"Rootfs overmounted", container doesn't start

Earlier in 2020 this root container worked, but now, after an upgrade of the kernel and lxc, it doesn't start.

--logpriority=debug --logfile
...
lxc-start test2 20221208133322.704 WARN     conf - ../lxc-5.0.1/src/lxc/conf.c:lxc_rootfs_overmounted:1459 - Invalid argument - Rootfs seems to have changed after setting up mounts
lxc-start test2 20221208133322.704 ERROR    conf - ../lxc-5.0.1/src/lxc/conf.c:lxc_setup:4403 - Rootfs overmounted
lxc-start test2 20221208133322.704 ERROR    start - ../lxc-5.0.1/src/lxc/start.c:do_start:1272 - Failed to setup container "test2"
...
# uname -r
5.15.80-gentoo-x86_64
lxc-checkconfig
LXC version 5.0.1
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled

Cgroup v1 mount points:

Cgroup v2 mount points:
/sys/fs/cgroup

Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup ns_cgroup: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

/var/lib/lxc/test2/config
/var/lib/lxc/test2 # grep -vE "(^#.*$)|(^$)" config
lxc.net.0.type = veth
lxc.net.0.veth.pair=test2ext
lxc.net.0.veth.mode=bridge
lxc.net.0.link=br0
lxc.net.0.name=test2int
lxc.net.0.hwaddr=12:34:56:78:xx:xx
lxc.rootfs.path = dir:/var/lib/lxc/test2/rootfs
lxc.mount.entry=/dev/sda4 . btrfs subvol=vm/test2 0 0
lxc.mount.entry=/dev/sda4 var/db/repos btrfs subvol=portage/repos 0 0
lxc.mount.entry=/dev/sda4 var/cache/distfiles btrfs subvol=portage/distfiles 0 0
lxc.mount.entry=/dev/sda4 var/cache/binpkgs btrfs subvol=portage/binpkgs 0 0
lxc.arch = amd64
lxc.uts.name = test2
lxc.tty.max = 1
lxc.include = /usr/share/lxc/config/gentoo.common.conf
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =
btrfs subvolume list .
...
ID 288 gen 790745 top level 5 path portage/distfiles
ID 289 gen 790769 top level 5 path portage/binpkgs
ID 334 gen 790769 top level 5 path portage/repos
ID 336 gen 790773 top level 5 path vm/test2
...

I don’t think that it’s related to the kernel update. Have you performed the LXC update too?
Looks related to this change: "conf: verify that rootfs is stable after setting up mounts" by brauner (Pull Request #4003, lxc/lxc on GitHub).

You have:

lxc.mount.entry=/dev/sda4 . btrfs subvol=vm/test2 0 0

in your container configuration and this is prohibited after that change.

I suggest you bind-mount your /dev/sda4 to some other place in the container (not /) to make it work.

Yes, I updated lxc too (from ~4.0.0). Will it help to mount the vm/test2 volume with the root filesystem on /var/lib/lxc/test2/rootfs before starting the container (and remove that mount from the config)? In this case it will not change during container start. Just checked: yes, it seems that it helps.

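A config check for the situation in this thread, as an added example that is not part of the original posts or of LXC: it flags any lxc.mount.entry whose target resolves to the container rootfs itself and builds the equivalent host-side mount command to run before lxc-start, as in the workaround above. The function names, the sample config (constructed from lines posted above) and the handling of absolute targets are assumptions.

```python
import posixpath
import shlex

# Constructed sample: mount-related lines taken from the config posted above.
SAMPLE_CONFIG = """\
lxc.rootfs.path = dir:/var/lib/lxc/test2/rootfs
lxc.mount.entry=/dev/sda4 . btrfs subvol=vm/test2 0 0
lxc.mount.entry=/dev/sda4 var/db/repos btrfs subvol=portage/repos 0 0
"""

# Mount options that LXC interprets itself; they are not valid for mount(8).
LXC_ONLY_OPTS = ("optional", "relative", "create=dir", "create=file")


def parse_config(text):
    """Return (rootfs_dir, [mount entry strings]) from LXC config text."""
    rootfs, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.rootfs.path":
            # Drop a single-path backend prefix such as "dir:".
            rootfs = value.split(":", 1)[1] if ":" in value else value
        elif key == "lxc.mount.entry":
            entries.append(value)
    return rootfs, entries


def rootfs_overmounts(text):
    """Return (entry, host_mount_command) for entries that target the rootfs."""
    rootfs, entries = parse_config(text)
    findings = []
    for entry in entries:
        fields = entry.split()
        if len(fields) < 4 or not rootfs:
            continue
        source, target, fstype, opts = fields[:4]
        # Relative targets are resolved against the rootfs. Assumption: an
        # absolute target is compared literally with the rootfs path.
        resolved = posixpath.normpath(posixpath.join(rootfs, target))
        if resolved != posixpath.normpath(rootfs):
            continue
        keep = [o for o in opts.split(",") if o not in LXC_ONLY_OPTS]
        opt_args = ["-o", ",".join(keep)] if keep else []
        cmd = ["mount", "-t", fstype, *opt_args, source, rootfs]
        findings.append((entry, shlex.join(cmd)))
    return findings
```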