Public bug reported:

Dear all,

When trying to start an LXC container with Xenial on both host and
container, if the sys_admin capability is dropped (lxc.cap.drop = sys_admin
in the config file), the container fails to start, because systemd fails
to mount the cgroup filesystem in the container. The workaround is to
manually mount the cgroup filesystem before starting the container
(using lxc.mount.entry in the config file), but LXC performs the
mount too early, before being in the container's cgroup namespace, which
means what is mounted matches the host cgroup namespace, not the container
namespace.

The bug was already reported upstream[1][2], but didn't make it to Ubuntu yet,
AFAIK.
A fix was merged in master[3]; would it be possible to have it in Ubuntu Xenial?

So far, we manually patch Ubuntu LXC packages with that patch and have
observed no regressions.

Thanks!

Cheers,
P. Schweitzer

[1]: https://github.com/lxc/lxc/pull/1597
[2]: https://github.com/lxc/lxc/pull/1606
[3]: https://github.com/lxc/lxc/commit/c1cecfdd050818865653d7941d7bae5d755246ae

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New
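An added example (not from the bug report, not LXC's own code): a check for the symptom described above, namely whether the cgroupfs a process sees was mounted from inside its own cgroup namespace or from the host's. It assumes the cgroup-v1 layout Xenial uses (one directory per controller under /sys/fs/cgroup, with name=systemd mounted as systemd); the /proc/self/cgroup text and the directory layouts built in demo() are constructed samples.

```python
import os
import tempfile
from pathlib import Path

# Constructed /proc/self/cgroup as seen from inside a cgroup namespace on a
# cgroup-v1 host (Xenial): every hierarchy is reported at "/".
CONSTRUCTED_PROC_CGROUP = "10:memory:/\n9:cpu,cpuacct:/\n1:name=systemd:/\n"


def mount_name(controllers):
    """Directory under /sys/fs/cgroup; 'name=systemd' is mounted as 'systemd'."""
    return controllers[5:] if controllers.startswith("name=") else controllers


def check_cgroup_view(proc_cgroup_text, sysfs_root, pid):
    """Return controllers whose mounted hierarchy does not list `pid` at the path
    /proc/<pid>/cgroup reports (cgroup-v1 lines are 'id:controllers:path').
    Non-empty means cgroupfs was mounted from another cgroup namespace (the host's)."""
    bad = []
    for line in filter(str.strip, proc_cgroup_text.splitlines()):
        _hid, controllers, path = line.split(":", 2)
        procs = Path(sysfs_root, mount_name(controllers), path.lstrip("/"), "cgroup.procs")
        try:
            pids = {int(p) for p in procs.read_text().split()}
        except (FileNotFoundError, ValueError):
            pids = set()
        if pid not in pids:
            bad.append(controllers)
    return bad


def check_self(sysfs_root="/sys/fs/cgroup"):
    """Run the check for the calling process against the real mount (Linux only)."""
    return check_cgroup_view(Path("/proc/self/cgroup").read_text(), sysfs_root, os.getpid())


def _write(root, rel, content):
    p = Path(root, rel, "cgroup.procs")
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def demo(pid=42):
    """Two constructed layouts: cgroupfs mounted inside the container's namespace
    (pid sits at the root) versus mounted from the host namespace (root lists host
    tasks; the container's real cgroup is buried under /lxc/c1)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, host = Path(tmp, "good"), Path(tmp, "host")
        for ctrl in ("memory", "cpu,cpuacct", "systemd"):
            _write(good, ctrl, f"1 {pid}\n")
            _write(host, ctrl, "1 2\n")                  # host root: host pids only
            _write(host, f"{ctrl}/lxc/c1", f"{pid}\n")   # where pid really lives
        return (check_cgroup_view(CONSTRUCTED_PROC_CGROUP, good, pid),
                check_cgroup_view(CONSTRUCTED_PROC_CGROUP, host, pid))
```

Run check_self() from inside a container started with the lxc.mount.entry workaround: an empty list means the mounted hierarchies match the container's cgroup namespace, a non-empty list reproduces the mismatch the report describes.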

https://bugs.launchpad.net/bugs/1713674

Title:
  Starting Xenial lxc without cap_sysadmin fails

Status in lxc package in Ubuntu:
  New

