Starting Xenial lxc without cap_sysadmin fails

Bug #1713674 reported by Pierre Schweitzer
Affects: lxc (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

Dear all,

When trying to start an LXC container with Xenial on both host and container, if the sys_admin capability is dropped (lxc.cap.drop = sys_admin in the config file), the container fails to start, because systemd fails to mount the cgroup filesystem in the container. The workaround is to manually mount the cgroup filesystem before starting the container (using lxc.mount.entry in the config file), but LXC performs the mount too early, before entering the container's cgroup namespace, which means that what is mounted matches the host cgroup namespace, not the container namespace.

The bug was already reported upstream[1][2], but didn't make it to Ubuntu yet, AFAIK.
A fix was merged in master[3], would it be possible to have it in Ubuntu Xenial?

So far, we have manually patched the Ubuntu LXC packages with that patch and observed no regressions.

Thanks!

Cheers,
P. Schweitzer

[1]: https://github.com/lxc/lxc/pull/1597
[2]: https://github.com/lxc/lxc/pull/1606
[3]: https://github.com/lxc/lxc/commit/c1cecfdd050818865653d7941d7bae5d755246ae
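The symptom the report describes (a cgroup filesystem mounted from the host's cgroup namespace rather than the container's) is visible from inside the container in /proc/self/mountinfo: the mount root field (field 4) reads "/" for a cgroup mount made inside the container's own cgroup namespace, and a "/.." style path for one made in an ancestor namespace, as documented in cgroup_namespaces(7). The check below is an added example and is not code from the reporter or from the LXC project; the mountinfo lines it parses are constructed sample input, and the function name check_cgroup_mounts is my own.

```shell
#!/bin/sh
# Constructed sample of three /proc/self/mountinfo lines as they could appear
# inside a container. The freezer mount was created before the cgroup
# namespace was unshared (root "/.."), the memory mount afterwards (root "/").
SAMPLE_MOUNTINFO='155 154 0:32 /.. /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
156 154 0:33 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
157 154 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# check_cgroup_mounts [mountinfo-file]
# Reads mountinfo from the given file (or stdin) and prints one line per
# cgroup/cgroup2 mount: "<mountpoint> ok" when the mount is rooted in the
# current cgroup namespace, "<mountpoint> host-rooted" when the root field
# points at an ancestor namespace. Returns 1 if any mount is host-rooted.
check_cgroup_mounts() {
    awk '
    {
        # The optional fields after field 6 vary in number, so locate the
        # "-" separator and take the filesystem type from the field after it.
        fstype = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if (fstype != "cgroup" && fstype != "cgroup2") next
        # A ".." path component in the mount root means the mount was made
        # from a cgroup namespace above ours (in practice, the host).
        if ($4 ~ /(^|\/)\.\.(\/|$)/) { print $5 " host-rooted"; bad = 1 }
        else print $5 " ok"
    }
    END { exit (bad ? 1 : 0) }' "$@"
}

# Stand-alone run over the constructed sample; on a real container you would
# run: check_cgroup_mounts /proc/self/mountinfo
printf '%s\n' "$SAMPLE_MOUNTINFO" | check_cgroup_mounts \
    || echo "at least one cgroup mount was made from the host cgroup namespace"
```

A cgroup mount that comes back host-rooted is exactly the state the reporter describes: the container sees the host's hierarchy under /sys/fs/cgroup, so paths in /proc/self/cgroup (which are relative to the container's namespace root) do not line up with the directories that exist under the mount.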

Stéphane Graber (stgraber) wrote:

This is already in our stable-2.0 branch, so both LXC 2.1 and LXC 2.0.9 will have it.

Changed in lxc (Ubuntu):
status: New → Fix Committed
Changed in lxc (Ubuntu):
status: Fix Committed → Fix Released