[systemd] Factorize lxcbr0 setup and use it for all init systems

Bug #1312532 reported by Martin Pitt
This bug affects 6 people

Affects: lxc (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Martin Pitt
Milestone: (not set)

Bug Description

With booting systemd, starting containers fails:

$ sudo lxc-start -n debci
lxc-start: failed to attach 'vethQFOOY3' to the bridge 'lxcbr0' : No such device
lxc-start: failed to create netdev
lxc-start: failed to create the network
lxc-start: failed to spawn 'debci'

Presumably that's because LXC currently only ships upstart jobs to set up the bridges:
  /etc/init/lxc.conf
  /etc/init/lxc-net.conf
  /etc/init/lxc-instance.conf

These need corresponding systemd units.

Tags: systemd-boot
Martin Pitt (pitti) wrote :

For the record: I turned /etc/init/lxc-net.conf into a shell script that you call with "start" or "stop". With that we can keep the logic in one place, and the upstart/systemd/init.d script would just call this. That sets up the lxcbr interface etc. I also ran the apparmor bits from /etc/init/lxc.conf, but even that isn't enough:

$ sudo lxc-start -n debci
lxc-start: Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
lxc-start: Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
lxc-start: Permission denied - Failed to make / rslave
lxc-start: Continuing...
lxc-start: Input/output error - error 5 creating /usr/lib/x86_64-linux-gnu/lxc/dev/lxc/console
lxc-start: failed to setup the console for 'debci'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'debci'

Corresponding kernel messages from that:

$ dmesg
[ 1733.458729] device veth6OE62S entered promiscuous mode
[ 1733.459332] IPv6: ADDRCONF(NETDEV_UP): veth6OE62S: link is not ready
[ 1733.503547] type=1400 audit(1398440577.278:78): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=4371 comm="lxc-start" flags="rw, rslave"
[ 1733.527581] IPv6: ADDRCONF(NETDEV_CHANGE): veth6OE62S: link becomes ready
[ 1733.527672] lxcbr0: port 1(veth6OE62S) entered forwarding state
[ 1733.527697] lxcbr0: port 1(veth6OE62S) entered forwarding state
[ 1733.947690] lxcbr0: port 1(veth6OE62S) entered disabled state
[ 1733.948400] device veth6OE62S left promiscuous mode
[ 1733.948416] lxcbr0: port 1(veth6OE62S) entered disabled state

Certainly the AppArmor violation is the crucial bit here. It might behave slightly differently when running under systemd.

Serge Hallyn (serge-hallyn) wrote :

I think the apparmor issue should be filed as a separate bug. The issue there is that systemd has mounted / as MS_SHARED, so lxc is having to remount / as rslave. The apparmor policy will need to be updated to allow that. Ideally we can wait to allow that until the apparmor parser properly parses the mounts propagation mount_options, so we don't have to allow lxc-start to remount / in other ways.
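
An added example, not pitti's attached script and not lxc's own lxc-net: a start/stop dispatcher of the kind the first comment describes, with a pre-flight check for the shared root mount Serge mentions (it parses the propagation field of mountinfo, which is what forces the rslave remount). The bridge name lxcbr0 comes from the report; the address, the `ip` commands and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: single place for bridge setup that upstart, systemd or
# init.d can call with "start" or "stop". Address/netmask are assumed.
set -e

LXC_BRIDGE="${LXC_BRIDGE:-lxcbr0}"
LXC_ADDR="${LXC_ADDR:-10.0.3.1}"
LXC_NETMASK="${LXC_NETMASK:-24}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1 (lets the script be
# exercised without root and without touching real interfaces).
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Print the propagation type of the mount point $2, reading mountinfo-format
# text from file $1. Optional fields (7th onward, up to the "-" separator)
# carry shared:N, master:N or unbindable; none of them means private.
# A systemd-booted host has / as shared, which is why lxc-start remounts it
# rslave and hits the AppArmor mount rule quoted in this bug.
mount_propagation() {
    awk -v mp="$2" '
        $5 == mp {
            prop = "private"
            for (i = 7; i <= NF && $i != "-"; i++) {
                split($i, f, ":")
                if (f[1] == "shared" || f[1] == "master" || f[1] == "unbindable") prop = f[1]
            }
            print prop; exit
        }' "$1"
}

bridge_exists() { [ -d "/sys/class/net/$1" ]; }

start() {
    if [ "$(mount_propagation /proc/self/mountinfo /)" = shared ]; then
        echo "note: / is a shared mount; lxc-start will remount it rslave" >&2
    fi
    if ! bridge_exists "$LXC_BRIDGE" || [ "$DRY_RUN" = 1 ]; then
        run ip link add name "$LXC_BRIDGE" type bridge
        run ip addr add "$LXC_ADDR/$LXC_NETMASK" dev "$LXC_BRIDGE"
        run ip link set "$LXC_BRIDGE" up
    fi
}

stop() {
    if bridge_exists "$LXC_BRIDGE" || [ "$DRY_RUN" = 1 ]; then
        run ip link set "$LXC_BRIDGE" down
        run ip link delete "$LXC_BRIDGE" type bridge
    fi
}

case "${1:-}" in
    start|stop) "$1" ;;
    "") ;;   # no action given: only define the functions
    *) echo "usage: $0 start|stop" >&2; exit 1 ;;
esac
```

Running `DRY_RUN=1 ./lxc-net start` prints the `ip` commands instead of executing them, and the propagation note on stderr shows whether the rslave remount will be needed on this host.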

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status: New → Confirmed
Martin Pitt (pitti) wrote :

For the record, this is the broken-out shell script which should factorize init.d/unit/upstart job.
I tried to run "sudo mount --make-rprivate /" to work around that AA issue. Now "sudo ./lxc-net start" fails with

$ sudo lxc-start -n debci
lxc-start: Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
lxc-start: Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
lxc-start: Input/output error - error 5 creating /usr/lib/x86_64-linux-gnu/lxc/dev/lxc/console
lxc-start: failed to setup the console for 'debci'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'debci'

There is no /usr/lib/x86_64-linux-gnu/lxc/dev/, and no dmesg error any more. strace:

25459 mkdir("/usr/lib/x86_64-linux-gnu/lxc/dev/lxc", 0755) = -1 EEXIST (File exists)
25459 unlink("/usr/lib/x86_64-linux-gnu/lxc/dev/console") = -1 ENOENT (No such file or directory)
25459 creat("/usr/lib/x86_64-linux-gnu/lxc/dev/lxc/console", 0660) = -1 EIO (Input/output error)

Apparently /usr/lib/x86_64-linux-gnu/lxc/dev/ is a private mount within LXC?

Martin Pitt (pitti)
summary: - [systemd] Container startup fails on missing lxcbr0
+ [systemd] Factorize lxcbr0 setup and use it for all init systems
Michael Vogt (mvo) wrote :

It seems like the importance of this bug should be increased given that we aim for systemd?

Martin Pitt (pitti) wrote :
Changed in lxc (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

This landed in upstream git now.

Changed in lxc (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.1.0~alpha2-0ubuntu2

---------------
lxc (1.1.0~alpha2-0ubuntu2) utopic; urgency=medium

  * Cherry-pick upstream bugfix for lxc-usernic test.
 -- Stephane Graber <email address hidden> Thu, 02 Oct 2014 15:01:56 -0400

Changed in lxc (Ubuntu):
status: Fix Committed → Fix Released