Hi Serge,

> On May 4, 2017, at 9:00 AM, Serge E. Hallyn <serge at hallyn.com> wrote:
>
> Quoting Ben Warren (ben at skyportsystems.com):
>> Hi,
>>
>> I’m stuck with Ubuntu 14.04 for now and would like to be able to run
>> unprivileged containers that are systemd-based. I’ve found lots of examples
>> of problems that are close, but nothing exactly matches. I got the lxc
>> packages from trusty-backports.
>>
>> Versions:
>>
>> ben at ben-sc:~$ lxc-ls --version
>> 2.0.7
>> ben at ben-sc:~$ cat /etc/lsb-release
>> DISTRIB_ID=Ubuntu
>> DISTRIB_RELEASE=14.04
>> DISTRIB_CODENAME=trusty
>> DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
>>
>> To keep it simple, I created an unprivileged container of ‘trusty’ using the
>> download method:
>>
>> ben at ben-sc:~$ lxc-create -n cd-build -t download
>>
>>
>> When I try to start the container, it won’t work:
>>
>> ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
>> lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
>> lxc-start: tools/lxc_start.c: main: 368 To get more details, run the
>> container in foreground mode.
>> lxc-start: tools/lxc_start.c: main: 370 Additional information can be
>> obtained by setting the --logfile and --logpriority options.
>>
>> Logfile contents:
>>
>> lxc-start 20170503225525.382 ERROR lxc_cgfsng -
>> cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not
>> permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu
>> read-only
>
> This is odd, not the error I would have expected.
>
> Can you tell me the exact version and from which ppa?
>

$ dpkg -s lxc
Package: lxc
Status: install ok installed
Priority: extra
Section: oldlibs
Installed-Size: 77
Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
Architecture: all
Version: 2.0.7-0ubuntu1~14.04.1
Depends: lxc1 (>= 2.0.7-0ubuntu1~14.04.1)

I got it from here:

http://us.archive.ubuntu.com/ubuntu/ trusty-backports

Here’s what gets installed:

$ sudo apt-get install -t trusty-backports lxc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc-common lxc-templates lxc1 python-distro-info python-requestbuilder python3-lxc uidmap
Suggested packages:
  shunit2 gnutls-bin btrfs-tools lvm2 lxctl
Recommended packages:
  lxcfs libpam-cgfs
The following NEW packages will be installed:
  bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc lxc-common lxc-templates lxc1 python-distro-info python-requestbuilder python3-lxc uidmap

As for the overall environment, this is a VM that was originally set up almost 3 years ago, and as a lab machine has only been piecemeal updated over time as needed. The problem is that I have probably a hundred identical instances and am concerned that the package dependencies are maybe not quite right. I’m certainly willing to update whatever individual packages are necessary to get this going. I have the VM snapshotted before trying this, so it’s trivial to reproduce.

> Is there anything in syslog about the failed mount?
>

This is all I see.
It’s at lxc install time, now when trying to start the container:

May 7 21:01:01 ben-sc kernel: [ 103.486718] type=1400 audit(1494216061.420:68): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.486925] type=1400 audit(1494216061.420:69): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.487100] type=1400 audit(1494216061.420:70): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.487292] type=1400 audit(1494216061.420:71): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.519003] type=1400 audit(1494216061.452:72): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=5835 comm="apparmor_parser"

> You might try some of the other cgroup auto-mount settings (see
> lxc.container.conf(5)), maybe
>
> lxc.mount.auto = cgroup:rw
>

I tried that, and get:

lxc-start 20170508041726.340 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
lxc-start 20170508041726.340 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170508041726.340 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170508041726.340 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170508041726.340 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170508041726.340 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".

>> lxc-start 20170503225525.382 ERROR lxc_conf -
>> conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting
>> /sys/fs/cgroup
>> lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_setup:3885
>> - failed to setup the automatic mounts for 'cd-build'
>> lxc-start 20170503225525.382 ERROR lxc_start - start.c:do_start:811
>> - Failed to setup container "cd-build".
>> lxc-start 20170503225525.382 ERROR lxc_sync - sync.c:__sync_wait:57
>> - An error occurred in another process (expected sequence number 3)
>> lxc-start 20170503225525.382 ERROR lxc_start -
>> start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
>> lxc-start 20170503225530.922 ERROR lxc_start_ui -
>> tools/lxc_start.c:main:366 - The container failed to start.
>> lxc-start 20170503225530.923 ERROR lxc_start_ui -
>> tools/lxc_start.c:main:368 - To get more details, run the container in
>> foreground mode.
>> lxc-start 20170503225530.923 ERROR lxc_start_ui -
>> tools/lxc_start.c:main:370 - Additional information can be obtained by
>> setting the --logfile and --logpriority options.
>>
>> Also:
>>
>> ————————————
>>
>> ben at ben-sc:~$ cat /proc/self/cgroup
>> 12:name=dsystemd:/
>> 11:name=systemd:/user/1001.user/c2.session
>> 10:hugetlb:/user/1001.user/c2.session
>> 9:perf_event:/user/1001.user/c2.session
>> 8:blkio:/user/1001.user/c2.session
>> 7:freezer:/user/1001.user/c2.session
>> 6:devices:/user/1001.user/c2.session
>> 5:memory:/user/1001.user/c2.session
>> 4:cpuacct:/user/1001.user/c2.session
>> 3:cpu:/user/1001.user/c2.session
>> 2:cpuset:/
>>
>> ben at ben-sc:~$ lxc-checkconfig
>> Kernel configuration not found at /proc/config.gz; searching...
>> Kernel configuration found at /boot/config-3.13.0-40-generic
>> --- Namespaces ---
>> Namespaces: enabled
>> Utsname namespace: enabled
>> Ipc namespace: enabled
>> Pid namespace: enabled
>> User namespace: enabled
>> Network namespace: enabled
>> Multiple /dev/pts instances: enabled
>>
>> --- Control groups ---
>> Cgroup: enabled
>> Cgroup clone_children flag: enabled
>> Cgroup device: enabled
>> Cgroup sched: enabled
>> Cgroup cpu account: enabled
>> Cgroup memory controller: enabled
>> Cgroup cpuset: enabled
>>
>> --- Misc ---
>> Veth pair device: enabled
>> Macvlan: enabled
>> Vlan: enabled
>> Bridges: enabled
>> Advanced netfilter: enabled
>> CONFIG_NF_NAT_IPV4: enabled
>> CONFIG_NF_NAT_IPV6: enabled
>> CONFIG_IP_NF_TARGET_MASQUERADE: enabled
>> CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
>> CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
>> FUSE (for use with lxcfs): enabled
>>
>> --- Checkpoint/Restore ---
>> checkpoint restore: enabled
>> CONFIG_FHANDLE: enabled
>> CONFIG_EVENTFD: enabled
>> CONFIG_EPOLL: enabled
>> CONFIG_UNIX_DIAG: enabled
>> CONFIG_INET_DIAG: enabled
>> CONFIG_PACKET_DIAG: enabled
>> CONFIG_NETLINK_DIAG: enabled
>> File capabilities: enabled
>>
>> Note : Before booting a new kernel, you can check its configuration
>> usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
>>
>> ————————————
>>
>> Hopefully I just missed something obvious.
>>
>> thanks,
>> —Ben
>>
>>
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>

regards,
Ben

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users