Re/starting an lxc container corrupts all network namespaces on the same physical host

To reproduce:

sudo lxc-create --name test -t ubuntu-cloud
sudo ip netns add test
sudo ip netns exec test ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
sudo lxc-start -d --name test
sudo ip netns exec test-tests ip addr
seting the network namespace "test-tests" failed: Invalid argument

Confirmed on utopic as well.

 sudo ip netns exec test ip addr

Confirmed on vivid as well.

I had assumed that "test-test" was a type and saw the same result after starting the container with "test", too. So somehow starting an lxc container seems to have an impact on netns. Not sure whether the apparmor message may relate which seems to trigger when lxc-start tries to mount /run/netns.

Hm, as a data-point. It seems for the testing one can set /usr/bin/lxc-start to complain mode:

aa-complain /usr/bin/lxc-start

and when I did that the test netns is still usable after lxc-start.

Can you please attach the output of

  apparmor_parser -p /etc/apparmor.d/usr.bin.lxc-start

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1401148

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

So for now I added also a task for the kernel, though the truth (if such a thing exists) could be somewhere between. Serge, Stephane, what we probably need to figure out is what exactly lxc-start tries to get done when slave mounting /run/netns. And somehow it might be possible that it needs improvement for the case that this is denied or fails. Looking at it from the outside it feels like going on assuming it got its own space but actually continuing to use the host space.
The other thing would be that this sound like lxc-start would require a rule to actually allow it to do that mount of /run/netns.

Stop the bot.

so I think it's some systemd handling which does that. LXC unshares the mnt namespace which gets it a copy of the host's, then it's doing some magic (rprivate I believe) to get things working under systemd, then mounts what it needs, unmounts everything else and pivot_root.

lxc itself has no code to deal with /run/netns, so it's not special casing it.

When stracing lxc-start one of the sub-processes is doing the access. This is the strace of that sub-process.

This is the output of "apparmor_parser -p /etc/apparmor.d/usr.bin.lxc-start" on Vivid with 3.16 kernel.

lxc-start.strace.3093:clone(child_stack=0x7fff7fbc0290, flags=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 3131
lxc-start.strace.3093:open("/proc/3131/ns/net", O_RDONLY) = 16
lxc-start.strace.3093:waitid(P_PID, 3131, {}, WNOHANG|WEXITED|WNOWAIT, NULL) =

Is this only happening when systemd is in the container, or when systemd is on the host?

I would have assumed systemd is on neither. Since it seems to be the same all the way since Trusty (at least).

The only way I can get this to work is to add

"mount,"

to /etc/apparmor.d/abstractions/lxc/start-container

If I add something like

"mount options=slave"
"remount options=slave"

that does not suffice.

It appears that as tyhicks pointed out this is a dup of bug 1350947.

hah, as pointed out in comment #4 of that bug. Marking this as a dup

James if you'd like to increase the priority of bug 1350947 please do so.

Status changed to 'Confirmed' because the bug affects multiple users.