unprivileged lxc containers won't start, need to put sessions into "pids" cgroup controller

Bug #1533833 reported by Bas Zoetekouw
Affects               Status        Importance  Assigned to   Milestone
lxc (Ubuntu)          Fix Released  Medium      Unassigned
  Wily                New           Medium      Unassigned
systemd (Ubuntu)      Fix Released  Medium      Unassigned
  Wily                Fix Released  Medium      Martin Pitt

Bug Description

I'm trying to get (unprivileged) lxc containers to run on wily. I create a container like this:

> lxc-create -t download -n u1 -- -d ubuntu -r wily -a amd64

that works. However, starting the container fails:

> lxc-start -n u1
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

Setting the log priority to debug shows the following (relevant part only):

      lxc-start 1452717530.484 INFO lxc_start - start.c:lxc_init:474 - 'u1' is initialized
      lxc-start 1452717530.484 DEBUG lxc_start - start.c:__lxc_start:1186 - Not dropping cap_sys_boot or watching utmp
      lxc-start 1452717530.484 INFO lxc_start - start.c:resolve_clone_flags:883 - Cloning a new user namespace
      lxc-start 1452717530.484 INFO lxc_cgroup - cgroup.c:cgroup_init:65 - cgroup driver cgmanager initing for u1
      lxc-start 1452717530.489 ERROR lxc_cgmanager - cgmanager.c:lxc_cgmanager_enter:698 - call to cgmanager_move_pid_sync failed: invalid request
lxc-start: cgmanager.c: lxc_cgmanager_enter: 698 call to cgmanager_move_pid_sync failed: invalid request
      lxc-start 1452717530.490 ERROR lxc_start - start.c:__lxc_start:1213 - failed to spawn 'u1'
lxc-start: start.c: __lxc_start: 1213 failed to spawn 'u1'
      lxc-start 1452717530.513 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start: lxc_start.c: main: 344 The container failed to start.
      lxc-start 1452717530.513 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

So it seems a cgmanager issue. Syslog shows:

Jan 13 21:37:58 miranda cgmanager[22010]: cgmanager:do_create_main: pid 25615 (uid 1000 gid 1000) may not create under /run/cgmanager/fs/pids
Jan 13 21:37:58 miranda cgmanager[22010]: cgmanager: Invalid path /run/cgmanager/fs/pids/lxc/u1
Jan 13 21:37:58 miranda cgmanager[22010]: cgmanager:per_ctrl_move_pid_main: Invalid path /run/cgmanager/fs/pids/lxc/u1
Jan 13 21:38:50 miranda cgmanager[22010]: cgmanager:do_create_main: pid 25632 (uid 1000 gid 1000) may not create under /run/cgmanager/fs/pids
Jan 13 21:38:50 miranda cgmanager[22010]: cgmanager: Invalid path /run/cgmanager/fs/pids/lxc/u1
Jan 13 21:38:50 miranda cgmanager[22010]: cgmanager:per_ctrl_move_pid_main: Invalid path /run/cgmanager/fs/pids/lxc/u1

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

You're using a newer kernel which provides the 'pids' cgroup. Systemd doesn't
know about that one and so doesn't create a cgroup for you that you own. Lxc
in turn (in wily) doesn't yet know how to handle that.

You can work around this several ways. The simplest is to do

sudo cgm create pids user
sudo cgm chown pids user $(id -u) $(id -g)
cgm movepid pids user $$

before you start the container.

Changed in lxc (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
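
A diagnostic script added here as an example (it is not Serge's commands and not part of lxc, systemd or cgmanager) that checks the precondition behind the workaround above: the login session must already sit in a cgroup the user owns for every controller, including "pids", or cgmanager refuses the move and lxc-start reports "invalid request". It assumes a cgroup v1 hierarchy mounted at /sys/fs/cgroup/<controller> (the reporter's host reached the same directories through cgmanager under /run/cgmanager/fs); the embedded sample input is constructed from the /proc/self/cgroup listing posted later in this thread.

```shell
#!/bin/sh
# Added example, not code from the bug report, lxc or cgmanager.
# An unprivileged container can only be placed in a cgroup the user owns,
# in every controller; a session without a user-owned "pids" cgroup makes
# lxc-start fail in lxc_cgmanager_enter with "invalid request".
# Assumption: cgroup v1 mounted at /sys/fs/cgroup/<controller>.

# Controllers checked; "pids" is the one the wily systemd did not know about.
REQUIRED_CONTROLLERS="pids memory cpu freezer devices"

# Constructed sample in /proc/self/cgroup format (shortened from the listing
# Serge posted in this thread); used only by the offline self-test.
SAMPLE_CGROUP='8:pids:/user.slice/user-1000.slice/session-2.scope
2:cpu,cpuacct:/user.slice/user-1000.slice/session-2.scope
1:name=systemd:/user.slice/user-1000.slice/session-2.scope'

# cgroup_path_for CONTROLLER TEXT
# Prints the cgroup path of CONTROLLER from TEXT (/proc/self/cgroup format).
# Handles comma-joined entries such as "cpu,cpuacct". Returns 1 if absent.
cgroup_path_for() {
    printf '%s\n' "$2" | awk -F: -v want="$1" '
        {
            n = split($2, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == want) { print $3; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# session_missing_controllers TEXT
# Prints the required controllers that have no entry at all in TEXT.
session_missing_controllers() {
    missing=""
    for c in $REQUIRED_CONTROLLERS; do
        cgroup_path_for "$c" "$1" >/dev/null || missing="$missing $c"
    done
    printf '%s\n' "${missing# }"
}

# owns_cgroup CONTROLLER CGROUP_ROOT
# Returns 0 when the calling user owns its cgroup directory for CONTROLLER,
# which is what cgmanager requires before letting the user create under it.
owns_cgroup() {
    path=$(cgroup_path_for "$1" "$(cat /proc/self/cgroup)") || return 1
    dir="$2/$1$path"
    [ -d "$dir" ] && [ "$(stat -c %u "$dir")" = "$(id -u)" ]
}

# Live check of the current session; run as: sh cgroup-check.sh --check
main() {
    text=$(cat /proc/self/cgroup) || return 1
    missing=$(session_missing_controllers "$text")
    if [ -n "$missing" ]; then
        echo "session has no cgroup for: $missing"
        echo "lxc-start will fail in lxc_cgmanager_enter until it is moved into one"
        return 1
    fi
    rc=0
    for c in $REQUIRED_CONTROLLERS; do
        if owns_cgroup "$c" /sys/fs/cgroup; then
            echo "ok:   $c cgroup is owned by uid $(id -u)"
        else
            echo "FAIL: $c cgroup is not owned by uid $(id -u)"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in --check) main ;; esac
```

A FAIL line for "pids" on a wily host with a newer kernel is exactly the state the cgm create/chown/movepid workaround above repairs.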
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

systemd should be updated to know about the pids cgroup

Changed in lxc (Ubuntu):
status: Confirmed → Fix Released
Changed in systemd (Ubuntu):
status: New → Fix Released
Changed in lxc (Ubuntu Wily):
importance: Undecided → Medium
Changed in systemd (Ubuntu):
importance: Undecided → Medium
Changed in systemd (Ubuntu Wily):
importance: Undecided → Medium
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

(Note this should be properly handled in xenial, but needs fixing in wily)

Revision history for this message
Bas Zoetekouw (baszoetekouw) wrote :

Ah, right, that explains things: I'm running a xenial kernel, I think.

For completeness sake, these are the versions:

[bas@miranda]~> uname -a
Linux miranda 4.3.0-5-generic #16-Ubuntu SMP Wed Dec 16 23:33:25 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[bas@miranda]~> dpkg -l linux-image-\* systemd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
un linux-image-3. <none> <none> (no description available)
ii linux-image-4. 4.2.0-23.28 amd64 Linux kernel image for version 4.
ii linux-image-4. 4.3.0-5.16 amd64 Linux kernel image for version 4.
ii linux-image-ex 4.2.0-23.28 amd64 Linux kernel extra modules for ve
ii linux-image-ex 4.3.0-5.16 amd64 Linux kernel extra modules for ve
ii linux-image-ge 4.2.0.23.25 amd64 Generic Linux kernel image
ii systemd 225-1ubuntu9 amd64 system and service manager

Martin Pitt (pitti)
Changed in systemd (Ubuntu Wily):
status: New → Triaged
summary: - unprivileged lxc containers won't start
+ unprivileged lxc containers won't start, need to put sessions into
+ "pids" cgroup controlelr
summary: unprivileged lxc containers won't start, need to put sessions into
- "pids" cgroup controlelr
+ "pids" cgroup controller
Revision history for this message
Martin Pitt (pitti) wrote :

I uploaded a systemd with adding the "pids" cgroup controller to https://launchpad.net/~pitti/+archive/ubuntu/ppa . It would be great if you could test this! (Sorry, running out of time today.)

Changed in systemd (Ubuntu Wily):
assignee: nobody → Martin Pitt (pitti)
status: Triaged → In Progress
Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1533833] Re: unprivileged lxc containers won't start, need to put sessions into "pids" cgroup controller

Thanks - Martin - tested that with the mainline kernel, and it did indeed
give me a pids cgroup:

ubuntu@pitti:~$ cat /proc/self/cgroup
11:hugetlb:/user.slice/user-1000.slice/session-2.scope
10:blkio:/user.slice/user-1000.slice/session-2.scope
9:devices:/user.slice/user-1000.slice/session-2.scope
8:pids:/user.slice/user-1000.slice/session-2.scope
7:memory:/user.slice/user-1000.slice/session-2.scope
6:perf_event:/user.slice/user-1000.slice/session-2.scope
5:cpuset:/user.slice/user-1000.slice/session-2.scope
4:net_cls,net_prio:/user.slice/user-1000.slice/session-2.scope
3:freezer:/user.slice/user-1000.slice/session-2.scope
2:cpu,cpuacct:/user.slice/user-1000.slice/session-2.scope
1:name=systemd:/user.slice/user-1000.slice/session-2.scope

Revision history for this message
Martin Pitt (pitti) wrote :

Tested it myself now as well. I uploaded it to the wily-proposed SRU queue.

Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Bas, or anyone else affected,

Accepted systemd into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/225-1ubuntu9.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in systemd (Ubuntu Wily):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote : [systemd/wily] possible regression found

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of systemd from wily-proposed was performed and bug 1538960 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1538960 (not this bug). Thanks!

tags: added: verification-failed
Revision history for this message
Martin Pitt (pitti) wrote :

Bug 1538960 is unrelated and a local configuration error.

tags: removed: verification-failed
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of systemd from wily-proposed was performed and bug 1539488 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1539488 (not this bug). Thanks!

tags: added: verification-failed
Revision history for this message
Martin Pitt (pitti) wrote :

bug 1539488 is nothing new and not related to systemd.

tags: removed: verification-failed
Revision history for this message
Martin Pitt (pitti) wrote :

Bas, any chance to test the update in -proposed so that we can release that?

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of systemd from wily-proposed was performed and bug 1545272 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1545272 (not this bug). Thanks!

tags: added: verification-failed
Revision history for this message
Bas Zoetekouw (baszoetekouw) wrote : Re: [Bug 1533833] Re: unprivileged lxc containers won't start, need to put sessions into "pids" cgroup controller

Hi Martin,

On 11-02-16 10:24, Martin Pitt wrote:
> Bas, any chance to test the update in -proposed so that we can
> release that?

I'll try to test it later this week, if that's ok.

Best regards,
Bas.

Revision history for this message
Bas Zoetekouw (baszoetekouw) wrote :

Hi Martin,

> On 11-02-16 10:24, Martin Pitt wrote:
>> Bas, any chance to test the update in -proposed so that we can
>> release that?
>
> I'll try to test it later this week, if that's ok.

Unfortunately, the xenial 4.4 kernel won't boot for me at the moment
(keyboard doesn't work while inputting disk decryption key), so I
can't test if this is fixed...

Gr,
Bas.

Revision history for this message
Bas Zoetekouw (baszoetekouw) wrote :

I've just tried with an upstream 4.5.0-rc4 kernel (which does boot on my laptop).

Unfortunately, it doesn't work yet.

linux-image linux-image-4.5.0-040500rc4-generic
systemd 229-1ubuntu2
lxc 1.1.5-0ubuntu0.15.10.3

starting a container gives:

      lxc-start 1455712091.086 DEBUG lxc_console - console.c:lxc_console_peer_default:536 - no console peer
      lxc-start 1455712091.092 INFO lxc_monitor - monitor.c:lxc_monitor_sock_name:178 - using monitor sock name lxc/1139bd77ce7a3a6c//home/bas/.local/share/lxc
      lxc-start 1455712091.132 INFO lxc_start - start.c:lxc_init:474 - 'aansluitform-deploy' is initialized
      lxc-start 1455712091.132 DEBUG lxc_start - start.c:__lxc_start:1186 - Not dropping cap_sys_boot or watching utmp
      lxc-start 1455712091.133 INFO lxc_start - start.c:resolve_clone_flags:883 - Cloning a new user namespace
      lxc-start 1455712091.133 INFO lxc_cgroup - cgroup.c:cgroup_init:65 - cgroup driver cgmanager initing for aansluitform-deploy
      lxc-start 1455712091.138 ERROR lxc_cgmanager - cgmanager.c:lxc_cgmanager_enter:698 - call to cgmanager_move_pid_sync failed: invalid request
      lxc-start 1455712091.138 ERROR lxc_start - start.c:__lxc_start:1213 - failed to spawn 'aansluitform-deploy'
      lxc-start 1455712091.163 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
      lxc-start 1455712091.164 WARN lxc_cgmanager - cgmanager.c:cgm_get:994 - do_cgm_get exited with error
      lxc-start 1455712096.169 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Just to be sure, can you show the systemd version you were using here? The intent was to check with systemd from wily-proposed, with the regular wily kernel. In particular, an upstream kernel would be expected to fail by default without setting an extra apparmor flag in the container configuration (though that doesn't seem to be how yours is failing)

What does /proc/self/cgroup look like?

Revision history for this message
Martin Pitt (pitti) wrote : Re: [Bug 1533833] Re: unprivileged lxc containers won't start, need to put sessions into "pids" cgroup controller

Serge Hallyn [2016-02-18 16:39 -0000]:
> Just to be sure, can you show the systemd version you were using here?
> The intent was to check with systemd from wily-proposed, with the
> regular wily kernel.

I thought the idea was to use a xenial kernel on wily?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Oh, right, something with the pids controller enabled.

Still want to make sure he's using the right systemd version, since his appears not to be fixed otherwise.

Revision history for this message
Bas Zoetekouw (baszoetekouw) wrote :

This was systemd and kernel from xenial. I'll try again tomorrow with the wily-proposed systemd and xenial kernel.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks - do make sure to log back in after the update.

The xenial systemd would fail because there you must have libpam-cgfs
to get your own cgroups for lxc. In wily iirc that should not be
required.

Revision history for this message
Bas Zoetekouw (baszoetekouw) wrote :

I've downgraded systemd to 225-1ubuntu9.1 from wily/proposed. Kernel is still linux-image-4.5.0-040500rc4-generic and lxc is 1.1.5-0ubuntu0.15.10.3 from wily-updates.

Unfortunately, when I now start the lxc container, I seem to hit a different bug. I get:

      lxc-start 1455870309.289 INFO lxc_conf - conf.c:setup_tty:1080 - 4 tty(s) has been setup
      lxc-start 1455870309.289 INFO lxc_conf - conf.c:setup_personality:1473 - set personality to '0x0'
      lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2279 - drop capability 'mac_admin' (33)
      lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2279 - drop capability 'mac_override' (32)
      lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2279 - drop capability 'sys_time' (25)
      lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2279 - drop capability 'sys_module' (16)
      lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2288 - capabilities have been setup
      lxc-start 1455870309.289 NOTICE lxc_conf - conf.c:lxc_setup:4026 - 'aansluitform-deploy' is setup.
      lxc-start 1455870309.289 WARN lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:167 - Incomplete AppArmor support in your kernel
      lxc-start 1455870309.289 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:169 - If you really want to start this container, set
      lxc-start 1455870309.289 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:170 - lxc.aa_allow_incomplete = 1
      lxc-start 1455870309.289 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:171 - in your container configuration file
      lxc-start 1455870309.289 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 4
      lxc-start 1455870309.289 ERROR lxc_start - start.c:__lxc_start:1213 - failed to spawn 'aansluitform-deploy'
      lxc-start 1455870309.290 ERROR lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:523 - call to cgmanager_remove_sync failed: invalid request
      lxc-start 1455870309.290 ERROR lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:525 - Error removing all:lxc/aansluitform-deploy-8
      lxc-start 1455870309.317 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
      lxc-start 1455870309.317 WARN lxc_cgmanager - cgmanager.c:cgm_get:994 - do_cgm_get exited with error
      lxc-start 1455870314.321 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start: lxc_start.c: main: 344 The container failed to start.
      lxc-start 1455870314.321 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
      lxc-start 1455870314.321 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

When add...

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Quoting Bas Zoetekouw (<email address hidden>):
> I've downgraded systemd to 225-1ubuntu9.1 from wily/proposed. Kernel is
> still linux-image-4.5.0-040500rc4-generic and lxc is
> 1.1.5-0ubuntu0.15.10.3 from wily-updates.
>
> Unfortunately, when I now start the lxc container, I seem to hit a
> different bug. I get:
>
> lxc-start 1455870309.289 INFO lxc_conf - conf.c:setup_tty:1080 - 4 tty(s) has been setup
> lxc-start 1455870309.289 INFO lxc_conf - conf.c:setup_personality:1473 - set personality to '0x0'
> lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2279 - drop capability 'mac_admin' (33)
> lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2279 - drop capability 'mac_override' (32)
> lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2279 - drop capability 'sys_time' (25)
> lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2279 - drop capability 'sys_module' (16)
> lxc-start 1455870309.289 DEBUG lxc_conf - conf.c:setup_caps:2288 - capabilities have been setup
> lxc-start 1455870309.289 NOTICE lxc_conf - conf.c:lxc_setup:4026 - 'aansluitform-deploy' is setup.
> lxc-start 1455870309.289 WARN lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:167 - Incomplete AppArmor support in your kernel
> lxc-start 1455870309.289 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:169 - If you really want to start this container, set

Right, that is what I was referring to in comment #18. If you use an
upstream kernel then you need to update the container configuration, as
mentioned in the next line of the error msg. You can add

lxc.aa_allow_incomplete = 1

to your configuration to proceed.

> lxc-start 1455870309.289 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:170 - lxc.aa_allow_incomplete = 1
> lxc-start 1455870309.289 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:171 - in your container configuration file
> lxc-start 1455870309.289 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 4

Revision history for this message
Bas Zoetekouw (baszoetekouw) wrote :

strangely enough, adding the aa_allow_incomplete option doesn't seem to make a difference; container startup keeps failing at the same point.

In any case, it does seem to initialize the container correctly, and I seem to hit a different issue. The entire cgroup thing seems to work now, at least:

      lxc-start 1455916829.396 INFO lxc_start - start.c:lxc_init:474 - 'aansluitform-deploy' is initialized
      lxc-start 1455916829.396 DEBUG lxc_start - start.c:__lxc_start:1186 - Not dropping cap_sys_boot or watching utmp
      lxc-start 1455916829.396 INFO lxc_start - start.c:resolve_clone_flags:883 - Cloning a new user namespace
      lxc-start 1455916829.396 INFO lxc_cgroup - cgroup.c:cgroup_init:65 - cgroup driver cgmanager initing for aansluitform-deploy
      lxc-start 1455916829.507 NOTICE lxc_start - start.c:do_start:699 - switching to gid/uid 0 in new user namespace
      lxc-start 1455916829.509 DEBUG lxc_conf - conf.c:setup_rootfs:1295 - mounted '/home/bas/.local/share/lxc/aansluitform-deploy/rootfs' on '/usr/lib/x86_64-linux-gnu/lxc'
      lxc-start 1455916829.509 INFO lxc_conf - conf.c:setup_utsname:928 - 'aansluitform-deploy' hostname has been setup
      lxc-start 1455916829.509 DEBUG lxc_conf - conf.c:setup_netdev:2595 - 'eth0' has been setup
      lxc-start 1455916829.509 INFO lxc_conf - conf.c:setup_network:2616 - network has been setup
      lxc-start 1455916829.509 INFO lxc_conf - conf.c:mount_autodev:1157 - Mounting container /dev
      lxc-start 1455916829.509 INFO lxc_conf - conf.c:mount_autodev:1179 - Mounted tmpfs onto /usr/lib/x86_64-linux-gnu/lxc/dev
      lxc-start 1455916829.509 INFO lxc_conf - conf.c:mount_autodev:1197 - Mounted container /dev

which seems to pass the point where it failed before.

A little bit later, it now fails with

      lxc-start 1455916829.616 WARN lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:167 - Incomplete AppArmor support in your kernel
      lxc-start 1455916829.616 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:183 - No such file or directory - failed to change apparmor profile to lxc-container-default
      lxc-start 1455916829.616 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 4
      lxc-start 1455916829.616 ERROR lxc_start - start.c:__lxc_start:1213 - failed to spawn 'aansluitform-deploy'
      lxc-start 1455916829.616 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
      lxc-start 1455916829.616 WARN lxc_cgmanager - cgmanager.c:cgm_get:994 - do_cgm_get exited with error
      lxc-start 1455916829.616 ERROR lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:523 - call to cgmanager_remove_sync failed: invalid request
      lxc-start 1455916829.616 ERROR lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:525 - Error removing all:lxc/aansluitform-deploy-10
      lxc-start 1455916834.621 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
      lxc-start 1455916834.621 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
      lxc-start 14559...

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Marking verification-done bc the pids cgroup problem is addressed. If you continue to have a problem with the apparmor profile, please file a new bug.

tags: added: verification-done
removed: verification-failed verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 225-1ubuntu9.1

---------------
systemd (225-1ubuntu9.1) wily-proposed; urgency=medium

  * Add "pids" cgroup controller to user LXC support patch. Fixes running with
    newer kernels. (LP: #1533833)

 -- Martin Pitt <email address hidden> Mon, 18 Jan 2016 21:54:41 +0100

Changed in systemd (Ubuntu Wily):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
