[Touch-packages] [Bug 1843490] Re: lxc.cgroup.devices.allow prevents unprivileged container from starting
So is there a workaround? In my case, I'm trying to access an OpenCL GPU from a userland container. I was assuming that the below might be enough.

lxc.mount.entry = /dev/dri/card1 dev/dri/card1 none bind,optional,create=file
lxc.mount.entry = /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
lxc.cgroup.devices.allow = c 226:* rwm

The mounts work (although owned by nobody:nobody instead of root:video) and the devices cgroup stanza in the config file generates the container boot error, as described above.

The mounts are not enough to get OpenCL access in the container: running "clinfo" (the OpenCL diagnostic) in the container doesn't find the devices (I presume because of ... well, something to do with /dev/dri but don't really know).

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1843490

Title:
  lxc.cgroup.devices.allow prevents unprivileged container from starting

Status in lxc package in Ubuntu:
  Invalid

Bug description:
  Adding lxc.cgroup.devices.allow directives to an unprivileged container config prevents the container from starting.

  These lxc-start errors look relevant:

  lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:204 - There is no useable devices controller
  lxc-start testbox 20190910192712.171 ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2191 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
  lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2228 - Failed to set "devices.allow" to "c 10:57 rwm"

  It seems to me that I used lxc.cgroup.devices.allow directives without trouble a few years ago. I wonder which system upgrades broke it.

  To reproduce:
  (Note: subuid, subgid, and lxc-usernet are already configured for this user.)
  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 19.04
  Release:        19.04
  Codename:       disco

  $ dpkg-query --show libpam-cgfs lxc1
  libpam-cgfs     3.0.3-0ubuntu1
  lxc1            3.0.3-0ubuntu1

  $ lxc-create -t download -n testbox -- -d ubuntu -r bionic -a amd64
  The cached copy has expired, re-downloading...
  Setting up the GPG keyring
  Downloading the image index
  Downloading the rootfs
  Downloading the metadata
  The image cache is now ready
  Unpacking the rootfs

  ---
  You just created an Ubuntu bionic amd64 (20190910_07:42) container.

  To enable SSH, run: apt install openssh-server
  No default root or user password are set by LXC.

  $ echo "lxc.cgroup.devices.allow = c 10:57 rwm" >> lxc/testbox/config

  $ lxc-start -n testbox -o debug.out -l trace
  lxc-start: testbox: lxccontainer.c: wait_on_daemonized_start: 842 Received container state "ABORTING" instead of "RUNNING"
  lxc-start: testbox: tools/lxc_start.c: main: 330 The container failed to start
  lxc-start: testbox: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
  lxc-start: testbox: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

  $ cat debug.out
  lxc-start testbox 20190910192712.380 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type u nsid 0 hostid 10 range 65536
  lxc-start testbox 20190910192712.380 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type g nsid 0 hostid 10 range 65536
  lxc-start testbox 20190910192712.382 TRACE commands - commands.c:lxc_cmd:300 - Connection refused - Command "get_init_pid" failed to connect command socket
  lxc-start testbox 20190910192712.383 TRACE commands - commands.c:lxc_cmd:300 - Connection refused - Command "get_state" failed to connect command socket
  lxc-start testbox 20190910192712.383 TRACE start - start.c:lxc_init_handler:748 - Created anonymous pair {4,5} of unix sockets
  lxc-start testbox 20190910192712.383 TRACE commands - commands.c:lxc_cmd_init:1248 - Creating abstract unix socket "/home/ubuntu/lxc/testbox/command"
  lxc-start testbox 20190910192712.383 TRACE start - start.c:lxc_init_handler:760 - Unix domain socket 6 for command server is ready
  lxc-start testbox 20190910192712.388 INFO lxccontainer - lxccontainer.c:do_lxcapi_start:961 - Set process title to [lxc monitor] /home/ubuntu/lxc testbox
  lxc-start testbox 20190910192712.392 TRACE start - start.c:lxc_start:2052 - Doing lxc_start
  lxc-start testbox 20190910192712.393 INFO lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
  lxc-start testbox 20190910192712.393 TRACE start - start.c:lxc_init:777 - Initialized LSM
  lxc-start testbox 20190910192712.395 TRACE seccomp - seccomp.c:get_new_ctx:458 - Added arch 2 to main seccomp context
[Touch-packages] [Bug 1843490] Re: lxc.cgroup.devices.allow prevents unprivileged container from starting
"lxc.cgroup.devices" is meaningless for unprivileged containers as those can never create those devices anyway, so they'll only ever have access to whatever devices lxc provides and nothing more. All our own default configs specifically do not set that cgroup controller for unprivileged containers.

The error you're getting specifically suggests that the cgroups that are delegated to your unprivileged users do not include the devices controller, which does match what I'm seeing in /proc/self/cgroup on my system here.

If you wanted to be able to write to the devices cgroup, you would need your user session to have the devices cgroup in /proc/self/cgroup point to a path that your user can write to. At which point the config should work, though still effectively be meaningless.

** Changed in: lxc (Ubuntu)
       Status: New => Invalid
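The reply above says the decisive check is whether the devices line in /proc/self/cgroup points at a path the unprivileged user can write to. The script below is an added example, not code from the bug report or from the lxc project, that performs exactly that check: it extracts the devices-controller path from a /proc/PID/cgroup-format file and tests whether devices.allow under the cgroup mount root is writable. The sample cgroup files and the fake mount root it builds under mktemp are constructed for the offline demo; the "/user/ubuntu/0" path is an assumed libpam-cgfs-style delegation, and /sys/fs/cgroup is assumed to be the real cgroup v1 mount root.

```shell
#!/bin/sh
# Added diagnostic for the "There is no useable devices controller" failure:
# locate the devices cgroup of the current session and say whether the
# invoking user could actually write lxc.cgroup.devices.* settings into it.

# devices_cgroup_path FILE
# Print the path field of the line carrying the "devices" controller in a
# /proc/PID/cgroup-format file ("12:devices:/user.slice"). The controller
# field may list several controllers separated by commas ("devices,freezer").
# Prints nothing when no line carries the controller, which is what a
# cgroup v2-only host (no legacy devices hierarchy) shows.
devices_cgroup_path() {
    awk -F: '$2 ~ /(^|,)devices(,|$)/ { print $3; exit }' "$1"
}

# devices_cgroup_writable FILE ROOT
# ROOT is the cgroup mount root (/sys/fs/cgroup on a real host). Succeeds only
# when the session's devices cgroup exists under ROOT/devices and its
# devices.allow file is writable by the current user; that is the precondition
# lxc-start needs before lxc.cgroup.devices.allow can be applied.
devices_cgroup_writable() {
    p=$(devices_cgroup_path "$1")
    [ -n "$p" ] || return 1
    [ -w "$2/devices$p/devices.allow" ]
}

# report FILE ROOT
# Human-readable verdict mirroring the three outcomes lxc-start can hit.
report() {
    p=$(devices_cgroup_path "$1")
    if [ -z "$p" ]; then
        echo "devices controller: not present in $1 (no legacy devices hierarchy)"
    elif devices_cgroup_writable "$1" "$2"; then
        echo "devices controller: $p is writable; lxc.cgroup.devices.* can be applied"
    else
        echo "devices controller: $p is not writable by $(id -un); lxc.cgroup.devices.* will fail"
    fi
}

# Offline demo on constructed data (assumption: a libpam-cgfs style delegation
# lands the session at /user/<name>/<n>, while an undelegated session stays at
# /user.slice, which is root-owned and therefore not writable).
demo() {
    d=$(mktemp -d)
    printf '12:devices:/user.slice\n11:memory:/user.slice/user-1000.slice\n0::/user.slice\n' > "$d/undelegated"
    printf '12:devices,freezer:/user/ubuntu/0\n0::/user.slice\n' > "$d/delegated"
    printf '0::/user.slice/user-1000.slice\n' > "$d/v2only"
    mkdir -p "$d/root/devices/user/ubuntu/0"
    : > "$d/root/devices/user/ubuntu/0/devices.allow"
    report "$d/undelegated" "$d/root"
    report "$d/delegated" "$d/root"
    report "$d/v2only" "$d/root"
    rm -rf "$d"
}

demo
# Real check for the session you start containers from:
report /proc/self/cgroup /sys/fs/cgroup
```

The last line is the one to run as the unprivileged user that invokes lxc-start; if it reports "not writable" or "not present", the devices.allow stanza has nowhere to go and the container aborts exactly as in the debug log above. The nobody:nobody ownership the reporter saw on the bind-mounted /dev/dri nodes is a separate effect of the same unprivileged model: the host owner root:video lies outside the container's uid/gid map, so the kernel presents it as the overflow ids.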