| 2016-10-21 14:26:00 |
Curtis Hovey |
bug |
|
|
added bug |
| 2016-10-21 14:26:34 |
Curtis Hovey |
bug task added |
|
lxc |
|
| 2016-10-21 14:26:53 |
Curtis Hovey |
affects |
lxc |
juju-ci-tools |
|
| 2016-10-21 14:27:05 |
Curtis Hovey |
juju-ci-tools: status |
New |
Fix Committed |
|
| 2016-10-21 14:27:09 |
Curtis Hovey |
juju-ci-tools: importance |
Undecided |
Critical |
|
| 2016-10-21 14:27:12 |
Curtis Hovey |
juju-ci-tools: assignee |
|
Curtis Hovey (sinzui) |
|
| 2016-10-21 14:50:08 |
Curtis Hovey |
description |
The s390x host used to Juju testing spontaneously broke today.
The disk filled up, we restarted so that we could remove unused
kernels. We discovered that lxc1 cannot create containers any more.
$ sudo lxc-create -t ubuntu-cloud -n curtis -- -r xenial -a s390x
$ sudo lxc-start -o lxc.log -n curtis
lxc-start: tools/lxc_start.c: main: 344 The container failed to start.
lxc-start: tools/lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
$ cat lxc.log
lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.c:get_new_ctx:224 - Seccomp error -17 (File exists) adding arch: 15
lxc-start 20161020121833.069 ERROR lxc_start - start.c:lxc_init:430 - failed loading seccomp policy
lxc-start 20161020121833.069 ERROR lxc_start - start.c:__lxc_start:1313 - failed to initialize the container
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:344 - The container failed to start.
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
# <stgraber> sinzui: checking when s390x seccomp support was added to the
# kernel, to see if it's just a missing config in our kernel that'd fix that
# cleanly or if we'd need it backported to 4.4 which would be a bit more
# annoying
# <stgraber> sinzui: config-4.4.0-45-generic is what you're running right?
# <sinzui> stgraber uname-a says 4.4.0-45-generic
# stgraber> sinzui: you can workaround it by putting a file
# with lxc.seccomp=
# in /usr/share/lxc/config/common.conf.d/, that should get you going again
WORK AROUND
# on the s390x-slave
sudo vim /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
$ cat /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
# Advised to stgraber to add this file after seeing lxc-start fail with
# lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.
lxc.seccomp= |
The s390x host used to Juju testing spontaneously broke today.
The disk filled up, we restarted so that we could remove unused
kernels. We discovered that lxc1 cannot create containers any more.
$ sudo lxc-create -t ubuntu-cloud -n curtis -- -r xenial -a s390x
$ sudo lxc-start -o lxc.log -n curtis
lxc-start: tools/lxc_start.c: main: 344 The container failed to start.
lxc-start: tools/lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
$ cat lxc.log
lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.c:get_new_ctx:224 - Seccomp error -17 (File exists) adding arch: 15
lxc-start 20161020121833.069 ERROR lxc_start - start.c:lxc_init:430 - failed loading seccomp policy
lxc-start 20161020121833.069 ERROR lxc_start - start.c:__lxc_start:1313 - failed to initialize the container
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:344 - The container failed to start.
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
# <stgraber> sinzui: checking when s390x seccomp support was added to the
# kernel, to see if it's just a missing config in our kernel that'd fix that
# cleanly or if we'd need it backported to 4.4 which would be a bit more
# annoying
# <stgraber> sinzui: config-4.4.0-45-generic is what you're running right?
# <sinzui> stgraber uname-a says 4.4.0-45-generic
# stgraber> sinzui: you can workaround it by putting a file
# with lxc.seccomp=
# in /usr/share/lxc/config/common.conf.d/, that should get you going again
WORK AROUND for LXC 1
# on the s390x-slave
sudo vim /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
$ cat /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
# Advised to stgraber to add this file after seeing lxc-start fail with
# lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.
lxc.seccomp= |
|
| 2016-10-21 15:14:26 |
Curtis Hovey |
juju-ci-tools: status |
Fix Committed |
In Progress |
|
| 2016-10-21 16:01:40 |
Stéphane Graber |
lxc (Ubuntu): assignee |
|
Stéphane Graber (stgraber) |
|
| 2016-10-21 16:01:44 |
Stéphane Graber |
lxc (Ubuntu): status |
New |
In Progress |
|
| 2016-10-21 16:01:46 |
Stéphane Graber |
lxc (Ubuntu): importance |
Undecided |
High |
|
| 2016-10-21 16:41:31 |
Stéphane Graber |
lxc (Ubuntu): status |
In Progress |
Triaged |
|
| 2016-10-21 16:41:50 |
Stéphane Graber |
nominated for series |
|
Ubuntu Yakkety |
|
| 2016-10-21 16:41:50 |
Stéphane Graber |
bug task added |
|
lxc (Ubuntu Yakkety) |
|
| 2016-10-21 16:41:50 |
Stéphane Graber |
nominated for series |
|
Ubuntu Zesty |
|
| 2016-10-21 16:41:50 |
Stéphane Graber |
bug task added |
|
lxc (Ubuntu Zesty) |
|
| 2016-10-21 16:41:50 |
Stéphane Graber |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-10-21 16:41:50 |
Stéphane Graber |
bug task added |
|
lxc (Ubuntu Xenial) |
|
| 2016-10-21 16:41:58 |
Stéphane Graber |
lxc (Ubuntu Xenial): status |
New |
In Progress |
|
| 2016-10-21 16:42:01 |
Stéphane Graber |
lxc (Ubuntu Yakkety): status |
New |
In Progress |
|
| 2016-10-21 16:42:05 |
Stéphane Graber |
lxc (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2016-10-21 16:42:06 |
Stéphane Graber |
lxc (Ubuntu Yakkety): importance |
Undecided |
High |
|
| 2016-10-21 16:42:11 |
Stéphane Graber |
lxc (Ubuntu Yakkety): assignee |
|
Stéphane Graber (stgraber) |
|
| 2016-10-21 16:42:13 |
Stéphane Graber |
lxc (Ubuntu Xenial): assignee |
|
Stéphane Graber (stgraber) |
|
| 2016-10-21 16:46:14 |
Stéphane Graber |
description |
The s390x host used to Juju testing spontaneously broke today.
The disk filled up, we restarted so that we could remove unused
kernels. We discovered that lxc1 cannot create containers any more.
$ sudo lxc-create -t ubuntu-cloud -n curtis -- -r xenial -a s390x
$ sudo lxc-start -o lxc.log -n curtis
lxc-start: tools/lxc_start.c: main: 344 The container failed to start.
lxc-start: tools/lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
$ cat lxc.log
lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.c:get_new_ctx:224 - Seccomp error -17 (File exists) adding arch: 15
lxc-start 20161020121833.069 ERROR lxc_start - start.c:lxc_init:430 - failed loading seccomp policy
lxc-start 20161020121833.069 ERROR lxc_start - start.c:__lxc_start:1313 - failed to initialize the container
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:344 - The container failed to start.
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
# <stgraber> sinzui: checking when s390x seccomp support was added to the
# kernel, to see if it's just a missing config in our kernel that'd fix that
# cleanly or if we'd need it backported to 4.4 which would be a bit more
# annoying
# <stgraber> sinzui: config-4.4.0-45-generic is what you're running right?
# <sinzui> stgraber uname-a says 4.4.0-45-generic
# stgraber> sinzui: you can workaround it by putting a file
# with lxc.seccomp=
# in /usr/share/lxc/config/common.conf.d/, that should get you going again
WORK AROUND for LXC 1
# on the s390x-slave
sudo vim /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
$ cat /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
# Advised to stgraber to add this file after seeing lxc-start fail with
# lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.
lxc.seccomp= |
## SRU paperwork
### Rationale
LXC 2.0.5 added support for Seccomp on the s390x architecture for those kernels that support it. Unfortunately the personality handling for s390x is wrong and results in the profile being setup twice, causing a failure to start the container.
This effectively means that LXC 2.0.5 fails out of the box on s390x.
### Test case
With LXC:
- lxc-start -n some-container -F
With LXD:
- lxc start some-container
### Regression potential
Our own testing shows that the fix works perfectly fine. The code change itself only affects s390x (under ifdef) so can't possibly affect the other architectures.
The worst that can happen should this fix be wrong is either status quo (container won't start) or having the container start without seccomp support (status quo when compared to 2.0.4).
## Original bug report
The s390x host used to Juju testing spontaneously broke today.
The disk filled up, we restarted so that we could remove unused
kernels. We discovered that lxc1 cannot create containers any more.
$ sudo lxc-create -t ubuntu-cloud -n curtis -- -r xenial -a s390x
$ sudo lxc-start -o lxc.log -n curtis
lxc-start: tools/lxc_start.c: main: 344 The container failed to start.
lxc-start: tools/lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
$ cat lxc.log
lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.c:get_new_ctx:224 - Seccomp error -17 (File exists) adding arch: 15
lxc-start 20161020121833.069 ERROR lxc_start - start.c:lxc_init:430 - failed loading seccomp policy
lxc-start 20161020121833.069 ERROR lxc_start - start.c:__lxc_start:1313 - failed to initialize the container
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:344 - The container failed to start.
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 20161020121838.075 ERROR lxc_start_ui - tools/lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
# <stgraber> sinzui: checking when s390x seccomp support was added to the
# kernel, to see if it's just a missing config in our kernel that'd fix that
# cleanly or if we'd need it backported to 4.4 which would be a bit more
# annoying
# <stgraber> sinzui: config-4.4.0-45-generic is what you're running right?
# <sinzui> stgraber uname-a says 4.4.0-45-generic
# stgraber> sinzui: you can workaround it by putting a file
# with lxc.seccomp=
# in /usr/share/lxc/config/common.conf.d/, that should get you going again
WORK AROUND for LXC 1
# on the s390x-slave
sudo vim /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
$ cat /usr/share/lxc/config/common.conf.d/10-secomp-hack.conf
# Advised to stgraber to add this file after seeing lxc-start fail with
# lxc-start 20161020121833.069 ERROR lxc_seccomp - seccomp.
lxc.seccomp= |
|
| 2016-10-21 16:52:58 |
Martin Pitt |
lxc (Ubuntu Yakkety): status |
In Progress |
Fix Committed |
|
| 2016-10-21 16:53:00 |
Martin Pitt |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-10-21 16:53:07 |
Martin Pitt |
bug |
|
|
added subscriber SRU Verification |
| 2016-10-21 16:53:13 |
Martin Pitt |
tags |
jujuqa lxd regression s390x |
jujuqa lxd regression s390x verification-needed |
|
| 2016-10-21 16:53:50 |
Martin Pitt |
lxc (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2016-10-21 23:29:35 |
Stéphane Graber |
tags |
jujuqa lxd regression s390x verification-needed |
jujuqa lxd regression s390x verification-done |
|
| 2016-10-21 23:29:57 |
Launchpad Janitor |
lxc (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2016-10-21 23:30:04 |
Stéphane Graber |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2016-10-21 23:30:15 |
Launchpad Janitor |
lxc (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
| 2016-10-22 00:01:50 |
Stéphane Graber |
lxc (Ubuntu Zesty): status |
Triaged |
Fix Committed |
|
| 2016-10-25 19:07:44 |
Curtis Hovey |
juju-ci-tools: status |
In Progress |
Fix Released |
|
| 2016-11-01 21:29:44 |
Stéphane Graber |
lxc (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
