[pkg-lxc-devel] Bug#888647: lxc: unprivileged container doesn't boot due to cgroup ownership

Andrea Villa andreakarimodm at gmail.com
Sun Jan 28 10:34:03 UTC 2018


Package: lxc
Version: 1:2.0.7-2+deb9u1
Severity: normal
Tags: patch

Dear Maintainer,

   * What led up to the situation?

   Just create a simple user unprivileged lxc container after following the
official Debian documentation
https://wiki.debian.org/LXC#Unprivileged_container.

   Container fails when started with:

   ----------------
   lxc-start 20170124115651.107 ERROR    lxc_cgfs - cgroups/cgfs.c:lxc_cgroupfs_create:909 - Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
   lxc-start 20170124115651.107 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/
   lxc-start 20170124115651.107 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
   lxc-start 20170124115651.107 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls,net_prio/
   lxc-start 20170124115651.107 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/pids/user.slice/user-1000.slice/session-2.scope
   lxc-start 20170124115651.108 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/user.slice
   lxc-start 20170124115651.108 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
   lxc-start 20170124115651.108 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/user.slice
   lxc-start 20170124115651.108 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/user.slice
   lxc-start 20170124115651.109 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/user.slice
   lxc-start 20170124115651.109 ERROR    lxc_cgfs - cgroups/cgfs.c:cgroup_rmdir:209 - Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope
   lxc-start 20170124115651.109 ERROR    lxc_start - start.c:lxc_spawn:1108 - Failed creating cgroups.
   lxc-start 20170124115651.109 ERROR    lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "ubuntu".
   lxc-start 20170124115651.616 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
   lxc-start 20170124115651.616 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
   ----------------

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

   I have found this thread on the LXC forums,
https://discuss.linuxcontainers.org/t/failed-creating-cgroups/272/4, which
suggests using the Ubuntu version of the libpam-cgfs package.
   The Ubuntu version of the package seems to include some patches that
properly set the user's CGroups permissions upon the user's login.

   * What was the outcome of this action?

         Installing the Ubuntu version of the libpam-cgfs fixes the problem.


I was not sure if I should have posted the bug here or in libpam-cgfs. I
hope you don't mind my choice.

Bests,

Andrea


-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (400, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-0.bpo.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxc depends on:
ii  init-system-helpers  1.48
ii  libapparmor1         2.11.0-3
ii  libc6                2.24-11+deb9u1
ii  libcap2              1:2.25-1
ii  libgnutls30          3.5.8-5+deb9u3
ii  liblxc1              1:2.0.7-2+deb9u1
ii  libseccomp2          2.3.1-2.1
ii  libselinux1          2.6-3+b3
ii  lsb-base             9.20161125
ii  python3              3.5.3-1
ii  python3-lxc          1:2.0.7-2+deb9u1

Versions of packages lxc recommends:
ii  bridge-utils  1.5-13+deb9u1
ii  debootstrap   1.0.92~bpo9+1
ii  dirmngr       2.1.18-8~deb9u1
ii  dnsmasq-base  2.76-5+deb9u1
ii  gnupg         2.1.18-8~deb9u1
ii  iptables      1.6.1-2~bpo9+1
ii  libpam-cgfs   2.0.7-1
ii  lxcfs         2.0.7-1
ii  openssl       1.1.0f-3+deb9u1
ii  rsync         3.1.2-1+deb9u1
ii  uidmap        1:4.4-4.1

Versions of packages lxc suggests:
ii  apparmor     2.11.0-3
pn  btrfs-tools  <none>
ii  lvm2         2.02.168-2

-- Configuration Files:
/etc/lxc/default.conf changed [not included]

-- no debconf information
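
Added example, not part of the original report and not code from LXC or libpam-cgfs: a diagnostic for the ownership problem described above. It reads a `/proc/<pid>/cgroup`-style file and reports, per cgroup v1 hierarchy, whether the session's cgroup directory exists and is owned by the given uid. The function names, the ownership criterion, the `/sys/fs/cgroup/<controllers>` mount layout and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# check_cgroup_owner CGROUP_FILE CGROUP_ROOT UID   (hypothetical helper)
# CGROUP_FILE has lines "id:controllers:path" as in /proc/self/cgroup.
# Prints one status line per v1 hierarchy; returns 1 if any is not usable.
check_cgroup_owner() {
    cgfile=$1 root=$2 want_uid=$3
    bad=0
    while IFS=: read -r _id ctrl path; do
        # cgroup v2 entries ("0::/...") have no controller field; skip them.
        [ -n "$ctrl" ] || continue
        # Named hierarchies are listed as "name=systemd" but mounted as "systemd".
        dir="$root/${ctrl#name=}$path"
        if [ ! -d "$dir" ]; then
            echo "MISSING   $dir"; bad=1
        elif [ "$(stat -c %u "$dir")" != "$want_uid" ]; then
            # Assumption: the user can only create a child cgroup here if
            # the directory is owned by that user.
            echo "NOT-OWNED $dir"; bad=1
        else
            echo "OK        $dir"
        fi
    done < "$cgfile"
    return "$bad"
}

# Constructed sample: the memory hierarchy has the session cgroup, pids does not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/memory/user.slice" "$tmp/root/pids"
    printf '%s\n' '4:memory:/user.slice' \
        '3:pids:/user.slice/user-1000.slice/session-2.scope' \
        '0::/user.slice' > "$tmp/cgroup"
    check_cgroup_owner "$tmp/cgroup" "$tmp/root" "$(id -u)"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# On a real host, run as the affected user:
#   check_cgroup_owner /proc/self/cgroup /sys/fs/cgroup "$(id -u)"
if [ "${1:-}" = demo ]; then demo; fi
```
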