Seccomp error with 2.0.5-0ubuntu1~ubuntu16.04.1 on s390x

Bug #1635639 reported by Curtis Hovey on 2016-10-21
This bug affects 1 person
| Affects | Importance | Assigned to |
|---|---|---|
| juju-ci-tools | Critical | Curtis Hovey |
| lxc (Ubuntu) | High | Stéphane Graber |
| lxc (Ubuntu Xenial) | High | Stéphane Graber |
| lxc (Ubuntu Yakkety) | High | Stéphane Graber |
| lxc (Ubuntu Zesty) | High | Stéphane Graber |

Bug Description

## SRU paperwork
### Rationale
LXC 2.0.5 added support for Seccomp on the s390x architecture for those kernels that support it. Unfortunately the personality handling for s390x is wrong and results in the profile being set up twice, causing a failure to start the container.

This effectively means that LXC 2.0.5 fails out of the box on s390x.

### Test case
With LXC:
 - lxc-start -n some-container -F

With LXD:
 - lxc start some-container

### Regression potential
Our own testing shows that the fix works perfectly fine. The code change itself only affects s390x (under ifdef) so can't possibly affect the other architectures.

The worst that can happen should this fix be wrong is either status quo (container won't start) or having the container start without seccomp support (status quo when compared to 2.0.4).

## Original bug report
The s390x host used for Juju testing spontaneously broke today.
The disk filled up, we restarted so that we could remove unused
kernels. We discovered that lxc1 cannot create containers any more.

$ sudo lxc-create -t ubuntu-cloud -n curtis -- -r xenial -a s390x

$ sudo lxc-start -o lxc.log -n curtis
lxc-start: tools/lxc_start.c: main: 344 The container failed to start.
lxc-start: tools/lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

$ cat lxc.log
      lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.c:get_new_ctx:224 - Seccomp error -17 (File exists) adding arch: 15
      lxc-start 20161020121833.069 ERROR lxc_start - start.c:lxc_init:430 - failed loading seccomp policy
      lxc-start 20161020121833.069 ERROR lxc_start - start.c:__lxc_start:1313 - failed to initialize the container
      lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:344 - The container failed to start.
      lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:346 - To get more details, run the container in foreground mode.
      lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.

# <stgraber> sinzui: checking when s390x seccomp support was added to the
# kernel, to see if it's just a missing config in our kernel that'd fix that
# cleanly or if we'd need it backported to 4.4 which would be a bit more
# annoying
# <stgraber> sinzui: config-4.4.0-45-generic is what you're running right?
# <sinzui> stgraber uname-a says 4.4.0-45-generic
# <stgraber> sinzui: you can workaround it by putting a file
# with lxc.seccomp=
# in /usr/share/lxc/config/common.conf.d/, that should get you going again

WORK AROUND for LXC 1
# on the s390x-slave
sudo vim /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
$ cat /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
# Advised to stgraber to add this file after seeing lxc-start fail with
# lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.
lxc.seccomp=

Curtis Hovey (sinzui) on 2016-10-21
affects: lxc → juju-ci-tools
Changed in juju-ci-tools:
status: New → Fix Committed
importance: Undecided → Critical
assignee: nobody → Curtis Hovey (sinzui)
Curtis Hovey (sinzui) wrote :

Current and new lxd containers are still broken. We see errors like this

lxc start xenial-manual-a xenial-manual-b xenial-manual-c
error: Error calling 'lxd forkstart xenial-manual-a /var/lib/lxd/containers /var/log/lxd/xenial-manual-a/lxc.conf': err='exit status 1'
  lxc 20161021035819.243 ERROR lxc_seccomp - seccomp.c:get_new_ctx:224 - Seccomp error -17 (File exists) adding arch: 15
  lxc 20161021035819.243 ERROR lxc_start - start.c:lxc_init:430 - failed loading seccomp policy
  lxc 20161021035819.243 ERROR lxc_start - start.c:__lxc_start:1313 - failed to initialize the container

description: updated
Curtis Hovey (sinzui) on 2016-10-21
Changed in juju-ci-tools:
status: Fix Committed → In Progress
Stéphane Graber (stgraber) wrote :

I fixed this in upstream LXC yesterday, will upload SRUs today.

Changed in lxc (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
status: New → In Progress
importance: Undecided → High
Changed in lxc (Ubuntu):
status: In Progress → Triaged
Changed in lxc (Ubuntu Xenial):
status: New → In Progress
Changed in lxc (Ubuntu Yakkety):
status: New → In Progress
Changed in lxc (Ubuntu Xenial):
importance: Undecided → High
Changed in lxc (Ubuntu Yakkety):
importance: Undecided → High
assignee: nobody → Stéphane Graber (stgraber)
Changed in lxc (Ubuntu Xenial):
assignee: nobody → Stéphane Graber (stgraber)
description: updated

Hello Curtis, or anyone else affected,

Accepted lxc into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.5-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in lxc (Ubuntu Xenial):
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Hello Curtis, or anyone else affected,

Accepted lxc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lxc/2.0.5-0ubuntu1~ubuntu16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Stéphane Graber (stgraber) wrote :

Confirmed on both xenial and yakkety.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 2.0.5-0ubuntu1~ubuntu16.04.2

---------------
lxc (2.0.5-0ubuntu1~ubuntu16.04.2) xenial; urgency=medium

  * Cherry-pick bugfix from upstream:
    - s390x: Fix seccomp handling of personalities (LP: #1635639)

 -- Stéphane Graber <email address hidden> Fri, 21 Oct 2016 12:39:18 -0400

Changed in lxc (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for lxc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 2.0.5-0ubuntu1.1

---------------
lxc (2.0.5-0ubuntu1.1) yakkety; urgency=medium

  * Cherry-pick bugfix from upstream:
    - s390x: Fix seccomp handling of personalities (LP: #1635639)

 -- Stéphane Graber <email address hidden> Fri, 21 Oct 2016 12:40:08 -0400

Changed in lxc (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Changed in lxc (Ubuntu Zesty):
status: Triaged → Fix Committed
Curtis Hovey (sinzui) on 2016-10-25
Changed in juju-ci-tools:
status: In Progress → Fix Released
Changed in lxc (Ubuntu Zesty):
status: Fix Committed → Fix Released
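
The workaround in the bug description sets `lxc.seccomp=` to an empty value, so containers on that host start with no seccomp profile until the file is removed. The script below is an added example, not part of the original report or of LXC: it checks a log for the error signature quoted in this bug and lists config snippets that still blank `lxc.seccomp`. The function names, the temporary directory layout and the `20-`/`30-` sample files are constructed for illustration; the log lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: triage helpers for the failure and workaround in this report.
# Function names and sample files are constructed for illustration.

# Succeeds if LOG contains the "arch added twice" signature from this bug.
has_arch_eexist() {
    grep -Fq 'Seccomp error -17 (File exists) adding arch' "$1"
}

# Print each *.conf in DIR whose last uncommented lxc.seccomp line is empty.
# That is the form of the workaround: no seccomp profile gets loaded.
find_blank_seccomp() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        last=$(grep -E '^[[:space:]]*lxc\.seccomp[[:space:]]*=' "$f" | tail -n 1)
        [ -n "$last" ] || continue
        value=$(printf '%s\n' "$last" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$value" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Build sample data in DIR: one log and three config snippets (constructed).
make_sample() {
    mkdir -p "$1/conf.d"
    cat > "$1/lxc.log" <<'EOF'
lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.c:get_new_ctx:224 - Seccomp error -17 (File exists) adding arch: 15
lxc-start 20161020121833.069 ERROR lxc_start - start.c:lxc_init:430 - failed loading seccomp policy
EOF
    # The workaround file: seccomp blanked.
    printf '# workaround\nlxc.seccomp=\n' > "$1/conf.d/10-secomp-hack.conf"
    # A snippet that points at a profile (path is sample data).
    printf 'lxc.seccomp = /usr/share/lxc/config/common.seccomp\n' > "$1/conf.d/20-profile.conf"
    # A commented-out override, which must not be reported.
    printf '# lxc.seccomp=\nlxc.arch = s390x\n' > "$1/conf.d/30-commented.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
has_arch_eexist "$demo/lxc.log" && echo "log shows the s390x seccomp arch error"
find_blank_seccomp "$demo/conf.d"
rm -rf "$demo"
```

On a real host, point `find_blank_seccomp` at `/usr/share/lxc/config/common.conf.d` after installing the fixed package to confirm the workaround file is gone.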