"cgroupfs failed to detect cgroup metadata"

I am trying to create and start Debian in a container under Sabayon Linux.
Kernel version is

uname -a

Linux sabayon.local 5.4.0-sabayon #1 SMP Wed Jan 22 18:17:45 UTC 2020 x86_64 Intel® Core™2 Quad CPU Q9650 @ 3.00GHz GenuineIntel GNU/Linux

The start command is
$ sudo lxc-start -n "anotherworld" --foreground --logfile=aw.log
$ cat aw.log
lxc-start anotherworld 20200315035414.724 ERROR lxc_cgfs - cgroups/cgfs.c:cgfs_init:2364 - cgroupfs failed to detect cgroup metadata
lxc-start anotherworld 20200315035414.724 ERROR lxc_start - start.c:lxc_spawn:1214 - Failed initializing cgroup support.
lxc-start anotherworld 20200315035414.724 ERROR lxc_start - start.c:__lxc_start:1459 - Failed to spawn container "anotherworld".
lxc-start anotherworld 20200315035415.228 ERROR lxc_start_ui - tools/lxc_start.c:main:371 - The container failed to start.

$ lxc-checkconfig

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points: 


Cgroup v2 mount points: 
/sys/fs/cgroup

Cgroup v1 systemd controller: /usr/bin/lxc-checkconfig: line 156: printf \033[1;31m: command not found

Cgroup v1 freezer controller: /usr/bin/lxc-checkconfig: line 163: printf \033[1;31m: command not found

Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_NF_NAT_IPV4: missing
CONFIG_NF_NAT_IPV6: missing
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

mount | grep cgroup

cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)

cat /proc/1/mountinfo | grep cgroup

28 20 0:23 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:8 - cgroup2 cgroup2 rw

cat /proc/self/cgroup

0::/user.slice/user-1000.slice/session-2.scope

I don’t want to use cgroup v1, or “unified” hierarchy.

What do I need to check and reconfigure to start that container?

The lxc version you use is ancient, as can be seen from the log output you posted. It mentions the cgfs cgroup driver. This driver does not support cgroup2 and was removed from our codebase several years ago. I’m afraid you need to find a recent version of LXC to make this work. I suggest waiting a week for the new LXC 4.0 release, which will have full support for cgroup2 (also called “unified” cgroup).


Now I am trying to start a privileged container,

lxc-start -n test2 --foreground --logpriority=debug --logfile=/root/logfile.txt

lxc-start: test2: cgroups/cgfsng.c: cgfsng_setup_limits_legacy: 2829 No such file or directory - Failed to set "devices.deny" to "a"
lxc-start: test2: start.c: lxc_spawn: 1788 Failed to setup legacy device cgroup controller limits
lxc-start: test2: start.c: __lxc_start: 1953 Failed to spawn container "test2"
lxc-start: test2: tools/lxc_start.c: main: 308 The container failed to start
lxc-start: test2: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options

uname -a

Linux localhost 5.4.28-gentoo-x86_64 #5 SMP Fri Apr 10 17:23:45 MSK 2020 x86_64 Intel® Core™2 Quad CPU Q9450 @ 2.66GHz GenuineIntel GNU/Linux

Version of lxc is 4.0.0_p9 (d8ccf906038e7ca3241e572192ffa59999adb923)

cat /root/logfile.txt

https://gist.githubusercontent.com/EinstokFair/6c5d4c53b0fae531a960bbb7205b596d/raw/87bb9e09731b592221981f7009a0d49deeb57a6d/gistfile1.txt

I am not sure that I built the kernel correctly.

# zcat /proc/config.gz | grep CONFIG_SECCOMP
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

systemctl --version

systemd 244 (244)
+PAM -AUDIT -SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL -XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Setting
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =
allows the container to run.

Now I am trying to understand that advice:


(about mounting in the second way), and to create an unprivileged container (the third way).
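
As an added example (not part of the thread and not LXC's own code): a shell check that reads a mountinfo file to tell whether the host is cgroup2-only, as in the `mount` output above, and lists the cgroup v1 `lxc.cgroup.*` keys in a container config, which on such a host have no `devices.allow`/`devices.deny` files to write to. The function names, the sample config and the ext4 mount line are constructed; `lxc.cgroup2.*` is the key prefix LXC 4.0 uses for the unified hierarchy.

```shell
#!/bin/sh
# Added example, not LXC code. Sample files below are constructed.

# cgroup_layout [FILE] -> prints unified | legacy | hybrid | none
cgroup_layout() {
    # Fields 1-6 are fixed, optional fields follow, then a lone "-" and the fs type.
    awk '{
            t = ""
            for (i = 7; i < NF; i++) if ($i == "-") { t = $(i + 1); break }
            if (t == "cgroup")  v1++
            if (t == "cgroup2") v2++
         }
         END {
            if (v1 && v2) print "hybrid"
            else if (v2)  print "unified"
            else if (v1)  print "legacy"
            else          print "none"
         }' "${1:-/proc/self/mountinfo}"
}

# legacy_cgroup_keys CONF -> prints each cgroup v1 key (lxc.cgroup.*) set in CONF.
# lxc.cgroup2.* keys do not match the pattern and are not reported.
legacy_cgroup_keys() {
    sed -n 's/^[[:space:]]*\(lxc\.cgroup\.[A-Za-z0-9_.]*\)[[:space:]]*=.*/\1/p' "$1"
}

# check_config MOUNTINFO CONF -> status 1 when a cgroup2-only host has v1 keys
check_config() {
    layout=$(cgroup_layout "$1")
    keys=$(legacy_cgroup_keys "$2")
    if [ "$layout" = unified ] && [ -n "$keys" ]; then
        printf 'cgroup2-only host, v1 keys present:\n%s\n' "$keys"
        return 1
    fi
    printf 'layout=%s, no conflicting keys\n' "$layout"
}

# Constructed sample input; the cgroup2 line is the one quoted in the thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/mountinfo" <<'EOF'
20 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
28 20 0:23 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:8 - cgroup2 cgroup2 rw
EOF
cat > "$SAMPLES/config" <<'EOF'
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup2.memory.max = 512M
EOF
check_config "$SAMPLES/mountinfo" "$SAMPLES/config" || true
```

Called without an argument, `cgroup_layout` reads `/proc/self/mountinfo` of the running host. Emptying `lxc.cgroup.devices.allow` and `lxc.cgroup.devices.deny` clears the device rules rather than translating them to cgroup2, so a privileged container started that way runs without device cgroup limits.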