[Touch-packages] [Bug 1843490] Re: lxc.cgroup.devices.allow prevents unprivileged container from starting

2019-09-22 Thread linas
So is there a workaround? In my case, I'm trying to access an OpenCL gpu
from a userland container. I was assuming that the below might be
enough.

lxc.mount.entry = /dev/dri/card1 dev/dri/card1 none bind,optional,create=file
lxc.mount.entry = /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file

lxc.cgroup.devices.allow = c 226:* rwm

The mounts work (although owned by nobody:nobody instead of root:video)
and the devices cgroup stanza in the config file generates the container
boot error, as described above. The mounts are not enough to get opencl
access in the container: running "clinfo" (the opencl diagnostic) in the
container doesn't find the devices (I presume because of ... well,
something to do with /dev/dri but don't really know)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1843490

Title:
  lxc.cgroup.devices.allow prevents unprivileged container from starting

Status in lxc package in Ubuntu:
  Invalid

Bug description:
  Adding lxc.cgroup.devices.allow directives to an unprivileged
  container config prevents the container from starting. These lxc-start
  errors look relevant:

  
  lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:204 - There is no useable devices controller
  lxc-start testbox 20190910192712.171 ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2191 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
  lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2228 - Failed to set "devices.allow" to "c 10:57 rwm"

  
  It seems to me that I used lxc.cgroup.devices.allow directives without trouble a few years ago. I wonder which system upgrades broke it.

  
  To reproduce:

  (Note: subuid, subgid, and lxc-usernet are already configured for this
  user.)

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID:   Ubuntu
  Description:  Ubuntu 19.04
  Release:  19.04
  Codename: disco

  $ dpkg-query --show libpam-cgfs lxc1
  libpam-cgfs   3.0.3-0ubuntu1
  lxc1  3.0.3-0ubuntu1

  $ lxc-create -t download -n testbox -- -d ubuntu -r bionic -a amd64
  The cached copy has expired, re-downloading...
  Setting up the GPG keyring
  Downloading the image index
  Downloading the rootfs
  Downloading the metadata
  The image cache is now ready
  Unpacking the rootfs

  ---
  You just created an Ubuntu bionic amd64 (20190910_07:42) container.

  To enable SSH, run: apt install openssh-server
  No default root or user password are set by LXC.

  $ echo "lxc.cgroup.devices.allow = c 10:57 rwm" >> lxc/testbox/config

  $ lxc-start -n testbox -o debug.out -l trace
  lxc-start: testbox: lxccontainer.c: wait_on_daemonized_start: 842 Received container state "ABORTING" instead of "RUNNING"
  lxc-start: testbox: tools/lxc_start.c: main: 330 The container failed to start
  lxc-start: testbox: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
  lxc-start: testbox: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

  $ cat debug.out
  lxc-start testbox 20190910192712.380 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type u nsid 0 hostid 10 range 65536
  lxc-start testbox 20190910192712.380 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type g nsid 0 hostid 10 range 65536
  lxc-start testbox 20190910192712.382 TRACE commands - commands.c:lxc_cmd:300 - Connection refused - Command "get_init_pid" failed to connect command socket
  lxc-start testbox 20190910192712.383 TRACE commands - commands.c:lxc_cmd:300 - Connection refused - Command "get_state" failed to connect command socket
  lxc-start testbox 20190910192712.383 TRACE start - start.c:lxc_init_handler:748 - Created anonymous pair {4,5} of unix sockets
  lxc-start testbox 20190910192712.383 TRACE commands - commands.c:lxc_cmd_init:1248 - Creating abstract unix socket "/home/ubuntu/lxc/testbox/command"
  lxc-start testbox 20190910192712.383 TRACE start - start.c:lxc_init_handler:760 - Unix domain socket 6 for command server is ready
  lxc-start testbox 20190910192712.388 INFO lxccontainer - lxccontainer.c:do_lxcapi_start:961 - Set process title to [lxc monitor] /home/ubuntu/lxc testbox
  lxc-start testbox 20190910192712.392 TRACE start - start.c:lxc_start:2052 - Doing lxc_start
  lxc-start testbox 20190910192712.393 INFO lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
  lxc-start testbox 20190910192712.393 TRACE start - start.c:lxc_init:777 - Initialized LSM
  lxc-start testbox 20190910192712.395 TRACE seccomp - seccomp.c:get_new_ctx:458 - Added arch 2 to main seccomp context
  

[Touch-packages] [Bug 1843490] Re: lxc.cgroup.devices.allow prevents unprivileged container from starting

2019-09-10 Thread Stéphane Graber
"lxc.cgroup.devices" is meaningless for unprivileged containers as those
can never create those devices anyway, so they'll only ever have access
to whatever devices lxc provides and nothing more. All our own default
configs specifically do not set that cgroup controller for unprivileged
containers.

The error you're getting specifically suggests that the cgroups that are
delegated to your unprivileged users do not include the devices
controller which does match what I'm seeing in /proc/self/cgroup on my
system here.

If you wanted to be able to write to the devices cgroup, you would need
your user session to have the devices cgroup in /proc/self/cgroup point
to a path that your user can write to. At which point the config should
work, though still effectively be meaningless.

** Changed in: lxc (Ubuntu)
   Status: New => Invalid

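Stéphane's diagnosis turns on what /proc/self/cgroup reports for the devices controller: the directive can only take effect if that line points at a path the unprivileged user can write. The shell script below is an added illustration of that check, not code from the bug report or from lxc. It assumes the cgroup v1 layout the thread describes (one "id:controllers:path" line per hierarchy, devices mounted under /sys/fs/cgroup/devices); the function names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from lxc.
# Assumes the cgroup v1 layout the thread describes: each line of
# /proc/self/cgroup reads "<id>:<controllers>:<path>" and the devices
# hierarchy is mounted at /sys/fs/cgroup/devices.

# Print the path of the devices controller from a /proc/self/cgroup-style
# file ($1); exit status 1 (and no output) if no line names that controller.
# Controllers may be comma-separated (e.g. "cpu,cpuacct"), so each is tested.
devices_cgroup_path() {
    awk -F: '
        { n = split($2, ctrls, ",")
          for (i = 1; i <= n; i++)
              if (ctrls[i] == "devices") { print $3; found = 1 } }
        END { exit !found }' "$1"
}

# Classify delegation: "absent" (no devices line at all), "unwritable" (the
# line exists but the user cannot write at that path below the hierarchy
# mount point $2, which is the situation the reporter hit) or "writable"
# (lxc could set devices.allow there, and the directive would be accepted).
devices_delegation_state() {
    path=$(devices_cgroup_path "$1") || { echo absent; return 0; }
    if [ -w "$2$path" ]; then echo writable; else echo unwritable; fi
}

# Constructed sample resembling a desktop login where the devices controller
# exists but the session sits at the root of that hierarchy, so an
# unprivileged user has nothing it may write to.
sample=$(mktemp)
cat > "$sample" <<'EOF'
12:devices:/
5:cpu,cpuacct:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
EOF
echo "sample listing: $(devices_delegation_state "$sample" /sys/fs/cgroup/devices)"
rm -f "$sample"

# Live check of the calling user's own session, when /proc is available.
if [ -r /proc/self/cgroup ]; then
    echo "this session: $(devices_delegation_state /proc/self/cgroup /sys/fs/cgroup/devices)"
fi
```

Run as the same unprivileged user that starts the container; "unwritable" or "absent" means lxc.cgroup.devices.allow will fail exactly as the log above shows, and only a session whose devices cgroup has been delegated to a user-owned path reports "writable". Note that root passes the -w test on any existing directory, so the live result is only meaningful for the unprivileged account.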