Re: [lxc-users] using cgroups
On Thursday, 30 June 2016, 10:36, Serge E. Hallyn <se...@hallyn.com> wrote:

Quoting Rob Edgerton (redger...@yahoo.com.au):
> hi,
> I have the same problem (cgroups not working as expected) on a clean
> Xenial build (lxc PPA NOT installed, LXD not installed)
> In my case I have some Ubuntu Trusty containers I really need to use on
> Xenial, but they won't start because I use cgroups.
> If I change the existing containers to remove the "lxc.cgroup" clauses
> from config they start, but not otherwise.
> Similarly, I created a new Xenial container for testing. It works, until
> I add "lxc.cgroups" clauses at which point it also fails to start.
>
> @virt-host:~$ lxc-start -n trusty_unp_ibvpn -F -l debug -o lxc.log
> lxc-start: cgfsng.c: cgfsng_setup_limits: 1662 No such file or directory - Error setting cpuset.cpus to 1-3 for trusty_unp_ibvpn
> lxc-start: start.c: lxc_spawn: 1180 failed to setup the cgroup limits for 'trusty_unp_ibvpn'
> lxc-start: start.c: __lxc_start: 1353 failed to spawn 'trusty_unp_ibvpn'
> lxc-start: lxc_start.c: main: 344 The container failed to start.
> lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
>
> Logfile Contents=
> lxc-start 20160628155820.562 INFO lxc_start_ui - lxc_start.c:main:264 - using rcfile /mnt/lxc_images/containers/trusty_unp_ibvpn/config
> lxc-start 20160628155820.562 WARN lxc_confile - confile.c:config_pivotdir:1879 - lxc.pivotdir is ignored. It will soon become an error.
Re: [lxc-users] using cgroups
On Thursday, 30 June 2016, 11:36, Serge E. Hallyn <se...@hallyn.com> wrote:

On Thu, Jun 30, 2016 at 11:24:25AM +1000, Rob wrote:
> On 30/06/2016 10:36 AM, Serge E. Hallyn wrote:
> >Quoting Rob Edgerton (redger...@yahoo.com.au):
> >> lxc-start 20160628155820.614 ERROR lxc_cgfsng - cgfsng.c:cgfsng_setup_limits:1662 - No such file or directory - Error setting cpuset.cpus to 1-3 for trusty_unp_ibvpn
> >ENOENT - that's unexpected...
> >
> >> lxc-start 20160628155820.615 ERROR lxc_start - start.c:lxc_spawn:1180 - failed to setup the cgroup limits for
> >>@virt-host:~$cgm --version
> >>0.29
> >Can you show 'dpkg -l | grep cgmanager' ?
> >
> >as well as cat /etc/*release
> >
> >Hi, For /proc/self/cgroup and /proc/self/mountinfo, we actually
> >need to see the contents. Can you show 'cat /proc/self/cgroup' and
> >'cat /proc/self/mountinfo'? -serge
> >___ lxc-users mailing
> >list lxc-users@lists.linuxcontainers.org
> >http://lists.linuxcontainers.org/listinfo/lxc-users
> hi Serge,
> here is the follow up info (note that I cut the msg above in order
> to reduce size)
>
> $ dpkg -l | grep cgmanager
> ii cgmanager 0.39-2ubuntu5 amd64 Central cgroup manager daemon
> ii libcgmanager0:amd64 0.39-2ubuntu5 amd64 Central cgroup manager daemon (client library)
>
> $ cat /etc/*release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=16.04
> DISTRIB_CODENAME=xenial
> DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
> NAME="Ubuntu"
> VERSION="16.04 LTS (Xenial Xerus)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 16.04 LTS"
> VERSION_ID="16.04"
> HOME_URL="http://www.ubuntu.com/"
> SUPPORT_URL="http://help.ubuntu.com/"
> BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
> UBUNTU_CODENAME=xenial
>
> $ cat /proc/self/cgroup
> 11:blkio:/user.slice
> 10:hugetlb:/
> 9:freezer:/user/redger/1
> 8:pids:/user.slice/user-1000.slice
> 7:perf_event:/
> 6:cpu,cpuacct:/user.slice
> 5:net_cls,net_prio:/
> 4:devices:/user.slice
> 3:memory:/user/redger/1
> 2:cpuset:/

Oh, ok. I'm sorry, this should have been obvious to me from the start.
You need to edit /etc/pam.d/common-session and change the line that's
something like

session optional pam_cgfs.so -c freezer,memory,name=systemd

to add ",cpuset" at the end, i.e.

session optional pam_cgfs.so -c freezer,memory,name=systemd,cpuset

It has been removed from the default because on systems which do a lot
of cpu hotplugging it can be a problem: with the legacy (non-unified)
cpuset hierarchy, when you unplug a cpu that is part of /user, it gets
removed, but when you re-plug it it does not get re-added.

hi Serge,
thanks for the response. I updated pam.d/common-session

# = RE Changed = #
#session optional pam_cgfs.so -c freezer,memory,name=systemd
session optional pam_cgfs.so -c freezer,memory,name=systemd,cpuset
# = RE Changed = #

then restarted, with similar result. Further, the config contains auth for using USB devices too

# USB devices
lxc.cgroup.devices.allow = c 10:200 rwm
# CPU & Memory limits
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500

Commenting out the first line still results in start failure, as do the other lines. Even just uncommenting the memory.limit lines leads to failure with

$ lxc-start -n trusty_unp_ibvpn -F
lxc-start: cgfsng.c: cgfsng_setup_limits: 1645 No devices cgroup setup for trusty_unp_ibvpn
lxc-start: start.c: lxc_spawn: 1226 failed to setup the devices cgroup for 'trusty_unp_ibvpn'
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'trusty_unp_ibvpn'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

here's a sample log sequence where ONLY "lxc.cgroup.memory.limit_in_bytes = 4G" was uncommented

lxc-start 20160630023739.583 INFO lxc_conf - conf.c:lxc_create_tty:3303 - tty's configured
lxc-start 20160630023739.583 INFO lxc_conf - conf.c:setup_tty:995 - 4 tty(s) has been setup
lxc-start 20160630023739.583 INFO lxc_conf - conf.c:setup_personality:1393 - set personality to '0x0'
lxc-start 20160630023739.583 DEBUG lxc_conf - conf.c:setup_caps:2056 - drop capability 'mac_admin' (33)
lxc-start 20160630023739.583 DEBUG lxc_conf - conf.c:setup_caps:2056 - drop capability 'mac_override' (32)
lxc-start 20160630023739.583 DEBUG
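
The comparison behind the pam_cgfs.so advice in the message above, as an added example that is not part of the original thread: it lists every controller the container config sets limits on that is missing from the `-c` list, which goes beyond the single cpuset case discussed. It assumes an unprivileged container whose user-owned cgroups are created by pam_cgfs.so; the function names are hypothetical and the sample inputs are copied from the messages.

```python
import re

# Sample inputs taken from the messages above (assumption: unprivileged
# container, user-owned cgroups created by pam_cgfs.so at login).
PAM_DEFAULT = "session optional pam_cgfs.so -c freezer,memory,name=systemd"
PROC_SELF_CGROUP = """\
11:blkio:/user.slice
10:hugetlb:/
9:freezer:/user/redger/1
8:pids:/user.slice/user-1000.slice
7:perf_event:/
6:cpu,cpuacct:/user.slice
5:net_cls,net_prio:/
4:devices:/user.slice
3:memory:/user/redger/1
2:cpuset:/
"""
LXC_CONFIG = """\
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500
"""

def pam_cgfs_controllers(pam_text):
    """Controllers after -c on the first uncommented pam_cgfs.so line."""
    for line in pam_text.splitlines():
        m = re.search(r"pam_cgfs\.so\s+-c\s+(\S+)", line.split("#", 1)[0])
        if m:
            return set(m.group(1).split(","))
    return set()

def session_cgroups(proc_text):
    """Map controller name -> cgroup path from /proc/self/cgroup text."""
    paths = {}
    for line in proc_text.splitlines():
        fields = line.split(":", 2)
        if len(fields) == 3:
            paths.update({c: fields[2] for c in fields[1].split(",")})
    return paths

def config_controllers(cfg_text):
    """Controllers named by uncommented lxc.cgroup.<controller>.<key> lines."""
    return set(re.findall(r"^[ \t]*lxc\.cgroup\.([a-z_]+)\.", cfg_text, re.M))

def not_delegated(cfg_text, pam_text, proc_text):
    """Controllers the config limits but pam_cgfs does not list, each with the
    session's current cgroup path (None if that hierarchy is not mounted)."""
    listed, paths = pam_cgfs_controllers(pam_text), session_cgroups(proc_text)
    return {c: paths.get(c) for c in sorted(config_controllers(cfg_text) - listed)}

if __name__ == "__main__":
    for ctrl, path in not_delegated(LXC_CONFIG, PAM_DEFAULT, PROC_SELF_CGROUP).items():
        print(f"{ctrl}: not in pam_cgfs -c list, session cgroup is {path}")
```
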
Re: [lxc-users] using cgroups
hi,
I have the same problem (cgroups not working as expected) on a clean Xenial build (lxc PPA NOT installed, LXD not installed)
In my case I have some Ubuntu Trusty containers I really need to use on Xenial, but they won't start because I use cgroups.
If I change the existing containers to remove the "lxc.cgroup" clauses from config they start, but not otherwise.
Similarly, I created a new Xenial container for testing. It works, until I add "lxc.cgroups" clauses at which point it also fails to start.

@virt-host:~$ lxc-start -n trusty_unp_ibvpn -F -l debug -o lxc.log
lxc-start: cgfsng.c: cgfsng_setup_limits: 1662 No such file or directory - Error setting cpuset.cpus to 1-3 for trusty_unp_ibvpn
lxc-start: start.c: lxc_spawn: 1180 failed to setup the cgroup limits for 'trusty_unp_ibvpn'
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'trusty_unp_ibvpn'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

Logfile Contents=
lxc-start 20160628155820.562 INFO lxc_start_ui - lxc_start.c:main:264 - using rcfile /mnt/lxc_images/containers/trusty_unp_ibvpn/config
lxc-start 20160628155820.562 WARN lxc_confile - confile.c:config_pivotdir:1879 - lxc.pivotdir is ignored. It will soon become an error.
lxc-start 20160628155820.562 INFO lxc_confile - confile.c:config_idmap:1500 - read uid map: type u nsid 0 hostid 10 range 65536
lxc-start 20160628155820.562 INFO lxc_confile - confile.c:config_idmap:1500 - read uid map: type g nsid 0 hostid 10 range 65536
lxc-start 20160628155820.564 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for reject_force_umount action 0
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:216 - Setting seccomp rule to reject force umounts
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for reject_force_umount action 0
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:216 - Setting seccomp rule to reject force umounts
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .[all].
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .kexec_load errno 1.
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for kexec_load action 327681
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for kexec_load action 327681
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .open_by_handle_at errno 1.
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for open_by_handle_at action 327681
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for open_by_handle_at action 327681
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .init_module errno 1.
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for init_module action 327681
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for init_module action 327681
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .finit_module errno 1.
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for finit_module action 327681
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for finit_module action 327681
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .delete_module errno 1.
lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for delete_module action 327681
lxc-start 20160628155820.565 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for delete_module action 327681
lxc-start 20160628155820.565 INFO lxc_seccomp - seccomp.c:parse_config_v2:456 - Merging in the compat seccomp ctx into the main one
lxc-start 20160628155820.565 DEBUG lxc_start - start.c:setup_signal_fd:289 - sigchild handler set
lxc-start 20160628155820.565 DEBUG