/proc/sys/net mount fails and remains read only

I’ve run into a strange issue where /proc/sys/net doesn’t get mounted writable in an unprivileged LXC container. I think the corresponding error in the container log is:

lxc_utils - utils.c:safe_mount:1707 - No such file or directory - Failed to mount /usr/lib/lxc/rootfs/proc/tty onto /usr/lib/lxc/rootfs/proc/sys/net

The strange thing is that the problem does not occur on LXC 4.0 with nearly the same config.

My config is pretty standard and looks as follows:

# common config
lxc.include = /usr/share/lxc/config/common.conf
# userns.conf is copied from LXC version 4.0
lxc.include = /usr/share/lxc/config/userns.conf.new

lxc.log.level = 0

# other rootfs
lxc.rootfs.path = dir:/cont/openwrt_19.02_fritz4040_00

# unprivileged uid/gid mapping
lxc.idmap = u 0 65536 65536
lxc.idmap = g 0 65536 65536

# hostname + network
lxc.uts.name = openwrt_t00
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br-lan
lxc.net.0.hwaddr = 4a:49:43:49:79:b9
# lxc.net.0.ipv4.address = 192.168.1.102/24
# lxc.net.0.ipv4.gateway = 192.168.1.1

The copied userns config ( /usr/share/lxc/config/userns.conf.new ) looks as follows:

# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =

# Start with a full set of capabilities in user namespaces.
lxc.cap.drop =
lxc.cap.keep =

# We can't move bind-mounts, so don't use /dev/lxc/
lxc.tty.dir =

# Setup the default mounts
lxc.mount.auto = sys:rw

The mount points in the running container are these:

root@openwrt_t00:/# cat /proc/self/mounts
/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
none /dev tmpfs rw,relatime,size=492k,mode=755,uid=65536,gid=65536 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /dev/null tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/zero tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/full tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/urandom tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/random tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/tty tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
devpts /dev/console devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/ptmx devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty1 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty2 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty3 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty4 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty5 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty6 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime,uid=65536,gid=65536 0 0

The Host is an Openwrt System:

$ uname -a
Linux OpenWrt 4.14.171 [..]

$ root@OpenWrt:/srv/lxc/openwrt-19.02_00# lxc-start --version
2.1.1

$ root@OpenWrt:/srv/lxc/openwrt-19.02_00# lxc-checkconfig                                                                               
--- Namespaces ---                                                                                                                    
Namespaces: enabled                                                                                                                   
Utsname namespace: enabled                                                                                                            
Ipc namespace: enabled                                                                                                                
Pid namespace: enabled                                                                                                                
User namespace: enabled                                                                                                               
Network namespace: enabled                                                                                                            
                                                                                                                                      
--- Control groups ---                                                                                                                
Cgroups: enabled                                                                                                                      
                                                                                                                                      
Cgroup v1 mount points:                                                                                                               
/sys/fs/cgroup

Cgroup v2 mount points: 


Cgroup v1 systemd controller: /usr/bin/lxc-checkconfig: line 167: printf \033[1;31m: not found

Cgroup v1 freezer controller: /usr/bin/lxc-checkconfig: line 174: printf \033[1;31m: not found

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: missing
CONFIG_FHANDLE: missing
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: missing
CONFIG_PACKET_DIAG: missing
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled

The full error Log:

      lxc-start openwrt-19.02_00 20200522221131.136 TRACE    lxc_commands - commands.c:lxc_cmd:290 - command get_init_pid tries to connect command socket
      lxc-start openwrt-19.02_00 20200522221131.166 TRACE    lxc_commands - commands.c:lxc_cmd:295 - command get_init_pid failed to connect command socket: Connection refused
      lxc-start openwrt-19.02_00 20200522221131.206 TRACE    lxc_commands - commands.c:lxc_cmd:290 - command get_cgroup tries to connect command socket
      lxc-start openwrt-19.02_00 20200522221131.239 TRACE    lxc_commands - commands.c:lxc_cmd:295 - command get_cgroup failed to connect command socket: Connection refused
      lxc-start openwrt-19.02_00 20200522221131.273 TRACE    lxc_commands - commands.c:lxc_cmd_get_cgroup_path:440 - command get_cgroup failed for container "openwrt-19.02_00": Connection refused.
      lxc-start openwrt-19.02_00 20200522221131.315 TRACE    lxc_commands - commands.c:lxc_cmd:290 - command get_state tries to connect command socket
      lxc-start openwrt-19.02_00 20200522221131.346 TRACE    lxc_commands - commands.c:lxc_cmd:295 - command get_state failed to connect command socket: Connection refused
      lxc-start openwrt-19.02_00 20200522221131.379 TRACE    lxc_start - start.c:lxc_init_handler:592 - unix domain socket 4 for command server is ready
      lxc-start openwrt-19.02_00 20200522221131.412 TRACE    lxc_start - start.c:lxc_init:607 - initialized LSM
      lxc-start openwrt-19.02_00 20200522221131.444 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
      lxc-start openwrt-19.02_00 20200522221131.473 INFO     lxc_seccomp - seccomp.c:parse_config_v2:594 - Adding native rule for reject_force_umount action 0(kill).
      lxc-start openwrt-19.02_00 20200522221131.505 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:276 - Setting Seccomp rule to reject force umounts.
      lxc-start openwrt-19.02_00 20200522221131.535 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .[all].
      lxc-start openwrt-19.02_00 20200522221131.562 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .kexec_load errno 1.
      lxc-start openwrt-19.02_00 20200522221131.590 INFO     lxc_seccomp - seccomp.c:parse_config_v2:594 - Adding native rule for kexec_load action 327681(errno).
      lxc-start openwrt-19.02_00 20200522221131.621 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .open_by_handle_at errno 1.
      lxc-start openwrt-19.02_00 20200522221131.651 INFO     lxc_seccomp - seccomp.c:parse_config_v2:594 - Adding native rule for open_by_handle_at action 327681(errno).
      lxc-start openwrt-19.02_00 20200522221131.679 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .init_module errno 1.
      lxc-start openwrt-19.02_00 20200522221131.708 INFO     lxc_seccomp - seccomp.c:parse_config_v2:594 - Adding native rule for init_module action 327681(errno).
      lxc-start openwrt-19.02_00 20200522221131.739 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .finit_module errno 1.
      lxc-start openwrt-19.02_00 20200522221131.768 INFO     lxc_seccomp - seccomp.c:parse_config_v2:594 - Adding native rule for finit_module action 327681(errno).
      lxc-start openwrt-19.02_00 20200522221131.798 INFO     lxc_seccomp - seccomp.c:parse_config_v2:435 - processing: .delete_module errno 1.
      lxc-start openwrt-19.02_00 20200522221131.826 INFO     lxc_seccomp - seccomp.c:parse_config_v2:594 - Adding native rule for delete_module action 327681(errno).
      lxc-start openwrt-19.02_00 20200522221131.858 TRACE    lxc_start - start.c:lxc_init:613 - read seccomp policy
      lxc-start openwrt-19.02_00 20200522221131.888 TRACE    lxc_start - start.c:lxc_serve_state_clients:373 - set container state to STARTING
      lxc-start openwrt-19.02_00 20200522221131.916 TRACE    lxc_start - start.c:lxc_serve_state_clients:376 - no state clients registered
      lxc-start openwrt-19.02_00 20200522221131.946 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start openwrt-19.02_00 20200522221131.114 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start openwrt-19.02_00 20200522221131.117 TRACE    lxc_start - start.c:lxc_init:620 - set container state to "STARTING"
      lxc-start openwrt-19.02_00 20200522221131.119 TRACE    lxc_start - start.c:lxc_init:648 - set environment variables
      lxc-start openwrt-19.02_00 20200522221131.122 TRACE    lxc_start - start.c:lxc_init:654 - ran pre-start hooks
      lxc-start openwrt-19.02_00 20200522221131.125 DEBUG    lxc_start - start.c:setup_signal_fd:301 - Set SIGCHLD handler with file descriptor: 5.
      lxc-start openwrt-19.02_00 20200522221131.128 TRACE    lxc_start - start.c:lxc_init:665 - set up signal fd
      lxc-start openwrt-19.02_00 20200522221131.131 DEBUG    console - console.c:lxc_console_peer_default:459 - using "/dev/tty" as peer tty device
      lxc-start openwrt-19.02_00 20200522221131.134 DEBUG    console - console.c:lxc_console_sigwinch_init:151 - process 11648 created signal fd 9 to handle SIGWINCH events
      lxc-start openwrt-19.02_00 20200522221131.137 DEBUG    console - console.c:lxc_console_winsz:71 - set winsz dstfd:6 cols:134 rows:34
      lxc-start openwrt-19.02_00 20200522221131.140 TRACE    lxc_start - start.c:lxc_init:672 - created console
      lxc-start openwrt-19.02_00 20200522221131.142 TRACE    lxc_conf - conf.c:lxc_ttys_shift_ids:2975 - chowned console "/dev/pts/10"
      lxc-start openwrt-19.02_00 20200522221131.145 TRACE    lxc_start - start.c:lxc_init:678 - shifted tty ids
      lxc-start openwrt-19.02_00 20200522221131.148 INFO     lxc_start - start.c:lxc_init:680 - container "openwrt-19.02_00" is initialized
      lxc-start openwrt-19.02_00 20200522221131.151 DEBUG    storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir"
      lxc-start openwrt-19.02_00 20200522221131.158 INFO     lxc_network - network.c:instantiate_veth:171 - Retrieved mtu 1500 from br-lan
      lxc-start openwrt-19.02_00 20200522221131.173 INFO     lxc_network - network.c:instantiate_veth:197 - Attached "vethPEOKB2" to bridge "br-lan"
      lxc-start openwrt-19.02_00 20200522221131.178 DEBUG    lxc_network - network.c:instantiate_veth:214 - Instantiated veth "vethPEOKB2/veth9FLUH6", index is "107"
      lxc-start openwrt-19.02_00 20200522221131.185 INFO     lxc_cgroup - cgroups/cgroup.c:cgroup_init:67 - cgroup driver cgroupfs initing for openwrt-19.02_00
      lxc-start openwrt-19.02_00 20200522221131.193 INFO     lxc_start - start.c:lxc_spawn:1259 - Cloned CLONE_NEWUSER.
      lxc-start openwrt-19.02_00 20200522221131.197 INFO     lxc_start - start.c:lxc_spawn:1259 - Cloned CLONE_NEWNS.
      lxc-start openwrt-19.02_00 20200522221131.200 INFO     lxc_start - start.c:lxc_spawn:1259 - Cloned CLONE_NEWPID.
      lxc-start openwrt-19.02_00 20200522221131.203 INFO     lxc_start - start.c:lxc_spawn:1259 - Cloned CLONE_NEWUTS.
      lxc-start openwrt-19.02_00 20200522221131.207 INFO     lxc_start - start.c:lxc_spawn:1259 - Cloned CLONE_NEWIPC.
      lxc-start openwrt-19.02_00 20200522221131.211 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2601 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start openwrt-19.02_00 20200522221131.215 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2601 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start openwrt-19.02_00 20200522221131.219 DEBUG    lxc_conf - conf.c:lxc_map_ids:2689 - Functional newuidmap and newgidmap binary found.
      lxc-start openwrt-19.02_00 20200522221131.231 TRACE    lxc_conf - conf.c:lxc_map_ids:2745 - newuidmap wrote mapping "newuidmap 11661 0 65536 65536"
      lxc-start openwrt-19.02_00 20200522221131.241 TRACE    lxc_conf - conf.c:lxc_map_ids:2745 - newgidmap wrote mapping "newgidmap 11661 0 65536 65536"
      lxc-start openwrt-19.02_00 20200522221131.248 INFO     lxc_start - start.c:do_start:848 - Unshared CLONE_NEWNET.
      lxc-start openwrt-19.02_00 20200522221131.272 TRACE    lxc_conf - conf.c:userns_exec_1:3822 - establishing uid mapping for "11688" in new user namespace: nsuid 0 - hostid 65536 - range 65536
      lxc-start openwrt-19.02_00 20200522221131.276 TRACE    lxc_conf - conf.c:userns_exec_1:3822 - establishing uid mapping for "11688" in new user namespace: nsuid 65536 - hostid 0 - range 1
      lxc-start openwrt-19.02_00 20200522221131.282 TRACE    lxc_conf - conf.c:userns_exec_1:3822 - establishing gid mapping for "11688" in new user namespace: nsuid 0 - hostid 65536 - range 65536
      lxc-start openwrt-19.02_00 20200522221131.287 TRACE    lxc_conf - conf.c:userns_exec_1:3822 - establishing gid mapping for "11688" in new user namespace: nsuid 65536 - hostid 0 - range 1
      lxc-start openwrt-19.02_00 20200522221131.292 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2601 - The binary "/usr/bin/newuidmap" does have the setuid bit set.
      lxc-start openwrt-19.02_00 20200522221131.296 DEBUG    lxc_conf - conf.c:idmaptool_on_path_and_privileged:2601 - The binary "/usr/bin/newgidmap" does have the setuid bit set.
      lxc-start openwrt-19.02_00 20200522221131.300 DEBUG    lxc_conf - conf.c:lxc_map_ids:2689 - Functional newuidmap and newgidmap binary found.
      lxc-start openwrt-19.02_00 20200522221131.310 TRACE    lxc_conf - conf.c:lxc_map_ids:2745 - newuidmap wrote mapping "newuidmap 11688 0 65536 65536 65536 0 1"
      lxc-start openwrt-19.02_00 20200522221131.324 TRACE    lxc_conf - conf.c:lxc_map_ids:2745 - newgidmap wrote mapping "newgidmap 11688 0 65536 65536 65536 0 1"
      lxc-start openwrt-19.02_00 20200522221131.327 TRACE    lxc_conf - conf.c:run_userns_fn:3582 - calling function "chown_cgroup_wrapper"
      lxc-start openwrt-19.02_00 20200522221131.389 DEBUG    lxc_network - network.c:lxc_network_move_created_netdev_priv:2445 - Moved network device "veth9FLUH6"/"(null)" to network namespace of 11661
      lxc-start openwrt-19.02_00 20200522221131.393 NOTICE   lxc_utils - utils.c:lxc_switch_uid_gid:2073 - Switched to gid 0.
      lxc-start openwrt-19.02_00 20200522221131.398 NOTICE   lxc_utils - utils.c:lxc_switch_uid_gid:2079 - Switched to uid 0.
      lxc-start openwrt-19.02_00 20200522221131.401 NOTICE   lxc_utils - utils.c:lxc_setgroups:2091 - Dropped additional groups.
      lxc-start openwrt-19.02_00 20200522221131.406 INFO     lxc_start - start.c:do_start:925 - Unshared CLONE_NEWCGROUP.
      lxc-start openwrt-19.02_00 20200522221131.410 DEBUG    storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir"
      lxc-start openwrt-19.02_00 20200522221131.414 TRACE    dir - storage/dir.c:dir_mount:184 - Mounted "/cont/openwrt_19.02_fritz4040_00" on "/usr/lib/lxc/rootfs"
      lxc-start openwrt-19.02_00 20200522221131.418 DEBUG    lxc_conf - conf.c:lxc_setup_rootfs:1320 - Mounted rootfs "dir:/cont/openwrt_19.02_fritz4040_00" onto "/usr/lib/lxc/rootfs" with options "(null)".
      lxc-start openwrt-19.02_00 20200522221131.421 INFO     lxc_conf - conf.c:setup_utsname:769 - 'openwrt_t00' hostname has been setup
      lxc-start openwrt-19.02_00 20200522221131.498 DEBUG    lxc_network - network.c:setup_hw_addr:2711 - Mac address "4a:49:43:49:79:b9" on "eth0" has been setup
      lxc-start openwrt-19.02_00 20200522221131.527 DEBUG    lxc_network - network.c:lxc_setup_netdev_in_child_namespaces:2969 - Network device "eth0" has been setup
      lxc-start openwrt-19.02_00 20200522221131.533 INFO     lxc_network - network.c:lxc_setup_network_in_child_namespaces:2997 - network has been setup
      lxc-start openwrt-19.02_00 20200522221131.538 TRACE    lxc_network - network.c:lxc_network_send_name_and_ifindex_to_parent:3078 - Sent network device names and ifindeces to parent
      lxc-start openwrt-19.02_00 20200522221131.542 INFO     lxc_conf - conf.c:mount_autodev:1150 - Preparing "/dev"
      lxc-start openwrt-19.02_00 20200522221131.546 INFO     lxc_conf - conf.c:mount_autodev:1172 - Mounted tmpfs on "/usr/lib/lxc/rootfs/dev"
      lxc-start openwrt-19.02_00 20200522221131.572 INFO     lxc_conf - conf.c:mount_autodev:1189 - Prepared "/dev"
      lxc-start openwrt-19.02_00 20200522221131.576 INFO     lxc_conf - conf.c:lxc_mount_auto_mounts:709 - Mount source or target for /usr/lib/lxc/rootfs/proc/sys/net on /usr/lib/lxc/rootfs/proc/tty doesn't exist. Skipping.
      lxc-start openwrt-19.02_00 20200522221131.580 ERROR    lxc_utils - utils.c:safe_mount:1707 - No such file or directory - Failed to mount /usr/lib/lxc/rootfs/proc/tty onto /usr/lib/lxc/rootfs/proc/sys/net
      lxc-start openwrt-19.02_00 20200522221131.584 INFO     lxc_conf - conf.c:lxc_mount_auto_mounts:709 - Mount source or target for /usr/lib/lxc/rootfs/proc/tty on /usr/lib/lxc/rootfs/proc/sys/net doesn't exist. Skipping.
      lxc-start openwrt-19.02_00 20200522221131.589 TRACE    lxc_conf - conf.c:make_anonymous_mount_file:2257 - Created anonymous mount file
      lxc-start openwrt-19.02_00 20200522221131.593 INFO     lxc_conf - conf.c:mount_entry:1851 - Failed to mount "/sys/fs/fuse/connections" on "/usr/lib/lxc/rootfs/sys/fs/fuse/connections" (optional): No such file or directory
      lxc-start openwrt-19.02_00 20200522221131.597 INFO     lxc_conf - conf.c:mount_file_entries:2213 - Set up mount entries
      lxc-start openwrt-19.02_00 20200522221131.600 INFO     lxc_conf - conf.c:lxc_fill_autodev:1225 - Populating "/dev"
      lxc-start openwrt-19.02_00 20200522221131.604 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1269 - Bind mounted "/dev/null" onto "/usr/lib/lxc/rootfs/dev/null"
      lxc-start openwrt-19.02_00 20200522221131.607 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1269 - Bind mounted "/dev/zero" onto "/usr/lib/lxc/rootfs/dev/zero"
      lxc-start openwrt-19.02_00 20200522221131.611 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1269 - Bind mounted "/dev/full" onto "/usr/lib/lxc/rootfs/dev/full"
      lxc-start openwrt-19.02_00 20200522221131.614 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1269 - Bind mounted "/dev/urandom" onto "/usr/lib/lxc/rootfs/dev/urandom"
      lxc-start openwrt-19.02_00 20200522221131.618 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1269 - Bind mounted "/dev/random" onto "/usr/lib/lxc/rootfs/dev/random"
      lxc-start openwrt-19.02_00 20200522221131.621 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1269 - Bind mounted "/dev/tty" onto "/usr/lib/lxc/rootfs/dev/tty"
      lxc-start openwrt-19.02_00 20200522221131.624 INFO     lxc_conf - conf.c:lxc_fill_autodev:1276 - Populated "/dev"
      lxc-start openwrt-19.02_00 20200522221131.628 DEBUG    lxc_conf - conf.c:lxc_setup_dev_console:1604 - mounted pts device "/dev/pts/10" onto "/usr/lib/lxc/rootfs/dev/console"
      lxc-start openwrt-19.02_00 20200522221131.631 INFO     lxc_utils - utils.c:lxc_mount_proc_if_needed:1758 - I am 1, /proc/self points to "1"
      lxc-start openwrt-19.02_00 20200522221131.679 DEBUG    lxc_conf - conf.c:setup_rootfs_pivot_root:1128 - pivot_root syscall to '/usr/lib/lxc/rootfs' successful
      lxc-start openwrt-19.02_00 20200522221131.692 DEBUG    lxc_conf - conf.c:setup_pivot_root:1437 - finished pivot root
      lxc-start openwrt-19.02_00 20200522221131.696 DEBUG    lxc_conf - conf.c:lxc_setup_devpts:1482 - mount new devpts instance with options "newinstance,ptmxmode=0666,mode=0620,gid=5,max=1024"
      lxc-start openwrt-19.02_00 20200522221131.701 DEBUG    lxc_conf - conf.c:lxc_setup_devpts:1502 - created dummy "/dev/ptmx" file as bind mount target
      lxc-start openwrt-19.02_00 20200522221131.705 DEBUG    lxc_conf - conf.c:lxc_setup_devpts:1507 - bind mounted "/dev/pts/ptmx" to "/dev/ptmx"
      lxc-start openwrt-19.02_00 20200522221131.709 DEBUG    lxc_conf - conf.c:lxc_allocate_ttys:965 - allocated pty "/dev/pts/0" with master fd 11 and slave fd 14
      lxc-start openwrt-19.02_00 20200522221131.713 DEBUG    lxc_conf - conf.c:lxc_allocate_ttys:965 - allocated pty "/dev/pts/1" with master fd 15 and slave fd 16
      lxc-start openwrt-19.02_00 20200522221131.716 DEBUG    lxc_conf - conf.c:lxc_allocate_ttys:965 - allocated pty "/dev/pts/2" with master fd 17 and slave fd 18
      lxc-start openwrt-19.02_00 20200522221131.735 DEBUG    lxc_conf - conf.c:lxc_allocate_ttys:965 - allocated pty "/dev/pts/3" with master fd 19 and slave fd 20
      lxc-start openwrt-19.02_00 20200522221131.739 DEBUG    lxc_conf - conf.c:lxc_allocate_ttys:965 - allocated pty "/dev/pts/4" with master fd 21 and slave fd 22
      lxc-start openwrt-19.02_00 20200522221131.742 DEBUG    lxc_conf - conf.c:lxc_allocate_ttys:965 - allocated pty "/dev/pts/5" with master fd 23 and slave fd 24
      lxc-start openwrt-19.02_00 20200522221131.745 INFO     lxc_conf - conf.c:lxc_allocate_ttys:985 - finished allocating 6 pts devices
      lxc-start openwrt-19.02_00 20200522221131.748 TRACE    lxc_conf - conf.c:lxc_send_ttys_to_parent:1028 - Send pty "/dev/pts/0" with master fd 11 and slave fd 14 to parent
      lxc-start openwrt-19.02_00 20200522221131.752 TRACE    lxc_conf - conf.c:lxc_send_ttys_to_parent:1028 - Send pty "/dev/pts/1" with master fd 15 and slave fd 16 to parent
      lxc-start openwrt-19.02_00 20200522221131.756 TRACE    lxc_conf - conf.c:lxc_send_ttys_to_parent:1028 - Send pty "/dev/pts/2" with master fd 17 and slave fd 18 to parent
      lxc-start openwrt-19.02_00 20200522221131.761 TRACE    lxc_conf - conf.c:lxc_send_ttys_to_parent:1028 - Send pty "/dev/pts/3" with master fd 19 and slave fd 20 to parent
      lxc-start openwrt-19.02_00 20200522221131.764 TRACE    lxc_conf - conf.c:lxc_send_ttys_to_parent:1028 - Send pty "/dev/pts/4" with master fd 21 and slave fd 22 to parent
      lxc-start openwrt-19.02_00 20200522221131.769 TRACE    lxc_conf - conf.c:lxc_send_ttys_to_parent:1028 - Send pty "/dev/pts/5" with master fd 23 and slave fd 24 to parent
      lxc-start openwrt-19.02_00 20200522221131.773 TRACE    lxc_conf - conf.c:lxc_send_ttys_to_parent:1035 - Sent 6 ttys to parent
      lxc-start openwrt-19.02_00 20200522221131.777 DEBUG    lxc_conf - conf.c:lxc_setup_ttys:922 - Bind mounted "/dev/pts/0" onto "/dev/tty1"
      lxc-start openwrt-19.02_00 20200522221131.781 DEBUG    lxc_conf - conf.c:lxc_setup_ttys:922 - Bind mounted "/dev/pts/1" onto "/dev/tty2"
      lxc-start openwrt-19.02_00 20200522221131.785 DEBUG    lxc_conf - conf.c:lxc_setup_ttys:922 - Bind mounted "/dev/pts/2" onto "/dev/tty3"
      lxc-start openwrt-19.02_00 20200522221131.790 DEBUG    lxc_conf - conf.c:lxc_setup_ttys:922 - Bind mounted "/dev/pts/3" onto "/dev/tty4"
      lxc-start openwrt-19.02_00 20200522221131.794 DEBUG    lxc_conf - conf.c:lxc_setup_ttys:922 - Bind mounted "/dev/pts/4" onto "/dev/tty5"
      lxc-start openwrt-19.02_00 20200522221131.797 DEBUG    lxc_conf - conf.c:lxc_setup_ttys:922 - Bind mounted "/dev/pts/5" onto "/dev/tty6"
      lxc-start openwrt-19.02_00 20200522221131.800 INFO     lxc_conf - conf.c:lxc_setup_ttys:931 - Finished setting up 6 /dev/tty<N> device(s)
      lxc-start openwrt-19.02_00 20200522221131.803 DEBUG    lxc_conf - conf.c:setup_caps:2378 - capabilities have been setup
      lxc-start openwrt-19.02_00 20200522221131.806 NOTICE   lxc_conf - conf.c:lxc_setup:3283 - Container "openwrt-19.02_00" is set up
#
# pseudo filter code start
#
# filter for arch arm (1073741864)
if ($arch == 1073741864)
  # filter for syscall "finit_module" (379) [priority: 65535]
  if ($syscall == 379)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (371) [priority: 65535]
  if ($syscall == 371)
    action ERRNO(1);
  # filter for syscall "kexec_load" (347) [priority: 65535]
  if ($syscall == 347)
    action ERRNO(1);
  # filter for syscall "delete_module" (129) [priority: 65535]
  if ($syscall == 129)
    action ERRNO(1);
  # filter for syscall "init_module" (128) [priority: 65535]
  if ($syscall == 128)
    action ERRNO(1);
  # filter for syscall "umount2" (52) [priority: 65534]
  if ($syscall == 52)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
# invalid architecture action
action KILL;
#
# pseudo filter code end
#
      lxc-start openwrt-19.02_00 20200522221131.815 TRACE    lxc_start - start.c:lxc_spawn:1348 - Set up cgroup device limits
      lxc-start openwrt-19.02_00 20200522221131.818 NOTICE   lxc_start - start.c:start:1532 - Exec'ing "/sbin/init".
      lxc-start openwrt-19.02_00 20200522221131.839 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:252 - index: 0
      lxc-start openwrt-19.02_00 20200522221131.842 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:253 - ifindex: 107
      lxc-start openwrt-19.02_00 20200522221131.845 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:256 - type: veth
      lxc-start openwrt-19.02_00 20200522221131.851 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:262 - veth1 : vethPEOKB2
      lxc-start openwrt-19.02_00 20200522221131.855 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:265 - host side ifindex for veth device: 108
      lxc-start openwrt-19.02_00 20200522221131.859 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:302 - flags: up
      lxc-start openwrt-19.02_00 20200522221131.863 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:304 - link: br-lan
      lxc-start openwrt-19.02_00 20200522221131.867 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:306 - name: eth0
      lxc-start openwrt-19.02_00 20200522221131.872 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:308 - hwaddr: 4a:49:43:49:79:b9
      lxc-start openwrt-19.02_00 20200522221131.876 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:317 - ipv4 gateway auto: false
      lxc-start openwrt-19.02_00 20200522221131.879 TRACE    lxc_confile_utils - confile_utils.c:lxc_log_configured_netdevs:333 - ipv6 gateway auto: false
      lxc-start openwrt-19.02_00 20200522221131.882 TRACE    lxc_start - start.c:lxc_recv_ttys_from_child:1114 - Received pty with master fd 20 and slave fd 21 from parent
      lxc-start openwrt-19.02_00 20200522221131.885 TRACE    lxc_start - start.c:lxc_recv_ttys_from_child:1114 - Received pty with master fd 22 and slave fd 23 from parent
      lxc-start openwrt-19.02_00 20200522221131.888 TRACE    lxc_start - start.c:lxc_recv_ttys_from_child:1114 - Received pty with master fd 24 and slave fd 25 from parent
      lxc-start openwrt-19.02_00 20200522221131.892 TRACE    lxc_start - start.c:lxc_recv_ttys_from_child:1114 - Received pty with master fd 26 and slave fd 27 from parent
      lxc-start openwrt-19.02_00 20200522221131.895 TRACE    lxc_start - start.c:lxc_recv_ttys_from_child:1114 - Received pty with master fd 28 and slave fd 29 from parent
      lxc-start openwrt-19.02_00 20200522221131.898 TRACE    lxc_start - start.c:lxc_recv_ttys_from_child:1114 - Received pty with master fd 30 and slave fd 31 from parent
      lxc-start openwrt-19.02_00 20200522221131.901 TRACE    lxc_start - start.c:lxc_recv_ttys_from_child:1120 - Received 6 ttys from child
      lxc-start openwrt-19.02_00 20200522221131.904 NOTICE   lxc_start - start.c:post_start:1543 - Started "/sbin/init" with pid "11661".
      lxc-start openwrt-19.02_00 20200522221131.907 TRACE    lxc_start - start.c:lxc_serve_state_clients:373 - set container state to RUNNING
      lxc-start openwrt-19.02_00 20200522221131.910 TRACE    lxc_start - start.c:lxc_serve_state_clients:376 - no state clients registered
      lxc-start openwrt-19.02_00 20200522221131.914 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start openwrt-19.02_00 20200522221131.918 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start openwrt-19.02_00 20200522221131.921 TRACE    lxc_start - start.c:lxc_poll:504 - lxc mainloop is ready
      lxc-start openwrt-19.02_00 20200522221131.925 NOTICE   lxc_start - start.c:signal_handler:350 - Received SIGCHLD from pid 11669 instead of container init 11661.
      lxc-start openwrt-19.02_00 20200523125637.779 DEBUG    console - console.c:lxc_console_winsz:71 - set winsz dstfd:6 cols:168 

somehow can’t get the formatting prettier :expressionless:

The result is that any write to /proc/sys/net fails, so both the firewall and the DHCPv6 client fail.

Is there anything else I can provide to narrow the error down?

Try:

lxc.mount.auto =
lxc.mount.auto = sys:rw proc:rw

Thanks, this seems to resolve the issue.
I no longer get any error messages in the LXC log, and the mounts now seem to work.
Does this change have any security implications for unprivileged containers, given that /proc/sys is now writable as well?
Any idea why the mount failed with this (somewhat weird) message in the first place?

root@openwrt_t00:/# cat /proc/self/mounts                          
/dev/sda1 / ext4 rw,relatime,data=ordered 0 0      
none /dev tmpfs rw,relatime,size=492k,mode=755,uid=65536,gid=65536 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0                                   
tmpfs /dev/null tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/zero tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/full tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/urandom tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/random tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
tmpfs /dev/tty tmpfs rw,nosuid,relatime,size=512k,mode=755 0 0
devpts /dev/console devpts rw,nosuid,noexec,relatime,mode=600,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/ptmx devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty1 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty2 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty3 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
devpts /dev/tty4 devpts rw,relatime,gid=65541,mode=620,ptmxmode=666,max=1024 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime,uid=65536,gid=65536 0 0

For unprivileged containers, no. The container's root is an unprivileged user ID on the host, so the kernel only lets it write the sysctls that are namespaced (such as the network ones under /proc/sys/net for its own network namespace) and still rejects writes to global ones. It’s only really a concern for privileged containers.

Thank you for the explanation @stgraber.
I will mark your original comment as the solution.
But I’m still curious what the original error/bug was.
Could you point me to the part of the source/documentation where I can understand what sys/proc::auto is really doing under the hood? I somehow can’t locate it, as I’m probably not familiar enough with the source structure.