[Bug 1386840] Re: failure to start a container
Patch to backport the fix into utopic. ** Description changed: + [Impact] + + Without this patch containers that don't have a complete apparmor + configuration fail to start. Making lxc unusable to run Debian Sid and Jessie + (at least). + + This bug is not present in Trusty, which ships 1.0.7 (Debian Sid runs + OK). + + [Test Case] + + - Create a debian sid container + $ sudo env SUITE=sid lxc-create -t debian -n sid + + - Start the container + $ sudo lxc-start -n sid + + Expected behavior: + + The container is started + + Actual behavior: + + $ sudo lxc-start -F -n sid + lxc-start: lsm/apparmor.c: mount_feature_enabled: 61 Permission denied - Error mounting securityfs + lxc-start: lsm/apparmor.c: apparmor_process_label_set: 186 If you really want to start this container, set + lxc-start: lsm/apparmor.c: apparmor_process_label_set: 187 lxc.aa_allow_incomplete = 1 + lxc-start: lsm/apparmor.c: apparmor_process_label_set: 188 in your container configuration file + lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. 
expected 4 + lxc-start: start.c: __lxc_start: 1087 failed to spawn 'sid' + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing name=systemd:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing perf_event:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing net_prio:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing net_cls:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing memory:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing hugetlb:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing freezer:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing devices:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing cpuset:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing cpuacct:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to 
cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing cpu:lxc/sid-2 + lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request + lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing blkio:lxc/sid-2 + lxc-start: lxc_start.c: main: 337 The container failed to start. + lxc-start: lxc_start.c: main: 341 Additional information can be obtained by setting the --logfile and --logpriority options. + + + [Regression Potential] + + No regressions expected, different versions of Ubuntu and Debian containers + were tested with this patch applied. + + [Other Info] + On utopic using lxc version 1.1.0~alpha2-0ubuntu3, I was unable to start a container. $ sudo lxc-start -F -n lxc-errors lxc-start: lsm/apparmor.c: mount_feature_enabled: 61 Permission denied - Error mounting securityfs lxc-start: lsm/apparmor.c: apparmor_process_label_set: 186 If you really want to start this container, set lxc-start: lsm/apparmor.c: apparmor_process_label_set: 187 lxc.aa_allow_incomplete = 1 lxc-start: lsm/apparmor.c: apparmor_process_label_set: 188 in your container configuration file lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 4 lxc-start: start.c: __lxc_start: 1087 failed to spawn 'lxc-errors' lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing name=systemd:lxc/lxc-errors-2 Switching to the version of lxc in http://ppa.launchpad.net/ubuntu- lxc/daily/ resolved the failure to start for me. ** Summary changed: - failure to start a container + [SRU] failure to start a container ** Changed in: lxc (Ubuntu Trusty) Assignee: Felipe Reyes (freyes) = (unassigned) ** Patch added: utopic_lp1386840.debdiff
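Review bot: In the added [Impact] section, the statement that the bug is not present in Trusty conflicts with the Trusty task this same message edits; say whether Trusty needs the backport or drop that task. In [Regression Potential], "different versions of Ubuntu and Debian containers were tested" should name the releases tested so the verification can be repeated. The [Test Case] should also state that the container config leaves lxc.aa_allow_incomplete unset, since the quoted error names that option as a way to force startup.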
[Bug 1386840] Re: failure to start a container
** Changed in: lxc (Ubuntu Trusty)
     Assignee: (unassigned) => Felipe Reyes (freyes)

** Changed in: lxc (Ubuntu Utopic)
     Assignee: (unassigned) => Felipe Reyes (freyes)

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1386840

Title:
  failure to start a container

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1386840/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1386840] Re: failure to start a container
I am pushing lxc_1.1.0~alpha2-0ubuntu7 which should fix this bug. I'm hoping someone will SRU the patch to T and U. Note that any container which actually specifies the securityfs mount in its config (as the default unprivileged ubuntu configs do) should not have this problem.
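An added example, not part of the original thread or of LXC itself: a shell check that classifies a container config by the two settings this thread names, the lxc.aa_allow_incomplete override from the error text and the securityfs mount entry mentioned above. The sample configs and the mount-entry line are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not LXC code. Classifies an LXC 1.x container config
# against the two settings named in this thread.

# Print a config with lxc.include files expanded in place (plain files
# only; directory includes are not followed). Depth-limited against loops.
expand_config() {  # expand_config <file> [depth]
    [ "${2:-0}" -lt 8 ] || return 0
    sed 's/^[[:space:]]*//' "$1" | while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            lxc.include*=*)
                inc=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
                if [ -f "$inc" ]; then expand_config "$inc" $(( ${2:-0} + 1 )); fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Last assignment of a simple key (assumption: later lines override earlier).
config_value() {  # config_value <file> <key-regex>
    expand_config "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

has_securityfs_mount() {
    expand_config "$1" |
        grep -Eq '^lxc\.mount\.entry[[:space:]]*=.*sys/kernel/security'
}

audit_config() {  # prints one verdict line for <file>
    if [ "$(config_value "$1" 'lxc\.aa_allow_incomplete')" = "1" ]; then
        echo "WEAKENED: lxc.aa_allow_incomplete = 1, partial AppArmor protection accepted"
    elif has_securityfs_mount "$1"; then
        echo "OK: securityfs mount entry present"
    else
        echo "AT-RISK: no securityfs mount entry, affected lxc builds may refuse to start"
    fi
}

# Constructed sample configs (not taken from the bug report).
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
printf 'lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0\n' > "$demo_dir/common.conf"
printf 'lxc.utsname = sid\nlxc.rootfs = /var/lib/lxc/sid/rootfs\n' > "$demo_dir/sid.conf"
printf '# shared settings\nlxc.include = %s\nlxc.utsname = u1\n' "$demo_dir/common.conf" > "$demo_dir/ubuntu.conf"
printf 'lxc.utsname = sid\n  lxc.aa_allow_incomplete = 1\n' > "$demo_dir/forced.conf"
for f in sid ubuntu forced; do echo "$f: $(audit_config "$demo_dir/$f.conf")"; done
```

A WEAKENED verdict is the one to review after the fixed package is installed, since the override is no longer needed to start the container.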
[Bug 1386840] Re: failure to start a container
This bug was fixed in the package lxc - 1.1.0~alpha2-0ubuntu7

---
lxc (1.1.0~alpha2-0ubuntu7) vivid; urgency=medium

  * Cherrypick 0010-apparmor-check-for-mount-feature-at-a-better-time.patch
    from upstream to fix startup failure with certain setups (LP: #1386840)
 -- Serge Hallyn serge.hal...@ubuntu.com  Tue, 11 Nov 2014 14:54:44 -0600

** Changed in: lxc (Ubuntu)
       Status: Triaged => Fix Released
[Bug 1386840] Re: failure to start a container
This is the workaround:

  apt-get install apparmor-utils
  aa-complain /usr/bin/lxc-start

Here, I think, there should be the solution:
https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010662.html
[Bug 1386840] Re: failure to start a container
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lxc (Ubuntu Utopic)
       Status: New => Confirmed
[Bug 1386840] Re: failure to start a container
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lxc (Ubuntu Trusty)
       Status: New => Confirmed
[Bug 1386840] Re: failure to start a container
** Changed in: lxc (Ubuntu)
   Importance: Undecided => High

** Changed in: lxc (Ubuntu)
       Status: New => Triaged

** Also affects: lxc (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Utopic)
   Importance: Undecided
       Status: New