On Thu, 2017-09-14 at 09:23 +0200, Yves-Alexis Perez wrote:
> Package: lxc
> Version: 1:2.0.7-2
> Severity: normal
> 
> I'll set up a more simple container and config so I can provide it and
> some logs to you so you can reproduce.

lxc-create -n test -t debian

I added:

lxc.autodev = 1
lxc.mount.auto = proc:mixed
lxc.mount.auto = sys:mixed
lxc.mount.auto = cgroup:mixed
lxc.cap.drop = sys_admin

to the lxc configuration, but I think for now only the last two lines matter:
dropping CAP_SYS_ADMIN will prevent systemd from doing the mounts itself, and
lxc.mount.auto = cgroup:mixed should have lxc mount /sys/fs/cgroup properly
(and thus systemd should be happy), but it's not working.

I'm starting with:

lxc-start -n test -o /tmp/lxc.log -l DEBUG -F
Failed to mount tmpfs at /dev/shm: Operation not permitted
Failed to mount tmpfs at /run: Operation not permitted
Failed to mount tmpfs at /run/lock: Operation not permitted
Failed to mount tmpfs at /sys/fs/cgroup: Operation not permitted
Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
[!!!!!!] Failed to mount API filesystems, freezing.
Freezing execution.

and I'm attaching the lxc.log here. There are some more errors in the console
logs because I don't set up some of the mounts, but they don't look critical
since they don't prevent the boot.

Regards,
-- 
Yves-Alexis
      lxc-start 20170914075446.754 INFO     lxc_start_ui - tools/lxc_start.c:main:275 - using rcfile /var/lib/lxc/test/config
      lxc-start 20170914075446.755 WARN     lxc_confile - confile.c:config_pivotdir:1910 - lxc.pivotdir is ignored.  It will soon become an error.
      lxc-start 20170914075446.756 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver nop
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for reject_force_umount action 0.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for reject_force_umount action 0.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .[all].
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .kexec_load errno 1.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for kexec_load action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for kexec_load action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .open_by_handle_at errno 1.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for open_by_handle_at action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for open_by_handle_at action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .init_module errno 1.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for init_module action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for init_module action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .finit_module errno 1.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for finit_module action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for finit_module action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .delete_module errno 1.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for delete_module action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for delete_module action 327681.
      lxc-start 20170914075446.756 INFO     lxc_seccomp - seccomp.c:parse_config_v2:580 - Merging in the compat Seccomp ctx into the main one.
      lxc-start 20170914075446.756 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20170914075446.756 DEBUG    lxc_start - start.c:setup_signal_fd:273 - Set SIGCHLD handler with file descriptor: 5.
      lxc-start 20170914075446.757 DEBUG    console - console.c:lxc_console_peer_default:430 - opening /dev/tty for console peer
      lxc-start 20170914075446.757 DEBUG    console - console.c:lxc_console_peer_default:436 - using '/dev/tty' as console
      lxc-start 20170914075446.757 DEBUG    console - console.c:lxc_console_sigwinch_init:144 - 2156 got SIGWINCH fd 9
      lxc-start 20170914075446.757 DEBUG    console - console.c:lxc_console_winsz:71 - set winsz dstfd:6 cols:119 rows:75
      lxc-start 20170914075446.757 INFO     lxc_start - start.c:lxc_init:475 - Container "test" is initialized.
      lxc-start 20170914075446.759 DEBUG    lxc_start - start.c:__lxc_start:1317 - Not dropping CAP_SYS_BOOT or watching utmp.
      lxc-start 20170914075446.759 INFO     lxc_cgroup - cgroups/cgroup.c:cgroup_init:68 - cgroup driver cgroupfs initing for test
      lxc-start 20170914075446.765 INFO     lxc_start - start.c:lxc_spawn:1154 - Cloned CLONE_NEWNS.
      lxc-start 20170914075446.765 INFO     lxc_start - start.c:lxc_spawn:1154 - Cloned CLONE_NEWPID.
      lxc-start 20170914075446.765 INFO     lxc_start - start.c:lxc_spawn:1154 - Cloned CLONE_NEWUTS.
      lxc-start 20170914075446.766 INFO     lxc_start - start.c:lxc_spawn:1154 - Cloned CLONE_NEWIPC.
      lxc-start 20170914075446.766 INFO     lxc_start - start.c:lxc_spawn:1154 - Cloned CLONE_NEWNET.
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.deny' set to 'a'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c *:* m'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'b *:* m'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:3 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:5 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:7 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 5:0 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 5:1 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 5:2 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:8 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:9 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 136:* rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 10:229 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 254:0 rm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 10:200 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 10:228 rwm'
      lxc-start 20170914075446.766 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 10:232 rwm'
      lxc-start 20170914075446.766 INFO     lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2046 - cgroup has been setup
      lxc-start 20170914075446.767 DEBUG    lxc_conf - conf.c:setup_rootfs:1273 - mounted '/var/lib/lxc/test/rootfs' on '/usr/lib/x86_64-linux-gnu/lxc/rootfs'
      lxc-start 20170914075446.767 INFO     lxc_conf - conf.c:setup_utsname:901 - 'test' hostname has been setup
      lxc-start 20170914075446.767 INFO     lxc_conf - conf.c:setup_network:2473 - network has been setup
      lxc-start 20170914075446.767 INFO     lxc_conf - conf.c:mount_autodev:1130 - Mounting container /dev
      lxc-start 20170914075446.768 INFO     lxc_conf - conf.c:mount_autodev:1153 - Mounted tmpfs onto /usr/lib/x86_64-linux-gnu/lxc/rootfs/dev
      lxc-start 20170914075446.768 INFO     lxc_conf - conf.c:mount_autodev:1171 - Mounted container /dev
      lxc-start 20170914075446.768 INFO     lxc_conf - conf.c:mount_entry:1704 - failed to mount '/sys/fs/fuse/connections' on '/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections' (optional): No such file or directory
      lxc-start 20170914075446.769 INFO     lxc_conf - conf.c:mount_file_entries:1985 - mount points have been setup
      lxc-start 20170914075446.769 INFO     lxc_conf - conf.c:fill_autodev:1199 - Creating initial consoles under container /dev
      lxc-start 20170914075446.769 INFO     lxc_conf - conf.c:fill_autodev:1210 - Populating container /dev
      lxc-start 20170914075446.769 INFO     lxc_conf - conf.c:fill_autodev:1247 - Populated container /dev
      lxc-start 20170914075446.769 INFO     lxc_conf - conf.c:setup_dev_console:1495 - console has been setup
      lxc-start 20170914075446.769 INFO     lxc_utils - utils.c:mount_proc_if_needed:1785 - I am 1, /proc/self points to '1'
      lxc-start 20170914075446.783 DEBUG    lxc_conf - conf.c:setup_rootfs_pivot_root:1108 - pivot_root syscall to '/usr/lib/x86_64-linux-gnu/lxc/rootfs' successful
      lxc-start 20170914075446.784 DEBUG    lxc_conf - conf.c:lxc_create_tty:3429 - allocated pty '/dev/pts/0' (11/14)
      lxc-start 20170914075446.784 DEBUG    lxc_conf - conf.c:lxc_create_tty:3429 - allocated pty '/dev/pts/1' (15/16)
      lxc-start 20170914075446.784 DEBUG    lxc_conf - conf.c:lxc_create_tty:3429 - allocated pty '/dev/pts/2' (17/18)
      lxc-start 20170914075446.784 DEBUG    lxc_conf - conf.c:lxc_create_tty:3429 - allocated pty '/dev/pts/3' (19/20)
      lxc-start 20170914075446.784 INFO     lxc_conf - conf.c:lxc_create_tty:3440 - tty's configured
      lxc-start 20170914075446.784 INFO     lxc_conf - conf.c:setup_tty:1053 - 4 tty(s) has been setup
      lxc-start 20170914075446.784 INFO     lxc_conf - conf.c:setup_personality:1451 - set personality to '0x0'
      lxc-start 20170914075446.784 DEBUG    lxc_conf - conf.c:setup_caps:2135 - drop capability 'mac_admin' (33)
      lxc-start 20170914075446.784 DEBUG    lxc_conf - conf.c:setup_caps:2135 - drop capability 'mac_override' (32)
      lxc-start 20170914075446.784 DEBUG    lxc_conf - conf.c:setup_caps:2135 - drop capability 'sys_time' (25)
      lxc-start 20170914075446.785 DEBUG    lxc_conf - conf.c:setup_caps:2135 - drop capability 'sys_module' (16)
      lxc-start 20170914075446.785 DEBUG    lxc_conf - conf.c:setup_caps:2135 - drop capability 'sys_rawio' (17)
      lxc-start 20170914075446.785 DEBUG    lxc_conf - conf.c:setup_caps:2135 - drop capability 'sys_admin' (21)
      lxc-start 20170914075446.785 DEBUG    lxc_conf - conf.c:setup_caps:2144 - capabilities have been setup
      lxc-start 20170914075446.785 NOTICE   lxc_conf - conf.c:lxc_setup:3977 - 'test' is setup.
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.deny' set to 'a'
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c *:* m'
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'b *:* m'
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:3 rwm'
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:5 rwm'
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:7 rwm'
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 5:0 rwm'
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 5:1 rwm'
      lxc-start 20170914075446.785 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 5:2 rwm'
      lxc-start 20170914075446.786 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:8 rwm'
      lxc-start 20170914075446.786 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 1:9 rwm'
      lxc-start 20170914075446.786 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 136:* rwm'
      lxc-start 20170914075446.786 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 10:229 rwm'
      lxc-start 20170914075446.786 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 254:0 rm'
      lxc-start 20170914075446.786 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 10:200 rwm'
      lxc-start 20170914075446.786 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 10:228 rwm'
      lxc-start 20170914075446.786 DEBUG    lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2042 - cgroup 'devices.allow' set to 'c 10:232 rwm'
      lxc-start 20170914075446.786 INFO     lxc_cgfs - cgroups/cgfs.c:do_setup_cgroup_limits:2046 - cgroup has been setup
      lxc-start 20170914075446.786 INFO     lxc_start - start.c:do_start:836 - Unshared CLONE_NEWCGROUP.
      lxc-start 20170914075446.787 NOTICE   lxc_start - start.c:start:1428 - Exec'ing "/sbin/init".
      lxc-start 20170914075446.789 NOTICE   lxc_start - start.c:post_start:1439 - Started "/sbin/init" with pid "2160".
      lxc-start 20170914075446.789 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20170914075446.789 WARN     lxc_start - start.c:signal_handler:322 - Invalid pid for SIGCHLD. Received pid 2159, expected pid 2160.
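
An added triage example (not part of the original report or of LXC itself): it correlates the configuration, console output and lxc.log excerpts quoted above to separate mounts that init was denied from follow-on failures. The helper names are hypothetical, and it assumes repeated lxc.mount.auto and lxc.cap.drop lines accumulate.

```python
import re

# Excerpts copied from the report above (config, console output, lxc.log).
CONFIG = """\
lxc.autodev = 1
lxc.mount.auto = proc:mixed
lxc.mount.auto = sys:mixed
lxc.mount.auto = cgroup:mixed
lxc.cap.drop = sys_admin
"""
CONSOLE = """\
Failed to mount tmpfs at /dev/shm: Operation not permitted
Failed to mount tmpfs at /run: Operation not permitted
Failed to mount tmpfs at /run/lock: Operation not permitted
Failed to mount tmpfs at /sys/fs/cgroup: Operation not permitted
Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
"""
LOG = "lxc-start 20170914075446.785 DEBUG    lxc_conf - conf.c:setup_caps:2135 - drop capability 'sys_admin' (21)\n"

def config_values(text, key):
    """Collect every value given for `key` (assumption: repeated keys accumulate)."""
    vals = []
    for line in text.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            vals += v.split()
    return vals

def triage(config, console, log):
    dropped_cfg = set(config_values(config, "lxc.cap.drop"))
    dropped_log = set(re.findall(r"drop capability '(\w+)'", log))
    wants_cgroup = any(m.startswith("cgroup") for m in config_values(config, "lxc.mount.auto"))
    fails = re.findall(r"^Failed to mount \S+ at (\S+): (.+)$", console, re.M)
    # EPERM: init called mount(2) itself and was refused.
    denied = [tgt for tgt, err in fails if err == "Operation not permitted"]
    other = [(tgt, err) for tgt, err in fails if err != "Operation not permitted"]
    return {
        "sys_admin_dropped": "sys_admin" in dropped_cfg & dropped_log,
        "cgroup_automount_requested": wants_cgroup,
        "init_mounts_denied": denied,
        "other_failures": other,
        # Symptom reported here: the automount was requested, yet init still
        # tried to mount /sys/fs/cgroup itself and got EPERM.
        "automount_not_effective": "/sys/fs/cgroup" in denied and wants_cgroup,
    }

if __name__ == "__main__":
    for key, value in triage(CONFIG, CONSOLE, LOG).items():
        print(f"{key}: {value}")
```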
