On Feb 18, 2014, at 12:16 AM, Serge Hallyn <serge.hal...@ubuntu.com> wrote:
>> Ah, that's the ticket:
>>
>> lambda@gherkin:~$ cat /proc/sys/kernel/unprivileged_userns_clone
>> 0
>>
>> Looks like this is a Debian specific patch,
>
> *cough* pls not to ask how i knew to query it kthx
>
>> which is why looking at the upstream kernel source left me puzzled about why
>> I'd be getting an EPERM.
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712870
>>
>> * namespaces: Enable USER_NS (Closes: #712870)
>> - Restrict creation of user namespaces to root (CAP_SYS_ADMIN) by
>> default (sysctl: kernel.unprivileged_userns_clone)
>>
>> Works much better when I flip that to 1!
>>
>> lambda@gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test -t download -- -d ubuntu -r precise -a amd64
>> Setting up the GPG keyring
>> Downloading the image index
>> Downloading the rootfs
>> Downloading the metadata
>> The image cache is now ready
>> Unpacking the rootfs
>>
>> ---
>> You just created an Ubuntu container (release=precise, arch=amd64).
>> The default username/password is: ubuntu / ubuntu
>> To gain root privileges, please use sudo.
>>
>> Now I need to figure out what is required for the setup of cgroups,
>> since now that's failing. It looks like it's trying to clear out the
>> cgroup hierarchy to be able to set it up differently, but obviously
>> doesn't have permissions to do so. I'm running systemd, which uses the
>> cgroup hierarchy already. I've seen references to cgroup-lite,
>> cgroup-bin, and cgroup-tools; do I need one of these packages to
>> set up cgroups appropriately for unprivileged containers? Or is it
>> possible to do natively with systemd?
>>
>> lambda@gherkin:lxc$ lxc-start -n precise-test
>> lxc_container: Could not set clone_children to 1 for cpuset hierarchy in
>> parent cgroup.
>
> I thought we'd stopped doing that, but I guess not fully.
> Could you try this patch?
>
> Subject: [PATCH 1/1] continue if we cannot set cpuset.clonechildren
>
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>

It does get rid of that specific error, but still goes on to fail:

lambda@gherkin:lxc (master)$ lxc-start -n precise-test
lxc_container: Permission denied - Could not create cgroup /precise-test
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cups.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/gdomap.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cups-browsed.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/netatalk.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/udisks2.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/colord.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/upower.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/winbind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/smbd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/console-kit-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/acpid.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/polkitd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/gdm3.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/getty@.service/getty@tty1.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/getty@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/accounts-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/network-manager.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/dbus.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/rsyslog.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-logind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ntp.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ssh.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/cron.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/nmbd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/avahi-daemon.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/incron.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/atd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/minissdpd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/exim4.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/mdadm.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/ifup@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/nfs-common.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/rpcbind.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-fsck@.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-udevd.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system/systemd-journald.service
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct//system
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
lxc_container: Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
lxc_container: failed creating cgroups
lxc_container: failed to spawn 'precise-test'

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
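The two preconditions this exchange turns on, as an added diagnostic script that is not part of the thread and not LXC's own tooling: first, whether the kernel allows unprivileged user namespace creation (the Debian-specific kernel.unprivileged_userns_clone sysctl quoted above; upstream kernels of that era have no such knob and allow it whenever CONFIG_USER_NS is set), and second, whether the invoking user can create a child cgroup in each cgroup v1 hierarchy, which is the EACCES that lxc-start reports above once the sysctl is flipped. The script only reads the sysctl and never changes it; Debian ships 0 because unprivileged user namespaces expose more kernel surface to ordinary users, so enabling it is a deliberate decision, not a fix-up. The function names, the "report" argument and the probe directory name are my own; the sysctl path and the /sys/fs/cgroup layout are the ones in the mail.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from LXC). Checks the two things
# an unprivileged lxc-start needs on a Debian host of the kind discussed
# above: user namespace creation allowed, and a writable cgroup per hierarchy.

# Report how the kernel handles unprivileged CLONE_NEWUSER.
# $1 is the sysctl file to inspect; it defaults to the Debian path from the
# mail so the script can be run as-is. Prints one of:
#   enabled | disabled | no-sysctl | unknown
userns_clone_status() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -e "$f" ]; then
        # Upstream kernels have no such knob: unprivileged user namespaces
        # are allowed whenever CONFIG_USER_NS is set.
        echo "no-sysctl"
        return 0
    fi
    case "$(cat "$f")" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# For each controller directory under a cgroup v1 mount root ($1, default
# /sys/fs/cgroup), try to create and remove a throwaway child cgroup, which is
# exactly the operation that failed with "Permission denied" above.
# Prints one "<controller> writable" or "<controller> read-only" line each.
cgroup_hierarchy_access() {
    root="${1:-/sys/fs/cgroup}"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        probe="$d.lxc-probe-$$"     # hypothetical probe name, removed again
        if mkdir "$probe" 2>/dev/null; then
            rmdir "$probe"
            echo "$name writable"
        else
            echo "$name read-only"
        fi
    done
}

# Number of hierarchies the caller cannot write to. Zero means cgroup
# creation should not fail with EACCES the way the trace above shows.
count_readonly_hierarchies() {
    cgroup_hierarchy_access "$1" | grep -c ' read-only$' || true
}

# Run both checks against the live system only when asked explicitly:
#   sh lxc-unpriv-check.sh report
if [ "${1:-}" = "report" ]; then
    echo "kernel.unprivileged_userns_clone: $(userns_clone_status)"
    cgroup_hierarchy_access
    echo "read-only hierarchies: $(count_readonly_hierarchies)"
fi
```

On the host in the mail the first line of the report would read `disabled` before the sysctl was flipped and `enabled` after, and every hierarchy that systemd already owns would show as `read-only`, which is why lxc-start has nothing it can create under. Note that the probe only tells you whether a directory can be created; a systemd-managed hierarchy may still refuse later attribute writes, so a clean report is a necessary but not a sufficient condition.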