/lxc-test2 0 10 1000
>
> (from nsexec, currently not packaged in Debian) and could happily start the container. The bash process also shows the uid mapping. Note that I did not set:
>
>     echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> since my kernel doesn't have it. Can you check if this works for you too?
>
> Cheers,
>  -- Guido

I tried without the unprivileged_userns_clone before doing the change, as by default the Debian linux kernel doesn't set it. I have just tried again without it set, exactly the same issue.

I have tried a debootstrap installation then using uidmapshift, same result. I have tried an LXC download template for sid/amd64 that does the id shift, same result. (echo 1 > /proc/sys/kernel/unprivileged_userns_clone is required to make sure the download template operation finishes.)

If it works for you then there must be something different between our setups; I guess it's a case of trying to identify what is different easily. Which kernel are you using? Do you have anything in libvirt conf that is not the default that could be related? Do normal LXC unprivileged domains work for you? I find that LXC doesn't work either, as cgroups have issues as described in [1] and then /dev/.lxc/ errors [2]. These rootfs live on a btrfs filesystem with default mount options. I was hoping systemd with libvirt would sort out my original cgroups issue and just work to complement my qemu side of libvirt.

Cheers,
Adrian

[1] https://lists.linuxcontainers.org/pipermail/lxc-users/2014-September/007776.html
[2] https://lists.linuxcontainers.org/pipermail/lxc-users/2014-September/007860.html