On 01/09/2011 01:25 PM, Patrick Winnertz wrote:
> Hello,
>
> I've tried hard over the last few days to set up working lxc containers on a grsec
> enabled kernel. However, I failed every time with several error msgs and/or
> kernel oopses.
>
> After booting into the grsec kernel I've verified with gradm that RBAC is
> disabled to start the containers first:
>
> gradm -D
> lxc-start -n example
>
> however I then first get an error that /dev/pts can't be mounted and
> afterwards a kernel oops, which you can find attached to this mail - it seems to be
> some trouble with veth networking. I've straced the process and this is the output
> (strace-lxc1):

Hi Patrick,

thanks for the detailed information.

Is it possible you add the addr2line and code context of gr_acl_handle_hidden_file?

> instance of '/dev/pts'
> 336:lxc-start: failed to setup the new pts instance
> 337:lxc-start: failed to setup the container

Is the kernel compiled with CONFIG_DEVPTS_MULTIPLE_INSTANCES?

> 344:write(2, "failed to spawn 'web'", 21failed to spawn 'web') = 21
> 358:write(2, "Device or resource busy - failed"..., 63Device or resource busy
> - failed to remove cgroup '/cgroup/web') = 63
>
> After a reboot I tried again, but this time I switched into the learning mode
> of grsec.. now the kernel oops is gone, however I'm now getting this error msg
> (output from strace (strace-lxc2)):

mmh, weird. I don't know grsec, but is it possible the security prevents the creation of such pair devices?

As the pair device creation happens before the pivot_root, if that fails we exit before the pivot_root code, which can explain why you don't have the kernel oops.

Can you try to create a pair device without using the containers?

ip link add veth1234 type veth peer name veth4321

> failed to create vethde3FDA-veth"..., 64failed to create vethde3FDA-vethelGBjP
> : Operation not permitted) = 64
> 295:write(2, "failed to create netdev", 23failed to create netdev) = 23
> 299:write(2, "failed to create the network", 28failed to create the network) = 28
> 305:write(2, "failed to spawn 'web'", 21failed to spawn 'web') = 21
> 319:write(2, "No such file or directory - fail"..., 65No such file or directory
> - failed to remove cgroup '/cgroup/web') = 65
>
> It would be nice if someone could give me hints or advice on what is going wrong
> here and how to fix it. Full strace output of both lxc-start runs is also
> attached to the mail
>
> Greetings
> Patrick
>
> _______________________________________________
> Lxc-users mailing list
> Lxc-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users
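A small diagnostic script, added here as an example and not part of the thread, that checks the two points raised in the reply above on the host: whether the running kernel's config has CONFIG_DEVPTS_MULTIPLE_INSTANCES set, and whether a veth pair can be created outside any container (an EPERM here, as in Patrick's strace, means the host policy rather than lxc is blocking it). The config file locations and the veth names vethtest0/vethtest1 are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the original mail): checks the two questions in
# the reply above. Interface names and config paths below are assumptions.

# Return 0 if CONFIG_DEVPTS_MULTIPLE_INSTANCES is built in or a module in the
# kernel config text read from stdin; "# ... is not set" lines do not match.
devpts_multi_enabled() {
    grep -Eq '^CONFIG_DEVPTS_MULTIPLE_INSTANCES=(y|m)$'
}

# Print the running kernel's config to stdout (nothing if it cannot be found).
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Create and immediately delete a veth pair with the given names, the same
# test the reply suggests with "ip link add ... type veth peer name ...".
# Returns 0 on success, non-zero if the kernel or the host policy refuses.
veth_pair_works() {
    a=$1
    b=$2
    ip link add "$a" type veth peer name "$b" || return 1
    ip link del "$a"
}

main() {
    if kernel_config | devpts_multi_enabled; then
        echo "CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled"
    else
        echo "CONFIG_DEVPTS_MULTIPLE_INSTANCES: not set (or kernel config not found)"
    fi
    if veth_pair_works vethtest0 vethtest1; then
        echo "veth pair creation on the host: OK"
    else
        echo "veth pair creation on the host failed; check the host policy (gradm/RBAC), not lxc"
    fi
}

main "$@"
```

Run it as root on the grsec host, once with RBAC disabled and once in learning mode, to separate a kernel-config problem from a policy denial.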