LXC Container failed to start. Ubuntu 18.4 LTS

AliBaghernejad · October 30, 2018, 9:27pm

Hi all,
I want to create a new container, depend of the linuxcontainers documentation.
The creation of container is OK but it not start successfully.

lxc-start: mycontainer: lxccontainer.c: wait_on_daemonized_start: 840 Received container state “ABORTING” instead of “RUNNING”
lxc-start: mycontainer: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: mycontainer: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
lxc-start: mycontainer: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

here is the trace log file:
https://pastebin.ubuntu.com/p/v9x83F98mx/

Kernel Info:
Linux ali 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

lxc version:
3.0.2

container type:
unprivileged container

Thanks,
Ali Baghernejad

stgraber · October 30, 2018, 9:49pm

@brauner ideas?

brauner · October 30, 2018, 9:58pm

That is an odd error:

lxc-start mycontainer 20181030212307.213 ERROR    utils - utils.c:safe_mount:1130 - Permission denied - Failed to mount /dev/full onto /dev/full
lxc-start mycontainer 20181030212307.213 ERROR    conf - conf.c:lxc_fill_autodev:1289 - Permission denied - Failed to bind mount host device node "/dev/full" onto "/dev/full"

What does dmesg show when you try to start the container. Smells like AppArmor.

AliBaghernejad · October 31, 2018, 6:14pm

Here is the result of dmesg command after a failed try:
https://pastebin.ubuntu.com/p/GbrWpZnFTK/

brauner · October 31, 2018, 8:54pm

Yeah, somehow your AppArmor configuration is preventing you from accessing /dev/full:

[11073.418388] audit: type=1400 audit(1541009178.089:154): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/dev/full" pid=16683 comm="lxc-start" srcname="/dev/full" flags="rw, bind"

@stgraber any ideas why this can happen?

stgraber · October 31, 2018, 9:16pm

Well, looks like LXC is trying to bind-mount /dev/full onto itself at /dev/full rather than onto the container’s /dev at /usr/lib/…/lxc/rootfs/dev/full

So I think the denial is correct here, the question is why is LXC attempting to overmount the host’s /dev/full.

AliBaghernejad · November 1, 2018, 8:50am

@brauner
@stgraber
Let me know if I can send some useful data that help us to catch the issue.
Any documentation that shows me the underhood of the starting process of an LXC Container? (Mount /dev/full for example)