Ubuntu
lxc package

lxc-start fails due to insufficient permission for creating netdev

Bug #1406925 reported by Karl-Philipp Richter on 2015-01-01

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	lxc (Ubuntu)	Invalid	High	Unassigned

Bug Description

After installing an lxc with `sudo lxc-create -n Ubuntu-12.04.5-i386 -t /usr/share/lxc/templates/lxc-ubuntu -- --release precise --mirror http://richtercloud.de:3142/de.archive.ubuntu.com/ubuntu --arch i386`, starting the container with `sudo lxc-start -n Ubuntu-12.04.5-i386 --foreground` fails due to the following error:

    lxc-start: conf.c: instanciate_veth: 2817 failed to attach 'vethY1J1I1' to the bridge 'lxcbr0' : Operation not permitted
    lxc-start: conf.c: lxc_create_network: 3100 failed to create netdev
    lxc-start: start.c: lxc_spawn: 829 failed to create the network
    lxc-start: start.c: __lxc_start: 1087 failed to spawn 'Ubuntu-12.04.5-i386'
    lxc-start: lxc_start.c: main: 337 The container failed to start.
    lxc-start: lxc_start.c: main: 341 Additional information can be obtained by setting the --logfile and --logpriority options.

It should be possible to start the container right away after installation of the apt package and handle eventually necessary setup tasks (of permissions, etc.) in `debconf`.

Currently it's necessary to comment out all `lxc.network.*` entries in the container configuration file.

ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: lxc 1.1.0~alpha2-0ubuntu3
ProcVersionSignature: Error: [Errno 2] Datei oder Verzeichnis nicht gefunden: '/proc/version_signature'
Uname: Linux 3.17.7-031707-generic x86_64
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Jan 1 14:31:03 2015
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-12-28 (4 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
SourcePackage: lxc
UpgradeStatus: Upgraded to utopic on 2014-12-28 (4 days ago)
defaults.conf:
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
upstart.lxc-net.override: manual

See original description

Tags:

Revision history for this message

Karl-Philipp Richter (krichter722) wrote on 2015-01-01:

Dependencies.txt Edit (6.8 KiB, text/plain; charset="utf-8")
KernLog.txt Edit (37.8 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (103 bytes, text/plain; charset="utf-8")
RelatedPackageVersions.txt Edit (192 bytes, text/plain; charset="utf-8")
lxc-net.default.txt Edit (1.3 KiB, text/plain; charset="utf-8")
lxc.default.txt Edit (430 bytes, text/plain; charset="utf-8")
lxcsyslog.txt Edit (7.7 KiB, text/plain; charset="utf-8")

description:

updated

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2015-01-10:

Thanks for taking the time to report this bug. Certainly as root you should be able to attach devices to lxcbr0.

Could you please

1. show the result of 'ifconfig -a' and 'brctl show'
2. do 'sudo lxc-start -n Ubuntu-12.04.5-i386 -f -l trace -o lxc.debug' and attach lxc.debug here
3. try:
sudo lxc-create -t download -n p1 -- -d ubuntu -r trusty -a i386
sudo lxc-start -n p1
and let us know whether that succeeds.

Changed in lxc (Ubuntu):
importance:	Undecided → High

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2015-01-10:

(Note that I cannot reproduce this here; sudo lxc-create -t ubuntu -n p1 -- -r precise -a i386 results in a working container for me. So we need to figure out what is differnet in your environment.)

Changed in lxc (Ubuntu):
status:	New → Incomplete

Revision history for this message

Karl-Philipp Richter (krichter722) wrote on 2015-01-10:

Download full text (6.6 KiB)

1. network configuration:

    $ env LANG=C ifconfig -a`
    eth1 Link encap:Ethernet HWaddr 00:00:0b:00:0d:8d
              inet addr:192.168.178.22 Bcast:192.168.178.255 Mask:255.255.255.0
              inet6 addr: fe80::200:bff:fe00:d8d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:4614818 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2617205 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6304830899 (6.3 GB) TX bytes:265525368 (265.5 MB)

    lo Link encap:Local Loopback
              inet addr:127.0.0.1 Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MTU:65536 Metric:1
              RX packets:792265 errors:0 dropped:0 overruns:0 frame:0
              TX packets:792265 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1280457921 (1.2 GB) TX bytes:1280457921 (1.2 GB)

    lxcbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
              inet addr:10.0.3.1 Bcast:10.0.3.255 Mask:255.255.255.0
              inet6 addr: fe80::f0cd:39ff:fe43:af4/64 Scope:Link
              UP BROADCAST MULTICAST MTU:1500 Metric:1
              RX packets:3 errors:0 dropped:0 overruns:0 frame:0
              TX packets:298 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:228 (228.0 B) TX bytes:63092 (63.0 KB)

    p2p1 Link encap:Ethernet HWaddr 20:89:84:86:6d:4f
              UP BROADCAST MULTICAST MTU:1500 Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    virbr0 Link encap:Ethernet HWaddr be:a2:11:d1:e5:45
              inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
              UP BROADCAST MULTICAST MTU:1500 Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    wlan0 Link encap:Ethernet HWaddr 68:17:29:77:05:42
              UP BROADCAST MULTICAST MTU:1500 Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    $ brctl show
    bridge name bridge id STP enabled interfaces
    lxcbr0 8000.000000000000 no
    virbr0 8000.000000000000 yes
    $ sudo brctl show
    bridge name bridge id STP enabled interfaces
    lxcbr0 8000.000000000000 no
    virbr0 8000.000000000000 yes

2. starting:

    $ sudo lxc-start -n p1 -f -l trace -o lxc.debug
    lxc: cgmanager.c: lxc_cgmanager_escape: 314 call to cgmanager_move_pid_abs_sync(blkio) failed: invalid request
    lxc-start: lxc_start.c: main: 253 Failed to load rcfile

3. creation:

...

1. network configuration:

$ env LANG=C ifconfig -a`
    eth1      Link encap:Ethernet  HWaddr 00:00:0b:00:0d:8d  
              inet addr:192.168.178.22  Bcast:192.168.178.255  Mask:255.255.255.0
              inet6 addr: fe80::200:bff:fe00:d8d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4614818 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2617205 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:6304830899 (6.3 GB)  TX bytes:265525368 (265.5 MB)

lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:792265 errors:0 dropped:0 overruns:0 frame:0
              TX packets:792265 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:1280457921 (1.2 GB)  TX bytes:1280457921 (1.2 GB)

lxcbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
              inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0
              inet6 addr: fe80::f0cd:39ff:fe43:af4/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:3 errors:0 dropped:0 overruns:0 frame:0
              TX packets:298 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:228 (228.0 B)  TX bytes:63092 (63.0 KB)

p2p1      Link encap:Ethernet  HWaddr 20:89:84:86:6d:4f  
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

virbr0    Link encap:Ethernet  HWaddr be:a2:11:d1:e5:45  
              inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 68:17:29:77:05:42  
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    $ brctl show
    bridge name	bridge id		STP enabled	interfaces
    lxcbr0		8000.000000000000	no		
    virbr0		8000.000000000000	yes		
    $ sudo brctl show
    bridge name	bridge id		STP enabled	interfaces
    lxcbr0		8000.000000000000	no		
    virbr0		8000.000000000000	yes

2. starting:

3. creation:

$ sudo lxc-create -t download -n p2 -- -d ubuntu -r trusty -a i386
    lxc: cgmanager.c: lxc_cgmanager_escape: 314 call to cgmanager_move_pid_abs_sync(blkio) failed: invalid request
    Setting up the GPG keyring
    Downloading the image index
    Downloading the rootfs
    Downloading the metadata
    The image cache is now ready
    Unpacking the rootfs

---
    You just created an Ubuntu container (release=trusty, arch=i386, variant=default)

To enable sshd, run: apt-get install openssh-server

For security reason, container images ship without user accounts
    and without a root password.

Use lxc-attach or chroot directly into the rootfs to set a root password
    or create user accounts.
    $ sudo lxc-start -n p2
    lxc: cgmanager.c: lxc_cgmanager_escape: 314 call to cgmanager_move_pid_abs_sync(blkio) failed: invalid request
    lxc-start: lxc_start.c: main: 337 The container failed to start.
    lxc-start: lxc_start.c: main: 339 To get more details, run the container in foreground mode.
    lxc-start: lxc_start.c: main: 341 Additional information can be obtained by setting the --logfile and --logpriority options.
    $ sudo lxc-start -n p2 --foreground
    lxc: cgmanager.c: lxc_cgmanager_escape: 314 call to cgmanager_move_pid_abs_sync(blkio) failed: invalid request
    lxc-start: lsm/apparmor.c: apparmor_process_label_set: 186 If you really want to start this container, set
    lxc-start: lsm/apparmor.c: apparmor_process_label_set: 187 lxc.aa_allow_incomplete = 1
    lxc-start: lsm/apparmor.c: apparmor_process_label_set: 188 in your container configuration file
    lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 4
    lxc-start: start.c: __lxc_start: 1087 failed to spawn 'p2'
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_prio/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/hugetlb/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuacct/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu/sys_daemon/lxc/p2-1
    lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/grp_1/lxc/p2-1
    lxc-start: lxc_start.c: main: 337 The container failed to start.
    lxc-start: lxc_start.c: main: 341 Additional information can be obtained by setting the --logfile and --logpriority options.

I upgraded to Linux 3.18.2 in the meantime which requires filing a new bug report in the ununderstandable Ubuntu issue tracking logic. Should I do that?

Revision history for this message

Karl-Philipp Richter (krichter722) wrote on 2015-01-10:

I just realize that I added `lxc.aa_allow_incomplete = 1` to the lxc `config` file before the initial issue. Now after adding the very same line the issue disappeared, i.e. I can start the lxc `p2`. What now?

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2015-01-21:

Your kernel does not have the apparmor patchset to support mount restrictions. So long as tha tis the case, your workaround is the correct one. Note that (privileged) containers are less secure this way, although unprivileged containers should be ok.

Changed in lxc (Ubuntu):
status:	Incomplete → Invalid

Revision history for this message

Karl-Philipp Richter (krichter722) wrote on 2015-01-21:

It'd be nice to validate the prerequisites (e.g. in `debconf` or at start) and fail with a better feedback (either at start, through package dependencies or a debconf warning (that the program can't be used or needs to be reconfigured)) or change default settings at installation.

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2015-01-21: Re: [Bug 1406925] Re: lxc-start fails due to insufficient permission for creating netdev

We are working around important functionality being missing from
the kernel. I'd prefer that the apparmor mount functionality go
upstream sooner, rather then spend time (and risk regressions)
working around it better.

Revision history for this message

Hansel Dunlop (hansel) wrote on 2015-02-19:

Can someone clarify exactly what the work around for this bug is? I've been bitten by it but adding "lxc.aa_allow_incomplete = 1" to either my container config or the /etc/lxc/default.conf don't seem to resolve it for me.

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2015-02-20:

#10

Hi,

if lxc.aa_allow_incomplete=1 doesn't fix it for you, then you probably
have another bug. Would you mind filing a new bug about your issue? Please
start the container with 'lxc-start -n container_name -l trace -o debug.out'
and append the debug.out file to the new bug.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulxc package

lxc-start fails due to insufficient permission for creating netdev

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
lxc package