So is there a workaround? In my case, I'm trying to access an OpenCL gpu from a userland container. I was assuming that the below might be enough.

    lxc.mount.entry = /dev/dri/card1 dev/dri/card1 none bind,optional,create=file
    lxc.mount.entry = /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
    lxc.cgroup.devices.allow = c 226:* rwm

The mounts work (although owned by nobody:nobody instead of root:video) and the devices cgroup stanza in the config file generates the container boot error, as described above. The mounts are not enough to get OpenCL access in the container: running "clinfo" (the OpenCL diagnostic) in the container doesn't find the devices (I presume because of ... well, something to do with /dev/dri but don't really know)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1843490

Title:
  lxc.cgroup.devices.allow prevents unprivileged container from starting

Status in lxc package in Ubuntu:
  Invalid

Bug description:
  Adding lxc.cgroup.devices.allow directives to an unprivileged container config prevents the container from starting.

  These lxc-start errors look relevant:

    lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:204 - There is no useable devices controller
    lxc-start testbox 20190910192712.171 ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2191 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
    lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2228 - Failed to set "devices.allow" to "c 10:57 rwm"

  It seems to me that I used lxc.cgroup.devices.allow directives without trouble a few years ago. I wonder which system upgrades broke it.

  To reproduce:

  (Note: subuid, subgid, and lxc-usernet are already configured for this user.)

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description: Ubuntu 19.04
  Release: 19.04
  Codename: disco

  $ dpkg-query --show libpam-cgfs lxc1
  libpam-cgfs 3.0.3-0ubuntu1
  lxc1 3.0.3-0ubuntu1

  $ lxc-create -t download -n testbox -- -d ubuntu -r bionic -a amd64
  The cached copy has expired, re-downloading...
  Setting up the GPG keyring
  Downloading the image index
  Downloading the rootfs
  Downloading the metadata
  The image cache is now ready
  Unpacking the rootfs

  ---
  You just created an Ubuntu bionic amd64 (20190910_07:42) container.

  To enable SSH, run: apt install openssh-server
  No default root or user password are set by LXC.

  $ echo "lxc.cgroup.devices.allow = c 10:57 rwm" >> lxc/testbox/config

  $ lxc-start -n testbox -o debug.out -l trace
  lxc-start: testbox: lxccontainer.c: wait_on_daemonized_start: 842 Received container state "ABORTING" instead of "RUNNING"
  lxc-start: testbox: tools/lxc_start.c: main: 330 The container failed to start
  lxc-start: testbox: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
  lxc-start: testbox: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

  $ cat debug.out
  lxc-start testbox 20190910192712.380 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type u nsid 0 hostid 100000 range 65536
  lxc-start testbox 20190910192712.380 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type g nsid 0 hostid 100000 range 65536
  lxc-start testbox 20190910192712.382 TRACE commands - commands.c:lxc_cmd:300 - Connection refused - Command "get_init_pid" failed to connect command socket
  lxc-start testbox 20190910192712.383 TRACE commands - commands.c:lxc_cmd:300 - Connection refused - Command "get_state" failed to connect command socket
  lxc-start testbox 20190910192712.383 TRACE start - start.c:lxc_init_handler:748 - Created anonymous pair {4,5} of unix sockets
  lxc-start testbox 20190910192712.383 TRACE commands - commands.c:lxc_cmd_init:1248 - Creating abstract
start.c:lxc_serve_state_clients:469 - No state clients registered lxc-start testbox 20190910192712.171 TRACE conf - conf.c:get_minimal_idmap:4265 - Allocated minimal idmapping lxc-start testbox 20190910192712.171 TRACE conf - conf.c:userns_exec_1:4345 - Establishing uid mapping for "8669" in new user namespace: nsuid 0 - hostid 100000 - range 65536 lxc-start testbox 20190910192712.171 TRACE conf - conf.c:userns_exec_1:4345 - Establishing uid mapping for "8669" in new user namespace: nsuid 65536 - hostid 1000 - range 1 lxc-start testbox 20190910192712.171 TRACE conf - conf.c:userns_exec_1:4345 - Establishing gid mapping for "8669" in new user namespace: nsuid 0 - hostid 100000 - range 65536 lxc-start testbox 20190910192712.171 TRACE conf - conf.c:userns_exec_1:4345 - Establishing gid mapping for "8669" in new user namespace: nsuid 65536 - hostid 1000 - range 1 lxc-start testbox 20190910192712.171 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usr/bin/newuidmap" does have the setuid bit set lxc-start testbox 20190910192712.171 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usr/bin/newgidmap" does have the setuid bit set lxc-start testbox 20190910192712.171 DEBUG conf - conf.c:lxc_map_ids:2928 - Functional newuidmap and newgidmap binary found lxc-start testbox 20190910192712.173 TRACE conf - conf.c:lxc_map_ids:3002 - newuidmap wrote mapping "newuidmap 8669 0 100000 65536 65536 1000 1" lxc-start testbox 20190910192712.175 TRACE conf - conf.c:lxc_map_ids:3002 - newgidmap wrote mapping "newgidmap 8669 0 100000 65536 65536 1000 1" lxc-start testbox 20190910192712.175 TRACE conf - conf.c:run_userns_fn:4091 - Calling function "cgroup_rmdir_wrapper" lxc-start testbox 20190910192712.176 TRACE start - start.c:lxc_fini:1001 - Closed command socket lxc-start testbox 20190910192712.176 TRACE start - start.c:lxc_fini:1012 - Set container state to "STOPPED" lxc-start testbox 20190910192712.176 INFO conf - 
conf.c:run_script_argv:356 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "testbox", config section "lxc"