Unable to boot unprivileged container
Robert Pendell
2014-05-03 16:18:07 UTC
Permalink
OS: Ubuntu 14.04 LTS x86_64
Kernel: Host-Supplied 3.14.1
Provider: Linode
Host Virtualization: Xen Paravirtualized
LXC Version: 1.0.3-0ubuntu3

When I attempt to boot an unprivileged container I get the error
"lxc_container: command get_cgroup failed to receive response". This
appears to be due to a missing cgroup; however, it is mounted and is using
cgmanager, as was recently changed (output seen later). For
troubleshooting I switched to the distribution-supplied kernel (the host
supports pv-grub) and it does the same thing. The host has apparmor
disabled, and when I was running the distribution kernel I verified
that apparmor was enabled and running, so in this case it made no
difference.

I was able to run a privileged container even with the host-supplied
kernel; however, this won't meet my individual requirements.

Any assistance will be greatly appreciated.

Debug output: http://pastebin.com/xLHmezLw

shinji at icarus:~$ mount
/dev/xvda on / type ext3 (rw,noatime,errors=remount-ro)
proc on /proc type proc (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
devtmpfs on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)

Robert Pendell
shinji at elite-systems.org
A perfect world is one of chaos.
Serge Hallyn
2014-05-05 12:50:27 UTC
Permalink
Please show us the contents of outfile after running
lxc-start -n <container> -l info -o outfile

and show us the container configuration file as well as /etc/subuid
and /etc/subgid.

-serge
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Robert Pendell
2014-05-05 13:23:43 UTC
Permalink
Here is the information as you requested.

lxc-start -n <container> -l info -o outfile
lxc-start 1399295274.692 INFO lxc_start_ui - using rcfile /home/shinji/.local/share/lxc/utest/config
lxc-start 1399295274.692 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1399295274.692 INFO lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start 1399295274.692 INFO lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start 1399295274.692 WARN lxc_log - lxc_log_init called with log already initialized
lxc-start 1399295274.692 INFO lxc_lsm - LSM security driver nop
lxc-start 1399295274.692 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1399295274.693 INFO lxc_conf - tty's configured
lxc-start 1399295275.060 INFO lxc_start - 'utest' is initialized
lxc-start 1399295275.072 INFO lxc_start - Cloning a new user namespace
lxc-start 1399295275.072 INFO lxc_cgroup - cgroup driver cgmanager initing for utest
lxc-start 1399295275.073 ERROR lxc_cgmanager - call to cgmanager_create_sync failed: invalid request
lxc-start 1399295275.073 ERROR lxc_cgmanager - Failed to create cpuset:utest
lxc-start 1399295275.073 ERROR lxc_cgmanager - Error creating cgroup cpuset:utest
lxc-start 1399295275.073 INFO lxc_cgmanager - cgroup removal attempt: cpuset:utest did not exist
lxc-start 1399295275.073 INFO lxc_cgmanager - cgroup removal attempt: debug:utest did not exist
lxc-start 1399295275.074 INFO lxc_cgmanager - cgroup removal attempt: cpu:utest did not exist
lxc-start 1399295275.074 INFO lxc_cgmanager - cgroup removal attempt: cpuacct:utest did not exist
lxc-start 1399295275.074 INFO lxc_cgmanager - cgroup removal attempt: devices:utest did not exist
lxc-start 1399295275.074 INFO lxc_cgmanager - cgroup removal attempt: freezer:utest did not exist
lxc-start 1399295275.074 INFO lxc_cgmanager - cgroup removal attempt: net_cls:utest did not exist
lxc-start 1399295275.074 INFO lxc_cgmanager - cgroup removal attempt: blkio:utest did not exist
lxc-start 1399295275.074 INFO lxc_cgmanager - cgroup removal attempt: perf_event:utest did not exist
lxc-start 1399295275.075 INFO lxc_cgmanager - cgroup removal attempt: net_prio:utest did not exist
lxc-start 1399295275.075 ERROR lxc_start - failed creating cgroups
lxc-start 1399295275.075 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1399295275.075 ERROR lxc_start - failed to spawn 'utest'
lxc-start 1399295275.075 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1399295275.075 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.


shinji at icarus:~$ cat ~/.local/share/lxc/utest/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# For additional config options, please look at lxc.conf(5)

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/shinji/.local/share/lxc/utest/rootfs
lxc.utsname = utest

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0

shinji at icarus:~$ cat /etc/subuid
shinji:100000:65536

shinji at icarus:~$ cat /etc/subgid
shinji:100000:65536
Robert Pendell
shinji at elite-systems.org
A perfect world is one of chaos.
Serge Hallyn
2014-05-05 16:25:10 UTC
Permalink
Post by Robert Pendell
Here is the information as you requested.
lxc-start -n <container> -l info -o outfile
lxc-start 1399295274.692 INFO lxc_start_ui - using rcfile
/home/shinji/.local/share/lxc/utest/config
lxc-start 1399295274.692 INFO lxc_utils - XDG_RUNTIME_DIR
isn't set in the environment.
type u nsid 0 hostid 100000 range 65536
type g nsid 0 hostid 100000 range 65536
lxc-start 1399295274.692 WARN lxc_log - lxc_log_init called
with log already initialized
lxc-start 1399295274.692 INFO lxc_lsm - LSM security driver nop
lxc-start 1399295274.692 INFO lxc_utils - XDG_RUNTIME_DIR
isn't set in the environment.
lxc-start 1399295274.693 INFO lxc_conf - tty's configured
lxc-start 1399295275.060 INFO lxc_start - 'utest' is initialized
lxc-start 1399295275.072 INFO lxc_start - Cloning a new user namespace
lxc-start 1399295275.072 INFO lxc_cgroup - cgroup driver
cgmanager initing for utest
lxc-start 1399295275.073 ERROR lxc_cgmanager - call to
cgmanager_create_sync failed: invalid request
lxc-start 1399295275.073 ERROR lxc_cgmanager - Failed to
create cpuset:utest
Thanks - so the problem is here. Chances are you are not in a cgroup
that you own. The easiest way to fix this is

sudo cgm create all shinji
sudo cgm chown all shinji $(id -u) $(id -g)
cgm movepid all shinji $$

Now the lxc-start should work (or at least go on to the next problem)

-serge
Robert Pendell
2014-05-05 16:42:30 UTC
Permalink
Ok. So I had determined that before (I didn't realize it until after
I sent the message); however, I had found a different way of handling
it. Yours is more elegant. Now then to the 2nd issue.

This doesn't persist between server reboots or login sessions. Is
there supposed to be a script that runs that makes this persistent or
does one have to move themselves manually whenever they want to run
unprivileged containers?
Serge Hallyn
2014-05-05 18:14:13 UTC
Permalink
logind should be putting you into a cgroup that you own when you log
in. I think it's the libpam-systemd package which provides that.

-serge
Robert Pendell
2014-05-05 18:45:20 UTC
Permalink
Wow! Thanks a lot. You have been a great help. I mentioned my
provider up front earlier because I thought there might be missing
packages and I was hoping I would get that eventually, and you just
gave me the missing link. Doing that made great progress. Now, after
doing so, new sessions seem to update the cgroup that I'm sitting in;
however, it isn't doing it fully.

When attempting to start I still get an error but it is later on (an
issue I had before once I figured out it was the cgroup scope at
issue).

shinji at icarus:/etc/systemd$ lxc-start -n utest
lxc_container: call to cgmanager_create_sync failed: invalid request
lxc_container: Failed to create debug:utest
lxc_container: Error creating cgroup debug:utest
lxc_container: failed creating cgroups
lxc_container: failed to spawn 'utest'

I'm not even sure where "debug" cgroup is coming from but I suspect it
is due to the way the host is compiling the kernel?

This is how my /proc/self/cgroup looks after server reboot and relogin.

shinji at icarus:/etc/systemd$ cat /proc/self/cgroup
12:net_prio:/
11:perf_event:/user/1000.user/1.session
10:blkio:/user/1000.user/1.session
9:net_cls:/
8:freezer:/user/1000.user/1.session
7:devices:/user/1000.user/1.session
6:cpuacct:/user/1000.user/1.session
5:cpu:/user/1000.user/1.session
4:debug:/
3:cpuset:/user/1000.user/1.session
2:name=systemd:/user/1000.user/1.session

I checked the Controllers setting in /etc/systemd/logind.conf and it
is lacking debug, net_cls, and net_prio listed above. Would it be
sufficient to add those 3 to that conf file and relogin?
Serge Hallyn
2014-05-05 18:49:37 UTC
Permalink
Yup, that should be the correct solution.
Robert Pendell
2014-05-05 18:58:42 UTC
Permalink
Once again, thank you very much for your great assistance. I'm going
to post this on the Linode forums for others to see as well so that
they are aware.

Basically for Linode users it is the following for them (on
unprivileged containers)

1) Ensure either using PV-Grub with latest distribution kernel _or_
using most recent host-provided kernel (They officially support Docker
and LXC by inheritance)
2) Install the base LXC package
3) (at least on Ubuntu 14.04) install libpam-systemd
4) Update /etc/systemd/logind.conf and append "debug net_cls net_prio"
to the end of the Controllers setting.

Of course if they don't need or want unprivileged containers then it
is sufficient to just stop at step 2 since there is sufficient support
otherwise.

:)
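The check Serge describes (the calling process must sit in a cgroup it owns under every controller, otherwise cgmanager rejects the create with "invalid request") and the fix Robert lands on (adding the controllers that still show "/" in /proc/self/cgroup to the Controllers= line of /etc/systemd/logind.conf) can be scripted. The following is an added example written for this page; it is not code from the thread, from LXC or from cgmanager. It parses the cgroup v1 format of /proc/self/cgroup shown above, lists the controllers under which the process is still in the root cgroup, diffs them against a logind.conf Controllers= line and prints the patched line. The sample /proc/self/cgroup is Robert's output copied from the thread; the sample logind.conf contents, the function names and the --live flag are constructed for the example (the thread only says the real file lacked debug, net_cls and net_prio).

```python
"""Find which cgroup controllers still leave a login session in the root
cgroup, and which of them are missing from logind's Controllers= line.

Added example for this thread; not code from the lxc-users list, LXC or
cgmanager. Assumes the cgroup v1 format of /proc/self/cgroup shown in the
thread ("hierarchy-id:controllers:path", one line per hierarchy) and a
logind.conf with at most one active Controllers= line.
"""
import re
import sys

# Sample taken from the thread: Robert's /proc/self/cgroup after
# libpam-systemd was installed. net_prio, net_cls and debug still sit at "/".
SAMPLE_PROC_CGROUP = """\
12:net_prio:/
11:perf_event:/user/1000.user/1.session
10:blkio:/user/1000.user/1.session
9:net_cls:/
8:freezer:/user/1000.user/1.session
7:devices:/user/1000.user/1.session
6:cpuacct:/user/1000.user/1.session
5:cpu:/user/1000.user/1.session
4:debug:/
3:cpuset:/user/1000.user/1.session
2:name=systemd:/user/1000.user/1.session
"""

# Constructed sample logind.conf fragment. The thread only says the real file
# lacked debug, net_cls and net_prio; this controller list is hypothetical,
# not the Ubuntu 14.04 default.
SAMPLE_LOGIND_CONF = """\
[Login]
#KillUserProcesses=no
Controllers=cpu cpuacct cpuset blkio devices freezer perf_event
"""


def parse_proc_cgroup(text):
    """Map controller name -> cgroup path from /proc/self/cgroup (v1 layout).

    One hierarchy line may carry several comma-separated controllers
    ("3:cpu,cpuacct:/..."). A cgroup v2 line ("0::/...") has an empty
    controller list and is skipped, since this check is v1-specific.
    """
    cgroups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _hier_id, controllers, path = line.split(":", 2)
        for ctrl in controllers.split(","):
            if ctrl:
                cgroups[ctrl] = path
    return cgroups


def controllers_at_root(cgroups):
    """Controllers under which the process is still in "/".

    An unprivileged user owns no part of the root cgroup, so cgmanager
    refuses to create a child there: that is the "invalid request" on cpuset
    (before logind placed the session) and on debug (after) in the thread.
    name=systemd is logind's own hierarchy, not a kernel controller.
    """
    return sorted(c for c, path in cgroups.items()
                  if path == "/" and not c.startswith("name="))


def parse_controllers_line(conf_text):
    """Controllers named on an active (uncommented) Controllers= line."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*Controllers\s*=\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return []


def missing_controllers(cgroups, conf_text):
    """Root-level controllers not yet listed in Controllers=."""
    listed = set(parse_controllers_line(conf_text))
    return [c for c in controllers_at_root(cgroups) if c not in listed]


def patched_logind_conf(conf_text, extra):
    """Return conf_text with `extra` appended to the Controllers= line.

    Without an active Controllers= line one is appended at the end, which
    assumes [Login] is the only section (true for logind.conf).
    """
    if not extra:
        return conf_text
    new_line = "Controllers=" + " ".join(parse_controllers_line(conf_text) + list(extra))
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"\s*Controllers\s*=", line):
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/self/cgroup") as f:
            proc_text = f.read()
        with open("/etc/systemd/logind.conf") as f:
            conf_text = f.read()
    else:
        proc_text, conf_text = SAMPLE_PROC_CGROUP, SAMPLE_LOGIND_CONF
    cgroups = parse_proc_cgroup(proc_text)
    missing = missing_controllers(cgroups, conf_text)
    print("controllers still at /:", " ".join(controllers_at_root(cgroups)))
    print("add to Controllers=:", " ".join(missing))
    print(patched_logind_conf(conf_text, missing), end="")
```

Run without arguments it works on the sample data and reports debug, net_cls and net_prio; with --live it reads the real /proc/self/cgroup and /etc/systemd/logind.conf. It prints the patched file rather than writing it, so editing logind.conf and logging in again stay manual steps. On a cgroup v2 host the single "0::" line carries no controller list and the script reports nothing, because the cgmanager/Controllers= mechanism in this thread belongs to cgroup v1.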
