Discussion:
Can't start unprivileged container in Ubuntu 14.04 with LXC 2
Ben Warren
2017-05-03 23:21:45 UTC
Hi,

I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based. I’ve found lots of examples of problems that are close, but nothing exactly matches. I got the lxc packages from trusty-backports.

Versions:

***@ben-sc:~$ lxc-ls --version
2.0.7
***@ben-sc:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

To keep it simple, I created an unprivileged container of ‘trusty’ using the download method:

***@ben-sc:~$ lxc-create -n cd-build -t download


When I try to start the container, it won’t work:

***@ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.

Logfile contents:

lxc-start 20170503225525.382 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170503225525.382 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170503225525.382 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170503225525.382 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
lxc-start 20170503225530.922 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

Also:

————————————

***@ben-sc:~$ cat /proc/self/cgroup
12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
10:hugetlb:/user/1001.user/c2.session
9:perf_event:/user/1001.user/c2.session
8:blkio:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/

***@ben-sc:~$ lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.13.0-40-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

————————————

Hopefully I just missed something obvious.

thanks,
—Ben
Serge E. Hallyn
2017-05-04 16:00:13 UTC
Post by Ben Warren
Hi,
I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based. I’ve found lots of examples of problems that are close, but nothing exactly matches. I got the lxc packages from trusty-backports.
2.0.7
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start 20170503225525.382 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
This is odd, not the error I would have expected.

Can you tell me the exact version and from which ppa?

Is there anything in syslog about the failed mount?

You might try some of the other cgroup auto-mount settings (see lxc.container.conf(5)), maybe

lxc.mount.auto = cgroup:rw
Post by Ben Warren
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170503225525.382 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170503225525.382 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170503225525.382 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
lxc-start 20170503225530.922 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
————————————
12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
10:hugetlb:/user/1001.user/c2.session
9:perf_event:/user/1001.user/c2.session
8:blkio:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.13.0-40-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
————————————
Hopefully I just missed something obvious.
thanks,
—Ben
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users
Ben Warren
2017-05-08 04:22:31 UTC
Hi Serge,
Post by Serge E. Hallyn
Post by Ben Warren
Hi,
I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based. I’ve found lots of examples of problems that are close, but nothing exactly matches. I got the lxc packages from trusty-backports.
ben at ben-sc:~$ lxc-ls --version
2.0.7
ben at ben-sc:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
ben at ben-sc:~$ lxc-create -n cd-build -t download
ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start 20170503225525.382 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
This is odd, not the error I would have expected.
Can you tell me the exact version and from which ppa?
$ dpkg -s lxc
Package: lxc
Status: install ok installed
Priority: extra
Section: oldlibs
Installed-Size: 77
Maintainer: Ubuntu Developers <ubuntu-devel-***@lists.ubuntu.com>
Architecture: all
Version: 2.0.7-0ubuntu1~14.04.1
Depends: lxc1 (>= 2.0.7-0ubuntu1~14.04.1)

I got it from here:

http://us.archive.ubuntu.com/ubuntu/ trusty-backports

Here’s what gets installed:

$ sudo apt-get install -t trusty-backports lxc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools
libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc-common lxc-templates lxc1
python-distro-info python-requestbuilder python3-lxc uidmap
Suggested packages:
shunit2 gnutls-bin btrfs-tools lvm2 lxctl
Recommended packages:
lxcfs libpam-cgfs
The following NEW packages will be installed:
bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools
libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc lxc-common lxc-templates
lxc1 python-distro-info python-requestbuilder python3-lxc uidmap

As for the overall environment, this is a VM that was originally set up almost 3 years ago, and as a lab machine has only been piecemeal updated over time as needed. The problem is that I have probably a hundred identical instances and am concerned that the package dependencies are maybe not quite right. I’m certainly willing to update whatever individual packages are necessary to get this going. I have the VM snapshotted before trying this, so it’s trivial to reproduce.
Post by Serge E. Hallyn
Is there anything in syslog about the failed mount?
This is all I see. It’s at lxc install time, not when trying to start the container:

May 7 21:01:01 ben-sc kernel: [ 103.486718] type=1400 audit(1494216061.420:68): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.486925] type=1400 audit(1494216061.420:69): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.487100] type=1400 audit(1494216061.420:70): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.487292] type=1400 audit(1494216061.420:71): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.519003] type=1400 audit(1494216061.452:72): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=5835 comm="apparmor_parser"
Post by Serge E. Hallyn
You might try some of the other cgroup auto-mount settings (see lxc.container.conf(5)), maybe
lxc.mount.auto = cgroup:rw
I tried that, and get:

lxc-start 20170508041726.340 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
lxc-start 20170508041726.340 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170508041726.340 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170508041726.340 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170508041726.340 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170508041726.340 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
Post by Serge E. Hallyn
Post by Ben Warren
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170503225525.382 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170503225525.382 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170503225525.382 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
lxc-start 20170503225530.922 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
————————————
ben at ben-sc:~$ cat /proc/self/cgroup
12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
10:hugetlb:/user/1001.user/c2.session
9:perf_event:/user/1001.user/c2.session
8:blkio:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/
ben at ben-sc:~$ lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.13.0-40-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
————————————
Hopefully I just missed something obvious.
thanks,
—Ben
regards,
Ben
Serge E. Hallyn
2017-05-08 16:41:00 UTC
Post by Ben Warren
Hi Serge,
Post by Serge E. Hallyn
Post by Ben Warren
Hi,
I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based. I’ve found lots of examples of problems that are close, but nothing exactly matches. I got the lxc packages from trusty-backports.
ben at ben-sc:~$ lxc-ls --version
2.0.7
ben at ben-sc:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
ben at ben-sc:~$ lxc-create -n cd-build -t download
ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start 20170503225525.382 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
This is odd, not the error I would have expected.
Can you tell me the exact version and from which ppa?
$ dpkg -s lxc
Package: lxc
Status: install ok installed
Priority: extra
Section: oldlibs
Installed-Size: 77
Architecture: all
Version: 2.0.7-0ubuntu1~14.04.1
Depends: lxc1 (>= 2.0.7-0ubuntu1~14.04.1)
http://us.archive.ubuntu.com/ubuntu/ trusty-backports
Hm, when I use that, I get

lxc-start 20170508163649.375 INFO lxc_cgroup - cgroups/cgroup.c:cgroup_init:68 - cgroup driver cgroupfs-ng initing for t1
lxc-start 20170508163649.375 DEBUG lxc_cgfsng - cgroups/cgfsng.c:filter_and_set_cpus:452 - Path: /sys/devices/system/cpu/isolated to read isolated cpus from does not exist.

which still stops the container from starting, but is different from your error.
Serge E. Hallyn
2017-05-08 18:49:03 UTC
Post by Serge E. Hallyn
Post by Ben Warren
Hi Serge,
Post by Serge E. Hallyn
Post by Ben Warren
Hi,
I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based. I’ve found lots of examples of problems that are close, but nothing exactly matches. I got the lxc packages from trusty-backports.
ben at ben-sc:~$ lxc-ls --version
2.0.7
ben at ben-sc:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
ben at ben-sc:~$ lxc-create -n cd-build -t download
ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start 20170503225525.382 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
This is odd, not the error I would have expected.
Can you tell me the exact version and from which ppa?
$ dpkg -s lxc
Package: lxc
Status: install ok installed
Priority: extra
Section: oldlibs
Installed-Size: 77
Architecture: all
Version: 2.0.7-0ubuntu1~14.04.1
Depends: lxc1 (>= 2.0.7-0ubuntu1~14.04.1)
http://us.archive.ubuntu.com/ubuntu/ trusty-backports
Hm, when I use that, I get
lxc-start 20170508163649.375 INFO lxc_cgroup - cgroups/cgroup.c:cgroup_init:68 - cgroup driver cgroupfs-ng initing for t1
lxc-start 20170508163649.375 DEBUG lxc_cgfsng - cgroups/cgfsng.c:filter_and_set_cpus:452 - Path: /sys/devices/system/cpu/isolated to read isolated cpus from does not exist.
which still stops the container from starting, but is different from your error.
Sorry, I misread the logfile. My networking wasn't set up right. Once I
fixed that, I was able to start a container unprivileged.
Serge E. Hallyn
2017-05-08 18:55:30 UTC
Post by Ben Warren
Hi Serge,
Post by Serge E. Hallyn
Post by Ben Warren
Hi,
I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based. I’ve found lots of examples of problems that are close, but nothing exactly matches. I got the lxc packages from trusty-backports.
ben at ben-sc:~$ lxc-ls --version
2.0.7
ben at ben-sc:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
ben at ben-sc:~$ lxc-create -n cd-build -t download
ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start 20170503225525.382 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
This is odd, not the error I would have expected.
Can you tell me the exact version and from which ppa?
$ dpkg -s lxc
Package: lxc
Status: install ok installed
Priority: extra
Section: oldlibs
Installed-Size: 77
Architecture: all
Version: 2.0.7-0ubuntu1~14.04.1
Depends: lxc1 (>= 2.0.7-0ubuntu1~14.04.1)
http://us.archive.ubuntu.com/ubuntu/ trusty-backports
$ sudo apt-get install -t trusty-backports lxc
Reading package lists... Done
Building dependency tree
Reading state information... Done
bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools
libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc-common lxc-templates lxc1
python-distro-info python-requestbuilder python3-lxc uidmap
shunit2 gnutls-bin btrfs-tools lvm2 lxctl
lxcfs libpam-cgfs
bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools
libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc lxc-common lxc-templates
lxc1 python-distro-info python-requestbuilder python3-lxc uidmap
As for the overall environment, this is a VM that was originally set up almost 3 years ago, and as a lab machine has only been piecemeal updated over time as needed. The problem is that I have probably a hundred identical instances and am concerned that the package dependencies are maybe not quite right. I’m certainly willing to update whatever individual packages are necessary to get this going. I have the VM snapshotted before trying this, so it’s trivial to reproduce.
Post by Serge E. Hallyn
Is there anything in syslog about the failed mount?
May 7 21:01:01 ben-sc kernel: [ 103.486718] type=1400 audit(1494216061.420:68): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.486925] type=1400 audit(1494216061.420:69): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.487100] type=1400 audit(1494216061.420:70): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.487292] type=1400 audit(1494216061.420:71): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.519003] type=1400 audit(1494216061.452:72): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=5835 comm="apparmor_parser"
Post by Serge E. Hallyn
You might try some of the other cgroup auto-mount settings (see lxc.container.conf(5)), maybe
lxc.mount.auto = cgroup:rw
lxc-start 20170508041726.340 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
lxc-start 20170508041726.340 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170508041726.340 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170508041726.340 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170508041726.340 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170508041726.340 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
Post by Serge E. Hallyn
Post by Ben Warren
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170503225525.382 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170503225525.382 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170503225525.382 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
lxc-start 20170503225530.922 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
————————————
ben at ben-sc:~$ cat /proc/self/cgroup
12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
10:hugetlb:/user/1001.user/c2.session
9:perf_event:/user/1001.user/c2.session
8:blkio:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/
What the heck is causing this? When I log in on a trusty+backports system,
I get:

***@trusty:~$ cat /proc/self/cgroup
11:hugetlb:/user/1000.user/2.session
10:perf_event:/user/1000.user/2.session
9:blkio:/user/1000.user/2.session
8:freezer:/user/1000.user/2.session
7:devices:/user/1000.user/2.session
6:memory:/user/1000.user/2.session
5:cpuacct:/user/1000.user/2.session
4:cpu:/user/1000.user/2.session
3:cpuset:/user/1000.user/2.session
2:name=systemd:/user/1000.user/2.session

(on second login)

***@trusty:~$ dpkg -l | egrep -e "(cgroup|lxc|cgfs)"
ii cgmanager 0.24-0ubuntu7.5 amd64 Central cgroup manager daemon
ii cgroup-lite 1.11~ubuntu14.04.2 all Light-weight package to set up cgroups at system boot
ii libcgmanager0:amd64 0.24-0ubuntu7.5 amd64 Central cgroup manager daemon (client library)
ii liblxc1 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools (library)
ii libpam-cgfs 2.0.6-0ubuntu1~14.04.1 amd64 PAM module for managing cgroups for LXC
ii lxc 2.0.7-0ubuntu1~14.04.1 all Transitional package for lxc1
ii lxc-common 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools (common tools)
ii lxc-templates 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools (templates)
ii lxc1 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools
ii lxcfs 2.0.6-0ubuntu1~14.04.1 amd64 FUSE based filesystem for LXC
ii python3-lxc 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools (Python 3.x bindings)

Ah, now if I purge cgmanager, then upon login I get:

***@trusty:~$ cat /proc/self/cgroup
11:name=systemd:/user/1000.user/1.session
10:hugetlb:/user/1000.user/1.session
9:perf_event:/user/1000.user/1.session
8:blkio:/user/1000.user/1.session
7:freezer:/user/1000.user/1.session
6:devices:/user/1000.user/1.session
5:memory:/user/1000.user/1.session
4:cpuacct:/user/1000.user/1.session
3:cpu:/user/1000.user/1.session
2:cpuset:/

which looks more like yours, but my container still starts...
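The comparison above turns on which cgroup hierarchies the login session has actually been placed in. The following diagnostic is an added example, not code from the thread or from LXC: it parses the `/proc/self/cgroup` format shown in the posts, lists the controllers where the user still sits at the root `/` (no per-session cgroup delegated, so an unprivileged `lxc-start` owns nothing it can create child cgroups under), and diffs two layouts. Treating a controller at `/` as a likely source of the EPERM is a heuristic, not a diagnosis: Serge's own output without cgmanager has `cpuset` at `/` and his container still starts. The sample layouts are copied from the thread; the live `writable_cgroup_dirs` check assumes the trusty cgroup-lite layout of one mount per controller under `/sys/fs/cgroup`.

```python
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs, copied from the thread: Ben's layout and the two
# layouts Serge reported (with cgmanager installed, and after purging it).
BEN_CGROUP = """\
12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
10:hugetlb:/user/1001.user/c2.session
9:perf_event:/user/1001.user/c2.session
8:blkio:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/
"""

SERGE_WITH_CGMANAGER = """\
11:hugetlb:/user/1000.user/2.session
10:perf_event:/user/1000.user/2.session
9:blkio:/user/1000.user/2.session
8:freezer:/user/1000.user/2.session
7:devices:/user/1000.user/2.session
6:memory:/user/1000.user/2.session
5:cpuacct:/user/1000.user/2.session
4:cpu:/user/1000.user/2.session
3:cpuset:/user/1000.user/2.session
2:name=systemd:/user/1000.user/2.session
"""

SERGE_WITHOUT_CGMANAGER = """\
11:name=systemd:/user/1000.user/1.session
10:hugetlb:/user/1000.user/1.session
9:perf_event:/user/1000.user/1.session
8:blkio:/user/1000.user/1.session
7:freezer:/user/1000.user/1.session
6:devices:/user/1000.user/1.session
5:memory:/user/1000.user/1.session
4:cpuacct:/user/1000.user/1.session
3:cpu:/user/1000.user/1.session
2:cpuset:/
"""


def parse_proc_self_cgroup(text: str) -> Dict[str, str]:
    """Map each controller (or name=... hierarchy) to the cgroup path the
    process sits in. Lines have the form "<id>:<ctrl>[,<ctrl>...]:<path>";
    a path of "/" means the process is in the root of that hierarchy."""
    layout: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        _hier_id, controllers, path = line.split(":", 2)
        for ctrl in controllers.split(","):
            layout[ctrl] = path
    return layout


def controllers_at_root(text: str) -> List[str]:
    """Controllers in which the user was never moved into a per-session
    cgroup. Unprivileged lxc-start must create child cgroups under a
    directory the user owns; at "/" the user owns nothing, so cgroup
    writes and mounts there are refused with EPERM."""
    return sorted(c for c, p in parse_proc_self_cgroup(text).items() if p == "/")


def compare_layouts(a: str, b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Controllers whose delegation differs between two layouts: present in
    only one of them, or at "/" in one and in a session cgroup in the other."""
    la, lb = parse_proc_self_cgroup(a), parse_proc_self_cgroup(b)
    diff: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for ctrl in sorted(set(la) | set(lb)):
        pa, pb = la.get(ctrl), lb.get(ctrl)
        if (pa is None) != (pb is None) or (pa == "/") != (pb == "/"):
            diff[ctrl] = (pa, pb)
    return diff


def writable_cgroup_dirs(cgroup_root: str = "/sys/fs/cgroup") -> Dict[str, bool]:
    """Live check (Linux only, not run on the samples): can the current user
    create children at its own cgroup path for each controller? Assumes the
    trusty cgroup-lite layout, one mount per controller under cgroup_root
    and a named hierarchy mounted under its bare name ("systemd")."""
    with open("/proc/self/cgroup") as fh:
        layout = parse_proc_self_cgroup(fh.read())
    result: Dict[str, bool] = {}
    for ctrl, path in layout.items():
        mount = ctrl[len("name="):] if ctrl.startswith("name=") else ctrl
        target = os.path.join(cgroup_root, mount, path.lstrip("/"))
        result[ctrl] = os.path.isdir(target) and os.access(target, os.W_OK)
    return result


if __name__ == "__main__":
    print("Ben, at root:", controllers_at_root(BEN_CGROUP))
    print("Serge (no cgmanager), at root:", controllers_at_root(SERGE_WITHOUT_CGMANAGER))
    print("Ben vs Serge (cgmanager):", compare_layouts(BEN_CGROUP, SERGE_WITH_CGMANAGER))
```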
Serge E. Hallyn
2017-05-09 15:10:04 UTC
Post by Ben Warren
Hi Serge,
Post by Serge E. Hallyn
Post by Ben Warren
Hi Serge,
Post by Serge E. Hallyn
Post by Ben Warren
Hi,
I’m stuck with Ubuntu 14.04 for now and would like to be able to run unprivileged containers that are systemd-based. I’ve found lots of examples of problems that are close, but nothing exactly matches. I got the lxc packages from trusty-backports.
ben at ben-sc:~$ lxc-ls --version
2.0.7
ben at ben-sc:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
ben at ben-sc:~$ lxc-create -n cd-build -t download
ben at ben-sc:~$ lxc-start -n cd-build -d --logfile cd-build.log
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start 20170503225525.382 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
This is odd, not the error I would have expected.
Can you tell me the exact version and from which ppa?
$ dpkg -s lxc
Package: lxc
Status: install ok installed
Priority: extra
Section: oldlibs
Installed-Size: 77
Architecture: all
Version: 2.0.7-0ubuntu1~14.04.1
Depends: lxc1 (>= 2.0.7-0ubuntu1~14.04.1)
http://us.archive.ubuntu.com/ubuntu/ trusty-backports
$ sudo apt-get install -t trusty-backports lxc
Reading package lists... Done
Building dependency tree
Reading state information... Done
bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools
libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc-common lxc-templates lxc1
python-distro-info python-requestbuilder python3-lxc uidmap
shunit2 gnutls-bin btrfs-tools lvm2 lxctl
lxcfs libpam-cgfs
bridge-utils cgroup-lite cloud-image-utils debootstrap distro-info euca2ools
libgnutls28 libhogweed2 liblxc1 libseccomp2 lxc lxc-common lxc-templates
lxc1 python-distro-info python-requestbuilder python3-lxc uidmap
As for the overall environment, this is a VM that was originally set up almost 3 years ago, and as a lab machine has only been piecemeal updated over time as needed. The problem is that I have probably a hundred identical instances and am concerned that the package dependencies are maybe not quite right. I’m certainly willing to update whatever individual packages are necessary to get this going. I have the VM snapshotted before trying this, so it’s trivial to reproduce.
Post by Serge E. Hallyn
Is there anything in syslog about the failed mount?
May 7 21:01:01 ben-sc kernel: [ 103.486718] type=1400 audit(1494216061.420:68): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.486925] type=1400 audit(1494216061.420:69): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.487100] type=1400 audit(1494216061.420:70): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.487292] type=1400 audit(1494216061.420:71): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=5801 comm="apparmor_parser"
May 7 21:01:01 ben-sc kernel: [ 103.519003] type=1400 audit(1494216061.452:72): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=5835 comm="apparmor_parser"
Post by Serge E. Hallyn
You might try some of the other cgroup auto-mount settings (see lxc.container.conf(5)), maybe
lxc.mount.auto = cgroup:rw
lxc-start 20170508041726.340 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpu read-only
lxc-start 20170508041726.340 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170508041726.340 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170508041726.340 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170508041726.340 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170508041726.340 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
Post by Serge E. Hallyn
Post by Ben Warren
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc-start 20170503225525.382 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'cd-build'
lxc-start 20170503225525.382 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "cd-build".
lxc-start 20170503225525.382 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170503225525.382 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "cd-build".
lxc-start 20170503225530.922 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
lxc-start 20170503225530.923 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
————————————
ben at ben-sc:~$ cat /proc/self/cgroup
12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
10:hugetlb:/user/1001.user/c2.session
9:perf_event:/user/1001.user/c2.session
8:blkio:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/
What the heck is causing this? When I log in on a trusty+backports system,
11:hugetlb:/user/1000.user/2.session
10:perf_event:/user/1000.user/2.session
9:blkio:/user/1000.user/2.session
8:freezer:/user/1000.user/2.session
7:devices:/user/1000.user/2.session
6:memory:/user/1000.user/2.session
5:cpuacct:/user/1000.user/2.session
4:cpu:/user/1000.user/2.session
3:cpuset:/user/1000.user/2.session
2:name=systemd:/user/1000.user/2.session
(on second login)
ii cgmanager 0.24-0ubuntu7.5 amd64 Central cgroup manager daemon
ii cgroup-lite 1.11~ubuntu14.04.2 all Light-weight package to set up cgroups at system boot
ii libcgmanager0:amd64 0.24-0ubuntu7.5 amd64 Central cgroup manager daemon (client library)
ii liblxc1 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools (library)
ii libpam-cgfs 2.0.6-0ubuntu1~14.04.1 amd64 PAM module for managing cgroups for LXC
ii lxc 2.0.7-0ubuntu1~14.04.1 all Transitional package for lxc1
ii lxc-common 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools (common tools)
ii lxc-templates 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools (templates)
ii lxc1 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools
ii lxcfs 2.0.6-0ubuntu1~14.04.1 amd64 FUSE based filesystem for LXC
ii python3-lxc 2.0.7-0ubuntu1~14.04.1 amd64 Linux Containers userspace tools (Python 3.x bindings)
11:name=systemd:/user/1000.user/1.session
10:hugetlb:/user/1000.user/1.session
9:perf_event:/user/1000.user/1.session
8:blkio:/user/1000.user/1.session
7:freezer:/user/1000.user/1.session
6:devices:/user/1000.user/1.session
5:memory:/user/1000.user/1.session
4:cpuacct:/user/1000.user/1.session
3:cpu:/user/1000.user/1.session
2:cpuset:/
which looks more like yours, but my container still starts...
I’ve made some progress, but still don’t fully know what’s going on. When I build lxc from source (top-of-tree github.com:lxc/lxc) and compile with full cgmanager and libcap support, the generated binaries work, and I can start not only my ‘trusty’ container, but also ones that are farther from the host, such as ‘debian-stretch’, which is systemd-based.
The difference I see in the log is which cgroup driver is used.
lxc-start 20170509054154.989 INFO lxc_cgroup - cgroups/cgroup.c:cgroup_init:68 - cgroup driver cgroupfs-ng initing for cd-build
lxc-start 20170509053256.861 INFO lxc_cgroup - cgroups/cgroup.c:cgroup_init:68 - cgroup driver cgmanager initing for cd-build
struct cgroup_ops *cgm_ops_init(void)
{
	check_supports_multiple_controllers(-1);
	if (!collect_subsystems())
		return NULL;
	if (api_version < CGM_SUPPORTS_MULT_CONTROLLERS)
		cgm_all_controllers_same = false;
	// if root, try to escape to root cgroup
	if (geteuid() == 0 && !cgm_escape(NULL)) {
		free_subsystems();
		return NULL;
	}
	return &cgmanager_ops;
}
I have no context for how any of this is dependent on the environment, although I’m sure you do :)
Mine were starting with cgfsng which yours is using also, so you don't *need*
the cgmanager driver. But I'm pretty sure that if you build your own with
it enabled it will work.

Is it possible that you have lxc.cgroup.use set in /etc/lxc/lxc.conf or in
~/.config/lxc/lxc.conf, and that it includes 'cpu'? If so, assuming you
don't need it, removing cpu should work around this failure.

Does adding ',cpu' to the end of the pam_cgfs.so line in /etc/pam.d/common-session
help?

The other thing is back to your core problem - why is /sys/fs/cgroup/cpu not
remountable read-only? It may be related to why you have a dsystemd cgroup
hierarchy. Do you recall setting that up and/or why it's there? Can you
show the contents of /proc/1/mounts and /proc/self/mounts on the host and a
fresh host boot log?
Ben Warren
2017-05-09 16:40:33 UTC
<snip>
Post by Serge E. Hallyn
Post by Ben Warren
I’ve made some progress, but still don’t fully know what’s going on. When I build lxc from source (top-of-tree github.com:lxc/lxc) and compile with full cgmanager and libcap support, the generated binaries work, and I can start not only my ‘trusty’ container, but also ones that are farther from the host, such as ‘debian-stretch’, which is systemd-based.
The difference I see in the log is which cgroup driver is used.
lxc-start 20170509054154.989 INFO lxc_cgroup - cgroups/cgroup.c:cgroup_init:68 - cgroup driver cgroupfs-ng initing for cd-build
lxc-start 20170509053256.861 INFO lxc_cgroup - cgroups/cgroup.c:cgroup_init:68 - cgroup driver cgmanager initing for cd-build
struct cgroup_ops *cgm_ops_init(void)
{
	check_supports_multiple_controllers(-1);
	if (!collect_subsystems())
		return NULL;
	if (api_version < CGM_SUPPORTS_MULT_CONTROLLERS)
		cgm_all_controllers_same = false;
	// if root, try to escape to root cgroup
	if (geteuid() == 0 && !cgm_escape(NULL)) {
		free_subsystems();
		return NULL;
	}
	return &cgmanager_ops;
}
I have no context for how any of this is dependent on the environment, although I’m sure you do :)
Mine were starting with cgfsng which yours is using also, so you don't *need*
the cgmanager driver. But I'm pretty sure that if you build your own with
it enabled it will work.
Is it possible that you have lxc.cgroup.use set in /etc/lxc/lxc.conf or in
~/.config/lxc/lxc.conf, and that it includes 'cpu'? If so, assuming you
don't need it, removing cpu should work around this failure.
Neither of these files is present. This is it for config:

***@ben-sc:~/tmp/lxc/src$ cat /etc/lxc/default.conf
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
***@ben-sc:~/tmp/lxc/src$ cat ~/.config/lxc/default.conf
lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536
Post by Serge E. Hallyn
Does adding ',cpu' to the end of the pam_cgfs.so line in /etc/pam.d/common-session
help?
I added like this:

session optional pam_cgfs.so -c freezer,memory,cpu,name=systemd

but it doesn’t seem to make a difference
Post by Serge E. Hallyn
The other thing is back to your core problem - why is /sys/fs/cgroup/cpu not
remountable read-only? It may be related to why you have a dsystemd cgroup
hierarchy. Do you recall setting that up and/or why it's there? Can you
show the contents of /proc/1/mounts and /proc/self/mounts on the host and a
fresh host boot log?
I think the dsystemd thing was left over from me trying something else. It’s not there now, after reverting to before any LXC installation and just installing the backports version of lxc.

Here’s the current state. If I run ‘lxc-start’ runtime-linked against the ‘back ports’ shared libraries I get this message:
lxc-start 20170509161114.691 INFO lxc_conf - conf.c:mount_file_entries:1985 - mount points have been setup
lxc-start 20170509161114.691 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpuset read-only
lxc-start 20170509161114.691 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup

If I change LD_LIBRARY_PATH to use the .so that I built, the container starts as previously mentioned, using cgmanager.

***@ben-sc:~$ cat /proc/self/cgroup
11:name=systemd:/user/1001.user/c2.session
10:perf_event:/user/1001.user/c2.session
9:memory:/user/1001.user/c2.session
8:hugetlb:/user/1001.user/c2.session
7:freezer:/user/1001.user/c2.session
6:devices:/user/1001.user/c2.session
5:cpuacct:/user/1001.user/c2.session
4:blkio:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/user/1001.user/c2.session

***@ben-sc:~$ cat /proc/1/mounts
rootfs / rootfs rw 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,relatime,size=4073948k,nr_inodes=1018487,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=816968k,mode=755 0 0
/dev/disk/by-uuid/0fdaee58-1394-4338-9eed-95ab207f0de6 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
none /sys/fs/cgroup tmpfs rw,relatime,size=4k,mode=755 0 0
none /sys/fs/fuse/connections fusectl rw,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/kernel/security securityfs rw,relatime 0 0
none /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
none /run/shm tmpfs rw,nosuid,nodev,relatime 0 0
none /run/user tmpfs rw,nosuid,nodev,noexec,relatime,size=102400k,mode=755 0 0
none /sys/fs/pstore pstore rw,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0
cgmfs /run/cgmanager/fs tmpfs rw,relatime,size=100k,mode=755 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,release_agent=/run/cgmanager/agents/cgm-release-agent.memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices,release_agent=/run/cgmanager/agents/cgm-release-agent.devices 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio,release_agent=/run/cgmanager/agents/cgm-release-agent.blkio 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb 0 0
name=systemd /sys/fs/cgroup/systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
rpc_pipefs /run/rpc_pipefs rpc_pipefs rw,relatime 0 0
lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
gvfsd-fuse /run/user/1001/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1001,group_id=1001 0 0

***@ben-sc:~$ cat /proc/self/mounts
rootfs / rootfs rw 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,relatime,size=4073948k,nr_inodes=1018487,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=816968k,mode=755 0 0
/dev/disk/by-uuid/0fdaee58-1394-4338-9eed-95ab207f0de6 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
none /sys/fs/cgroup tmpfs rw,relatime,size=4k,mode=755 0 0
none /sys/fs/fuse/connections fusectl rw,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/kernel/security securityfs rw,relatime 0 0
none /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
none /run/shm tmpfs rw,nosuid,nodev,relatime 0 0
none /run/user tmpfs rw,nosuid,nodev,noexec,relatime,size=102400k,mode=755 0 0
none /sys/fs/pstore pstore rw,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0
cgmfs /run/cgmanager/fs tmpfs rw,relatime,size=100k,mode=755 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,release_agent=/run/cgmanager/agents/cgm-release-agent.memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices,release_agent=/run/cgmanager/agents/cgm-release-agent.devices 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio,release_agent=/run/cgmanager/agents/cgm-release-agent.blkio 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb 0 0
name=systemd /sys/fs/cgroup/systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
rpc_pipefs /run/rpc_pipefs rpc_pipefs rw,relatime 0 0
lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
gvfsd-fuse /run/user/1001/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1001,group_id=1001 0 0
Serge Hallyn
2017-05-09 19:35:28 UTC
After adding cpu to common-session, did you log back in? Actually I suspect that you did, since the remount error this time is about cpuset.

You could try two more things,

1. Set lxc.cgroup.use in your ~/.config/lxc/lxc.conf to 'freezer,name=systemd'

2. You could try installing cgroup-lite or cgroupfs-mount package, to make sure that /sys/fs/cgroup/controller is mounted for every controller you need. From your /proc/self/cgroup it doesn't look like they are, which could cause your problem. 


Serge E. Hallyn
2017-05-09 20:34:38 UTC
Hm, my last email (which I may have accidentally sent privately) was wrong,
/proc/$$/mounts shows cgroups in fact mounted at /sys/fs/cgroup.
Post by Ben Warren
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0
These are different from the rest,
Post by Ben Warren
cgmfs /run/cgmanager/fs tmpfs rw,relatime,size=100k,mode=755 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,release_agent=/run/cgmanager/agents/cgm-release-agent.memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices,release_agent=/run/cgmanager/agents/cgm-release-agent.devices 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio,release_agent=/run/cgmanager/agents/cgm-release-agent.blkio 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb 0 0
name=systemd /sys/fs/cgroup/systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
So something is pre-mounting these filesystems before cgmanager starts.
What mounted those? I thought I'd asked for this before, but I don't
see it in the thread - what does "dpkg -l | grep cgroup" show? In
particular I'm looking for cgroup-bin.
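The checks Serge is doing by eye in this thread (is every hierarchy the user's shell belongs to actually mounted, are some hierarchies mounted with different options than the rest, and is the user still in the root cgroup of a controller) can be scripted. The following is an added example, not LXC's code or either poster's; the sample inputs are constructed from the listings quoted above, and the "unlike the rest" heuristic (compare each hierarchy's option set, with release_agent reduced to presence, against the most common set) is an assumption of this example rather than anything LXC itself does.

```python
"""Cross-check /proc/self/cgroup against /proc/self/mounts on a cgroup v1 host.

Reports hierarchies that are not mounted at all, hierarchies mounted with
options unlike the majority (the cpuset/cpu mounts without cgmanager's
release_agent in this thread), and controllers where the caller is still in
the root cgroup, i.e. pam_cgfs delegated nothing at login, so an unprivileged
lxc-start has no writable cgroup to create its child in.
"""
from collections import Counter
from dataclasses import dataclass

# Controller names that can appear in cgroup v1 mount options; named
# hierarchies ("name=systemd") are recognised by prefix instead.
V1_CONTROLLERS = {
    "cpuset", "cpu", "cpuacct", "blkio", "memory", "devices", "freezer",
    "net_cls", "perf_event", "net_prio", "hugetlb", "pids", "rdma",
}

@dataclass
class CgroupMount:
    mountpoint: str
    controllers: frozenset  # {"cpu"}, {"cpu", "cpuacct"} or {"name=systemd"}
    options: frozenset      # remaining mount options, release_agent value dropped

def parse_proc_cgroup(text):
    """'hierarchy-id:controller[,controller]:path' lines -> {controller: path}."""
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _, subsystems, path = line.split(":", 2)
        for ctl in subsystems.split(","):
            membership[ctl] = path
    return membership

def parse_cgroup_mounts(text):
    """Keep only the fstype 'cgroup' rows of a /proc/<pid>/mounts listing."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cgroup":
            continue
        tokens = fields[3].split(",")
        controllers = frozenset(
            t for t in tokens if t in V1_CONTROLLERS or t.startswith("name="))
        # release_agent paths differ per controller, so compare presence only
        options = frozenset(
            "release_agent" if t.startswith("release_agent=") else t
            for t in tokens if t not in controllers)
        mounts.append(CgroupMount(fields[1], controllers, options))
    return mounts

def analyse(cgroup_text, mounts_text):
    """Return (controller, finding) pairs, ordered by controller name."""
    membership = parse_proc_cgroup(cgroup_text)
    mounts = parse_cgroup_mounts(mounts_text)
    # "Normal" is whatever option set most hierarchies were mounted with
    # (assumed heuristic: the odd ones out were mounted by something else).
    common = Counter(m.options for m in mounts).most_common(1)
    typical = common[0][0] if common else frozenset()
    findings = []
    for ctl, path in sorted(membership.items()):
        mount = next((m for m in mounts if ctl in m.controllers), None)
        if mount is None:
            findings.append((ctl, "not mounted anywhere in this mount namespace"))
            continue
        if path == "/":
            findings.append((ctl, "caller is in the root cgroup, nothing delegated by pam_cgfs"))
        if mount.options != typical:
            missing = ",".join(sorted(typical - mount.options)) or "-"
            extra = ",".join(sorted(mount.options - typical)) or "-"
            findings.append((ctl, f"{mount.mountpoint} mounted unlike the rest: "
                                  f"missing={missing} extra={extra}"))
    return findings

# Constructed sample, abbreviated from the listings quoted in this thread.
SAMPLE_CGROUP = """\
12:name=dsystemd:/
11:name=systemd:/user/1001.user/c2.session
5:memory:/user/1001.user/c2.session
4:cpuacct:/user/1001.user/c2.session
3:cpu:/user/1001.user/c2.session
2:cpuset:/
"""
SAMPLE_MOUNTS = """\
none /sys/fs/cgroup tmpfs rw,relatime,size=4k,mode=755 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,release_agent=/run/cgmanager/agents/cgm-release-agent.memory 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer 0 0
name=systemd /sys/fs/cgroup/systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
"""

if __name__ == "__main__":
    for ctl, finding in analyse(SAMPLE_CGROUP, SAMPLE_MOUNTS):
        print(f"{ctl:14} {finding}")
```

On a live host, feed it the real files with `analyse(open("/proc/self/cgroup").read(), open("/proc/self/mounts").read())` from the login shell that will run lxc-start, since that is the cgroup membership pam_cgfs set up.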
Ben Warren
2017-05-10 19:06:39 UTC
Post by Serge E. Hallyn
Hm, my last email (which I may have accidentally sent privately) was wrong,
/proc/$$/mounts shows cgroups in fact mounted at /sys/fs/cgroup.
Post by Ben Warren
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0
These are different from the rest,
That is strange. I started from scratch again and this time only cpuset is not owned by cgmanager.
Post by Serge E. Hallyn
Post by Ben Warren
cgmfs /run/cgmanager/fs tmpfs rw,relatime,size=100k,mode=755 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,release_agent=/run/cgmanager/agents/cgm-release-agent.memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices,release_agent=/run/cgmanager/agents/cgm-release-agent.devices 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio,release_agent=/run/cgmanager/agents/cgm-release-agent.blkio 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb 0 0
name=systemd /sys/fs/cgroup/systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
So something is pre-mounting these filesystems before cgmanager starts.
What mounted those? I thought I'd asked for this before, but I don't
see it in the thread - what does "dpkg -l | grep cgroup" show? In
particular I'm looking for cgroup-bin.
I don’t see that one. It looks like cgroup-lite is installed, and I guess is responsible for the initial cgroup mounting? How would you go about figuring out what process created the mounts?

***@ben-sc:/etc/init$ dpkg -l | grep cgroup
ii cgmanager 0.39-2ubuntu2~ubuntu14.04.1 amd64 Central cgroup manager daemon
ii cgroup-lite 1.11~ubuntu14.04.2 all Light-weight package to set up cgroups at system boot
ii libcgmanager-dev:amd64 0.39-2ubuntu2~ubuntu14.04.1 amd64 Central cgroup manager daemon (dev)
ii libcgmanager0:amd64 0.39-2ubuntu2~ubuntu14.04.1 amd64 Central cgroup manager daemon (client library)


It was installed as a prerequisite of lxc. BTW - I’ve switched to using LXD since it seems to make management much easier, but since it still uses the same ‘liblxc1’ library, I have the same problem.

***@ben-sc:~$ lxc launch ubuntu:14.04 u1
Creating u1
Starting u1
error: Error calling 'lxd forkstart u1 /var/lib/lxd/containers /var/log/lxd/u1/lxc.conf': err='exit status 1'
lxc 20170510185615.517 ERROR lxc_cgfsng - cgroups/cgfsng.c:do_secondstage_mounts_if_needed:1557 - Operation not permitted - Error remounting /usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/cpuset read-only
lxc 20170510185615.517 ERROR lxc_conf - conf.c:lxc_mount_auto_mounts:839 - Operation not permitted - error mounting /sys/fs/cgroup
lxc 20170510185615.517 ERROR lxc_conf - conf.c:lxc_setup:3885 - failed to setup the automatic mounts for 'u1'

# Before installing anything:

***@ben-sc:~$ cat /proc/$$/mounts | grep cgroup
none /sys/fs/cgroup tmpfs rw,relatime,size=4k,mode=755 0 0
systemd /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0

As with LXC, if I build from source and use the generated ‘liblxc.so.1’ file, containers start fine but it uses the cgmanager driver.
I wonder why the packaged one uses the ‘cgfsng’ driver, even when cgmanager is installed and running?

—Ben
