This is the output of "strace": strace_output - Pastebin.com
I can’t find anything like:
mount("proc", "/mnt/proc", "proc", MS_MGC_VAL, NULL) = 0
in the log. The same goes when I start a privileged container. Actually, there is no mention of "/proc" anywhere. Could this help?
Hm, can I trouble you to try this with current git main?
Hi @brauner,
I tried, but this is a log from LXC:
lxc_spawn: 1673 Invalid argument - Failed to clone a new set of namespaces
From lxc-checkconfig:
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
The kernel configuration is the same; I changed only the LXC version.
Do you know all the functionality that LXC relies on? It strikes me that newer versions use something from the kernel that older ones don’t? Do you have any documentation on that?
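An added example, not part of the thread or of LXC: a small triage script for LXC log-file entries that lists every message prefixed with "Function not implemented" (ENOSYS, usually an interface the running kernel does not provide) and separates those fallbacks from the first ERROR that carries a different errno. The sample entries are constructed in the layout LXC writes to its log file, and treating that first non-ENOSYS ERROR as the point of failure is a heuristic assumed here.

```python
import re

# Layout of one LXC log-file entry:
#   <program> <container> <YYYYmmddHHMMSS.mmm> <LEVEL> <module> - <file>:<func>:<line> - <message>
ENTRY_RE = re.compile(
    r"^(?P<prog>\S+) (?P<name>\S+) (?P<ts>\d{14}\.\d{3}) (?P<level>[A-Z]+) +"
    r"(?P<module>\S+) - (?P<src>[\w.]+):(?P<func>\w+):(?P<lineno>\d+) - (?P<msg>.*)$"
)

# strerror() strings that prefix the message when errno is logged with it.
ERRNO_BY_TEXT = {
    "Function not implemented": "ENOSYS",
    "Invalid argument": "EINVAL",
    "Operation not permitted": "EPERM",
    "Permission denied": "EACCES",
    "Device or resource busy": "EBUSY",
    "No such file or directory": "ENOENT",
}

# Constructed sample entries (container name, PIDs and timestamps are made up).
SAMPLE_LOG = '''\
lxc-start demo 20240101120000.100 TRACE start - start.c:lxc_spawn:1706 - Function not implemented - Failed to spawn container via clone3()
lxc-start demo 20240101120000.101 TRACE start - start.c:lxc_spawn:1741 - Cloned child process 4242
lxc-start demo 20240101120000.102 ERROR utils - utils.c:lxc_can_use_pidfd:1772 - Kernel does not support pidfds
lxc-start demo 20240101120000.103 TRACE conf - conf.c:lxc_map_ids:3093 - Wrote mapping "0 1000000 65536
"
lxc-start demo 20240101120000.110 TRACE process_utils - process_utils.c:lxc_raw_clone:110 - Function not implemented - Falling back to legacy clone
lxc-start demo 20240101120000.120 ERROR utils - utils.c:__safe_mount_beneath_at:1100 - Function not implemented - Failed to open 44(proc)
lxc-start demo 20240101120000.121 ERROR utils - utils.c:safe_mount:1198 - Device or resource busy - Failed to mount "proc" onto "/usr/lib/lxc/rootfs/proc"
lxc-start demo 20240101120000.121 ERROR conf - conf.c:lxc_create_tmp_proc_mount:3249 - Operation not permitted - Failed to create transient procfs mount
lxc-start demo 20240101120000.122 ERROR start - start.c:do_start:1265 - Failed to setup container "demo"
'''


def parse_log(text):
    """Return one dict per log entry, with the errno prefix split off the message."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw)
        if match is None:
            # Some messages contain newlines (a written id mapping, for
            # instance); glue the remainder onto the entry it belongs to.
            if entries and raw.strip():
                entries[-1]["msg"] += " " + raw.strip()
            continue
        entries.append(match.groupdict())

    for entry in entries:
        prefix, sep, rest = entry["msg"].partition(" - ")
        entry["errno"] = ERRNO_BY_TEXT.get(prefix) if sep else None
        entry["detail"] = rest if entry["errno"] else entry["msg"]
    return entries


def triage(entries):
    """Separate ENOSYS fallbacks from the error that aborted the start."""
    missing = [(e["func"], e["detail"]) for e in entries if e["errno"] == "ENOSYS"]
    errors = [e for e in entries if e["level"] == "ERROR"]
    # Heuristic (an assumption of this example): an ENOSYS entry means a newer
    # interface was tried first, so the first ERROR with a different errno is
    # where the fallback path itself failed.
    first_hard = next(
        (e for e in errors if e["errno"] not in (None, "ENOSYS")), None
    )
    return {"missing": missing, "errors": errors, "first_hard": first_hard}


def report(text):
    """Build a short human-readable summary of a log."""
    result = triage(parse_log(text))
    lines = ["Interfaces reported as not implemented (ENOSYS):"]
    lines += [f"  {func}: {detail}" for func, detail in result["missing"]]
    hard = result["first_hard"]
    if hard:
        lines.append("First ERROR with another errno:")
        lines.append(
            f"  {hard['src']}:{hard['func']}:{hard['lineno']} {hard['errno']} - {hard['detail']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

To use it on a real log, pass the contents of the file LXC wrote at TRACE level to `report()` in place of `SAMPLE_LOG`.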
Hello,
I had the same problem, and it was solved by this post: linux - Mounting proc in non-privileged namespace sandbox - Stack Overflow
I added the flags MS_REC and MS_BIND while mounting proc in the lxc source code and the error disappeared.
Hello @dbog,
In my opinion this is not the best solution for me. I understood that MS_REC blocks further mounting of an already mounted directory if someone tries to remount it recursively.
Hi,
I am experiencing the same issue with mounting proc when starting an unprivileged container, but on a newer version, LXC 4.0.9:
lxc-start asd 20210915214303.369 ERROR utils - utils.c:lxc_can_use_pidfd:1772 - Kernel does not support pidfds
lxc-start asd 20210915214303.433 ERROR utils - utils.c:__safe_mount_beneath_at:1100 - Function not implemented - Failed to open 44(proc)
lxc-start asd 20210915214303.434 ERROR utils - utils.c:safe_mount:1198 - Device or resource busy - Failed to mount "proc" onto "/usr/lib/lxc/rootfs/proc"
lxc-start asd 20210915214303.434 ERROR conf - conf.c:lxc_transient_proc:3234 - Device or resource busy - Failed to mount temporary procfs
lxc-start asd 20210915214303.434 ERROR conf - conf.c:lxc_create_tmp_proc_mount:3249 - Operation not permitted - Failed to create transient procfs mount
lxc-start asd 20210915214303.434 ERROR conf - conf.c:lxc_setup:3704 - Failed to mount transient procfs instance for LSMs
lxc-start asd 20210915214303.434 ERROR start - start.c:do_start:1265 - Failed to setup container "asd"
lxc-start asd 20210915214303.435 ERROR sync - sync.c:sync_wait:36 - An error occurred in another process (expected sequence number 5)
lxc-start asd 20210915214303.435 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:868 - Received container state "ABORTING" instead of "RUNNING"
lxc-start asd 20210915214303.439 ERROR start - start.c:__lxc_start:2073 - Failed to spawn container "asd"
The full trace log is:
lxc asd 20210915214254.681 TRACE commands - commands.c:lxc_cmd:511 - Connection refused - Command "get_state" failed to connect command socket
lxc asd 20210915214254.682 TRACE commands - commands.c:lxc_cmd:511 - Connection refused - Command "get_state" failed to connect command socket
lxc asd 20210915214254.682 TRACE commands - commands.c:lxc_cmd:511 - Connection refused - Command "get_init_pid" failed to connect command socket
lxc-start asd 20210915214303.315 TRACE commands - commands.c:lxc_cmd:511 - Connection refused - Command "get_init_pid" failed to connect command socket
lxc-start asd 20210915214303.316 TRACE commands - commands.c:lxc_cmd:511 - Connection refused - Command "get_state" failed to connect command socket
lxc-start asd 20210915214303.316 TRACE start - start.c:lxc_init_handler:710 - Created anonymous pair {3,4} of unix sockets
lxc-start asd 20210915214303.317 TRACE commands - commands.c:lxc_server_init:2063 - Created abstract unix socket "/var/lib/lxc/asd/command"
lxc-start asd 20210915214303.317 TRACE start - start.c:lxc_init_handler:726 - Unix domain socket 5 for command server is ready
lxc-start asd 20210915214303.321 INFO lxccontainer - lxccontainer.c:do_lxcapi_start:988 - Set process title to [lxc monitor] /var/lib/lxc asd
lxc-start asd 20210915214303.325 DEBUG lxccontainer - lxccontainer.c:wait_on_daemonized_start:849 - First child 79768 exited
lxc-start asd 20210915214303.325 TRACE start - start.c:lxc_start:2186 - Doing lxc_start
lxc-start asd 20210915214303.326 INFO lsm - lsm.c:lsm_init_static:40 - Initialized LSM security driver nop
lxc-start asd 20210915214303.326 TRACE start - start.c:lxc_init:750 - Initialized LSM
lxc-start asd 20210915214303.326 TRACE start - start.c:lxc_serve_state_clients:448 - Set container state to STARTING
lxc-start asd 20210915214303.326 TRACE start - start.c:lxc_serve_state_clients:451 - No state clients registered
lxc-start asd 20210915214303.326 TRACE start - start.c:lxc_init:756 - Set container state to "STARTING"
lxc-start asd 20210915214303.326 TRACE start - start.c:lxc_init:812 - Set environment variables
lxc-start asd 20210915214303.326 TRACE start - start.c:lxc_init:817 - Ran pre-start hooks
lxc-start asd 20210915214303.327 TRACE start - start.c:setup_signal_fd:341 - Created signal file descriptor 8
lxc-start asd 20210915214303.327 TRACE start - start.c:lxc_init:826 - Set up signal fd
lxc-start asd 20210915214303.330 TRACE conf - conf.c:userns_exec_mapped_root:4838 - Chowned 10((null)) to uid 1000000 and 1000000
lxc-start asd 20210915214303.330 TRACE terminal - terminal.c:lxc_terminal_map_ids:859 - Chowned terminal 10((null))
lxc-start asd 20210915214303.330 DEBUG terminal - terminal.c:lxc_terminal_peer_default:665 - No such device - The process does not have a controlling terminal
lxc-start asd 20210915214303.330 TRACE start - start.c:lxc_init:834 - Created console
lxc-start asd 20210915214303.331 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at blkio and base cgroup (null)
lxc-start asd 20210915214303.331 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the blkio controller
lxc-start asd 20210915214303.331 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at freezer and base cgroup (null)
lxc-start asd 20210915214303.331 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the freezer controller
lxc-start asd 20210915214303.331 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at devices and base cgroup (null)
lxc-start asd 20210915214303.331 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the devices controller
lxc-start asd 20210915214303.331 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at cpu,cpuacct and base cgroup (null)
lxc-start asd 20210915214303.332 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the cpu controller
lxc-start asd 20210915214303.332 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the cpuacct controller
lxc-start asd 20210915214303.332 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at memory and base cgroup (null)
lxc-start asd 20210915214303.332 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the memory controller
lxc-start asd 20210915214303.332 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at debug and base cgroup (null)
lxc-start asd 20210915214303.332 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the debug controller
lxc-start asd 20210915214303.332 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at cpuset and base cgroup (null)
lxc-start asd 20210915214303.332 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the cpuset controller
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at perf_event and base cgroup (null)
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the perf_event controller
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at hugetlb and base cgroup (null)
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the hugetlb controller
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at pids and base cgroup (null)
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the pids controller
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at net_cls,net_prio and base cgroup (null)
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the net_cls controller
lxc-start asd 20210915214303.333 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the net_prio controller
lxc-start asd 20210915214303.334 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at systemd and base cgroup (null)
lxc-start asd 20210915214303.334 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:449 - The hierarchy contains the name=systemd controller
lxc-start asd 20210915214303.334 WARN cgfsng - cgfsng.c:__list_cgroup_delegate:3041 - No such file or directory - Failed to read /sys/kernel/cgroup/delegate
lxc-start asd 20210915214303.335 TRACE cgfsng - cgfsng.c:__initialize_cgroups:3158 - No controllers are enabled for delegation in the unified hierarchy
lxc-start asd 20210915214303.335 TRACE cgfsng - cgfsng.c:cgroup_hierarchy_add:446 - Adding cgroup hierarchy mounted at unified and base cgroup (null)
lxc-start asd 20210915214303.335 TRACE cgroup - cgroup.c:cgroup_init:42 - Initialized cgroup driver cgfsng
lxc-start asd 20210915214303.335 TRACE cgroup - cgroup.c:cgroup_init:47 - Hybrid cgroup layout
lxc-start asd 20210915214303.335 TRACE start - start.c:lxc_init:841 - Initialized cgroup driver
lxc-start asd 20210915214303.335 TRACE start - start.c:lxc_init:846 - Read seccomp policy
lxc-start asd 20210915214303.335 TRACE start - start.c:lxc_init:853 - Initialized LSM
lxc-start asd 20210915214303.335 INFO start - start.c:lxc_init:855 - Container "asd" is initialized
lxc-start asd 20210915214303.336 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 12(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.337 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 13(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.337 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 14(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.338 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 15(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.340 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 16(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.340 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 17(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.341 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 18(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.347 TRACE cgfsng - cgfsng.c:cpuset1_cpus_initialize:670 - Copied cpu settings of parent cgroup
lxc-start asd 20210915214303.348 TRACE cgfsng - cgfsng.c:cpuset1_initialize:712 - Initialized cpuset in the legacy hierarchy
lxc-start asd 20210915214303.348 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 19(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.348 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 20(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.349 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 21(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.349 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 22(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.350 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 23(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.350 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 24(lxc.monitor.asd) cgroup
lxc-start asd 20210915214303.351 INFO cgfsng - cgfsng.c:cgfsng_monitor_create:1070 - The monitor process uses "lxc.monitor.asd" as cgroup
lxc-start asd 20210915214303.351 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 25
lxc-start asd 20210915214303.351 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 25
lxc-start asd 20210915214303.352 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 26
lxc-start asd 20210915214303.352 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 26
lxc-start asd 20210915214303.352 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 27
lxc-start asd 20210915214303.353 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 27
lxc-start asd 20210915214303.353 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 28
lxc-start asd 20210915214303.354 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 28
lxc-start asd 20210915214303.354 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 29
lxc-start asd 20210915214303.354 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 29
lxc-start asd 20210915214303.355 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 30
lxc-start asd 20210915214303.355 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 30
lxc-start asd 20210915214303.356 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 31
lxc-start asd 20210915214303.356 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 31
lxc-start asd 20210915214303.356 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 32
lxc-start asd 20210915214303.357 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 32
lxc-start asd 20210915214303.357 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 33
lxc-start asd 20210915214303.357 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 33
lxc-start asd 20210915214303.358 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 34
lxc-start asd 20210915214303.358 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 34
lxc-start asd 20210915214303.359 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 35
lxc-start asd 20210915214303.359 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 35
lxc-start asd 20210915214303.360 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 36
lxc-start asd 20210915214303.360 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 36
lxc-start asd 20210915214303.360 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1220 - Moved monitor into cgroup 37
lxc-start asd 20210915214303.361 TRACE cgfsng - cgfsng.c:cgfsng_monitor_enter:1229 - Moved transient process into cgroup 37
lxc-start asd 20210915214303.361 DEBUG storage - storage.c:get_storage_by_name:211 - Detected rootfs type "dir"
lxc-start asd 20210915214303.361 TRACE conf - conf.c:lxc_rootfs_init:565 - Not pinning because container runs in user namespace
lxc-start asd 20210915214303.361 DEBUG storage - storage.c:get_storage_by_name:211 - Detected rootfs type "dir"
lxc-start asd 20210915214303.361 TRACE sync - sync.c:lxc_sync_init:141 - Initialized synchronization infrastructure
lxc-start asd 20210915214303.361 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 12(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.362 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 13(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.362 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 14(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.362 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 15(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.362 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 16(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.363 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 17(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.363 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 18(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.365 TRACE cgfsng - cgfsng.c:cpuset1_cpus_initialize:670 - Copied cpu settings of parent cgroup
lxc-start asd 20210915214303.365 TRACE cgfsng - cgfsng.c:cpuset1_initialize:712 - Initialized cpuset in the legacy hierarchy
lxc-start asd 20210915214303.366 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 19(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.366 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 20(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.366 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 21(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.366 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 22(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.366 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 23(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.366 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Created 24(lxc.payload.asd) cgroup
lxc-start asd 20210915214303.366 INFO cgfsng - cgfsng.c:cgfsng_payload_create:1178 - The container process uses "lxc.payload.asd" as inner and "lxc.payload.asd" as limit cgroup
lxc-start asd 20210915214303.367 TRACE start - start.c:lxc_spawn:1690 - Function not implemented - Failed to spawn container directly into target cgroup
lxc-start asd 20210915214303.367 TRACE start - start.c:lxc_spawn:1706 - Function not implemented - Failed to spawn container via clone3()
lxc-start asd 20210915214303.369 TRACE start - start.c:lxc_spawn:1741 - Cloned child process 79770
lxc-start asd 20210915214303.369 ERROR utils - utils.c:lxc_can_use_pidfd:1772 - Kernel does not support pidfds
lxc-start asd 20210915214303.369 INFO start - start.c:lxc_spawn:1757 - Cloned CLONE_NEWUSER
lxc-start asd 20210915214303.369 INFO start - start.c:lxc_spawn:1757 - Cloned CLONE_NEWNS
lxc-start asd 20210915214303.369 INFO start - start.c:lxc_spawn:1757 - Cloned CLONE_NEWPID
lxc-start asd 20210915214303.369 INFO start - start.c:lxc_spawn:1757 - Cloned CLONE_NEWUTS
lxc-start asd 20210915214303.369 INFO start - start.c:lxc_spawn:1757 - Cloned CLONE_NEWIPC
lxc-start asd 20210915214303.369 DEBUG start - start.c:lxc_try_preserve_namespace:139 - Preserved user namespace via fd 43 and stashed path as user:/proc/79769/fd/43
lxc-start asd 20210915214303.369 DEBUG start - start.c:lxc_try_preserve_namespace:139 - Preserved mnt namespace via fd 44 and stashed path as mnt:/proc/79769/fd/44
lxc-start asd 20210915214303.370 DEBUG start - start.c:lxc_try_preserve_namespace:139 - Preserved pid namespace via fd 45 and stashed path as pid:/proc/79769/fd/45
lxc-start asd 20210915214303.370 DEBUG start - start.c:lxc_try_preserve_namespace:139 - Preserved uts namespace via fd 46 and stashed path as uts:/proc/79769/fd/46
lxc-start asd 20210915214303.370 DEBUG start - start.c:lxc_try_preserve_namespace:139 - Preserved ipc namespace via fd 47 and stashed path as ipc:/proc/79769/fd/47
lxc-start asd 20210915214303.370 WARN conf - conf.c:lxc_map_ids:3007 - newuidmap binary is missing
lxc-start asd 20210915214303.370 WARN conf - conf.c:lxc_map_ids:3013 - newgidmap binary is missing
lxc-start asd 20210915214303.370 DEBUG conf - conf.c:lxc_map_ids:3026 - No newuidmap and newgidmap binary found. Trying to write directly with euid 0
lxc-start asd 20210915214303.370 TRACE conf - conf.c:lxc_map_ids:3093 - Wrote mapping "0 1000000 65536
"
lxc-start asd 20210915214303.370 TRACE conf - conf.c:lxc_map_ids:3093 - Wrote mapping "0 1000000 65536
"
lxc-start asd 20210915214303.371 TRACE sync - sync.c:lxc_sync_wake_child:124 - Child waking parent with sequence startup
lxc-start asd 20210915214303.371 TRACE sync - sync.c:lxc_sync_wait_child:118 - Child waiting for parent with sequence configure
lxc-start asd 20210915214303.371 TRACE sync - sync.c:lxc_sync_wait_parent:112 - Parent waiting for child with sequence startup
lxc-start asd 20210915214303.404 INFO start - start.c:do_start:1085 - Unshared CLONE_NEWNET
lxc-start asd 20210915214303.405 TRACE sync - sync.c:lxc_sync_barrier_parent:92 - Child waking parent with sequence configure and waiting for sequence post-configure
lxc-start asd 20210915214303.406 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/blkio/lxc.payload.asd cgroup via 29
lxc-start asd 20210915214303.406 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/freezer/lxc.payload.asd cgroup via 30
lxc-start asd 20210915214303.406 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/devices/lxc.payload.asd cgroup via 31
lxc-start asd 20210915214303.407 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/cpu,cpuacct/lxc.payload.asd cgroup via 32
lxc-start asd 20210915214303.407 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/memory/lxc.payload.asd cgroup via 33
lxc-start asd 20210915214303.407 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/debug/lxc.payload.asd cgroup via 34
lxc-start asd 20210915214303.407 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/cpuset/lxc.payload.asd cgroup via 35
lxc-start asd 20210915214303.407 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/perf_event/lxc.payload.asd cgroup via 36
lxc-start asd 20210915214303.408 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/hugetlb/lxc.payload.asd cgroup via 38
lxc-start asd 20210915214303.408 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/pids/lxc.payload.asd cgroup via 39
lxc-start asd 20210915214303.408 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/net_cls,net_prio/lxc.payload.asd cgroup via 40
lxc-start asd 20210915214303.408 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/systemd/lxc.payload.asd cgroup via 41
lxc-start asd 20210915214303.409 TRACE cgfsng - cgfsng.c:cgfsng_payload_enter:1279 - Moved container into /sys/fs/cgroup/unified/lxc.payload.asd cgroup via 42
lxc-start asd 20210915214303.409 TRACE conf - conf.c:get_minimal_idmap:4365 - Allocated minimal idmapping for ns uid 0 and ns gid 0
lxc-start asd 20210915214303.409 TRACE process_utils - process_utils.c:lxc_raw_clone:110 - Function not implemented - Falling back to legacy clone
lxc-start asd 20210915214303.410 TRACE conf - conf.c:userns_exec_1:4429 - Establishing uid mapping for "79771" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start asd 20210915214303.410 TRACE conf - conf.c:userns_exec_1:4429 - Establishing uid mapping for "79771" in new user namespace: nsuid 0 - hostid 1000000 - range 65536
lxc-start asd 20210915214303.410 TRACE conf - conf.c:userns_exec_1:4429 - Establishing gid mapping for "79771" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start asd 20210915214303.410 TRACE conf - conf.c:userns_exec_1:4429 - Establishing gid mapping for "79771" in new user namespace: nsuid 0 - hostid 1000000 - range 65536
lxc-start asd 20210915214303.411 WARN conf - conf.c:lxc_map_ids:3007 - newuidmap binary is missing
lxc-start asd 20210915214303.411 WARN conf - conf.c:lxc_map_ids:3013 - newgidmap binary is missing
lxc-start asd 20210915214303.411 DEBUG conf - conf.c:lxc_map_ids:3026 - No newuidmap and newgidmap binary found. Trying to write directly with euid 0
lxc-start asd 20210915214303.411 TRACE conf - conf.c:lxc_map_ids:3093 - Wrote mapping "65536 0 1
0 1000000 65536
"
lxc-start asd 20210915214303.411 TRACE conf - conf.c:lxc_map_ids:3093 - Wrote mapping "65536 0 1
0 1000000 65536
"
lxc-start asd 20210915214303.411 TRACE conf - conf.c:run_userns_fn:4208 - Calling function "chown_cgroup_wrapper"
lxc-start asd 20210915214303.412 NOTICE utils - utils.c:lxc_drop_groups:1345 - Dropped supplimentary groups
lxc-start asd 20210915214303.414 WARN cgfsng - cgfsng.c:fchowmodat:1293 - No such file or directory - Failed to fchownat(42, memory.oom.group, 65536, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW )
lxc-start asd 20210915214303.415 DEBUG start - start.c:lxc_try_preserve_namespace:139 - Preserved net namespace via fd 7 and stashed path as net:/proc/79769/fd/7
lxc-start asd 20210915214303.415 TRACE start - start.c:lxc_spawn:1838 - Allocated new network namespace id
lxc-start asd 20210915214303.415 TRACE sync - sync.c:lxc_sync_barrier_child:99 - Parent waking child with sequence post-configure and waiting with sequence cgroup
lxc-start asd 20210915214303.416 NOTICE utils - utils.c:lxc_drop_groups:1345 - Dropped supplimentary groups
lxc-start asd 20210915214303.416 NOTICE utils - utils.c:lxc_switch_uid_gid:1321 - Switched to gid 0
lxc-start asd 20210915214303.416 NOTICE utils - utils.c:lxc_switch_uid_gid:1330 - Switched to uid 0
lxc-start asd 20210915214303.416 TRACE sync - sync.c:lxc_sync_barrier_parent:92 - Child waking parent with sequence cgroup and waiting for sequence cgroup-unshare
lxc-start asd 20210915214303.416 TRACE sync - sync.c:lxc_sync_barrier_child:99 - Parent waking child with sequence cgroup-unshare and waiting with sequence cgroup-limits
lxc-start asd 20210915214303.416 INFO start - start.c:do_start:1196 - Unshared CLONE_NEWCGROUP
lxc-start asd 20210915214303.417 TRACE conf - conf.c:turn_into_dependent_mounts:3344 - Turned all mount table entries into dependent mount
lxc-start asd 20210915214303.417 TRACE dir - dir.c:dir_mount:193 - Mounted "/home/user/asd/rootfs" onto "/usr/lib/lxc/rootfs"
lxc-start asd 20210915214303.417 DEBUG conf - conf.c:lxc_mount_rootfs:1394 - Mounted rootfs "/home/user/asd/rootfs" onto "/usr/lib/lxc/rootfs" with options "(null)"
lxc-start asd 20210915214303.417 INFO conf - conf.c:setup_utsname:846 - Set hostname to "asd"
lxc-start asd 20210915214303.417 INFO conf - conf.c:mount_autodev:1182 - Preparing "/dev"
lxc-start asd 20210915214303.425 DEBUG conf - conf.c:mount_autodev:1212 - Using mount options: size=500000,mode=755
lxc-start asd 20210915214303.426 INFO conf - conf.c:mount_autodev:1242 - Prepared "/dev"
lxc-start asd 20210915214303.426 INFO conf - conf.c:lxc_fill_autodev:1279 - Populating "/dev"
lxc-start asd 20210915214303.427 DEBUG conf - conf.c:lxc_fill_autodev:1356 - Bind mounted host device node "/dev/full" to "/usr/lib/lxc/rootfs/dev/full"
lxc-start asd 20210915214303.428 DEBUG conf - conf.c:lxc_fill_autodev:1356 - Bind mounted host device node "/dev/null" to "/usr/lib/lxc/rootfs/dev/null"
lxc-start asd 20210915214303.428 DEBUG conf - conf.c:lxc_fill_autodev:1356 - Bind mounted host device node "/dev/random" to "/usr/lib/lxc/rootfs/dev/random"
lxc-start asd 20210915214303.429 DEBUG conf - conf.c:lxc_fill_autodev:1356 - Bind mounted host device node "/dev/tty" to "/usr/lib/lxc/rootfs/dev/tty"
lxc-start asd 20210915214303.430 DEBUG conf - conf.c:lxc_fill_autodev:1356 - Bind mounted host device node "/dev/urandom" to "/usr/lib/lxc/rootfs/dev/urandom"
lxc-start asd 20210915214303.430 DEBUG conf - conf.c:lxc_fill_autodev:1356 - Bind mounted host device node "/dev/zero" to "/usr/lib/lxc/rootfs/dev/zero"
lxc-start asd 20210915214303.430 INFO conf - conf.c:lxc_fill_autodev:1363 - Populated "/dev"
lxc-start asd 20210915214303.433 ERROR utils - utils.c:__safe_mount_beneath_at:1100 - Function not implemented - Failed to open 44(proc)
lxc-start asd 20210915214303.434 ERROR utils - utils.c:safe_mount:1198 - Device or resource busy - Failed to mount "proc" onto "/usr/lib/lxc/rootfs/proc"
lxc-start asd 20210915214303.434 ERROR conf - conf.c:lxc_transient_proc:3234 - Device or resource busy - Failed to mount temporary procfs
lxc-start asd 20210915214303.434 ERROR conf - conf.c:lxc_create_tmp_proc_mount:3249 - Operation not permitted - Failed to create transient procfs mount
lxc-start asd 20210915214303.434 ERROR conf - conf.c:lxc_setup:3704 - Failed to mount transient procfs instance for LSMs
lxc-start asd 20210915214303.434 ERROR start - start.c:do_start:1265 - Failed to setup container "asd"
lxc-start asd 20210915214303.434 TRACE sync - sync.c:lxc_sync_wake_parent:106 - Child waking parent with sequence error
lxc-start asd 20210915214303.435 ERROR sync - sync.c:sync_wait:36 - An error occurred in another process (expected sequence number 5)
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_USER_NS=/proc/79769/fd/43
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_MNT_NS=/proc/79769/fd/44
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_PID_NS=/proc/79769/fd/45
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_UTS_NS=/proc/79769/fd/46
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_IPC_NS=/proc/79769/fd/47
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_expose_namespace_environment:883 - Set environment variable LXC_NET_NS=/proc/79769/fd/7
lxc-start asd 20210915214303.435 DEBUG network - network.c:lxc_delete_network:4180 - Deleted network devices
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_serve_state_socket_pair:512 - Sent container state "ABORTING" to 4
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_serve_state_clients:448 - Set container state to ABORTING
lxc-start asd 20210915214303.435 TRACE start - start.c:lxc_serve_state_clients:451 - No state clients registered
lxc-start asd 20210915214303.435 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:868 - Received container state "ABORTING" instead of "RUNNING"
lxc-start asd 20210915214303.439 ERROR start - start.c:__lxc_start:2073 - Failed to spawn container "asd"
lxc-start asd 20210915214303.439 TRACE start - start.c:lxc_serve_state_clients:448 - Set container state to ABORTING
lxc-start asd 20210915214303.439 TRACE start - start.c:lxc_serve_state_clients:451 - No state clients registered
lxc-start asd 20210915214303.440 WARN start - start.c:lxc_abort:1022 - No such process - Failed to send SIGKILL to 79770
lxc-start asd 20210915214303.440 TRACE start - start.c:lxc_serve_state_clients:448 - Set container state to STOPPING
lxc-start asd 20210915214303.440 TRACE start - start.c:lxc_serve_state_clients:451 - No state clients registered
lxc-start asd 20210915214303.440 TRACE conf - conf.c:get_minimal_idmap:4365 - Allocated minimal idmapping for ns uid 0 and ns gid 0
lxc-start asd 20210915214303.440 TRACE process_utils - process_utils.c:lxc_raw_clone:110 - Function not implemented - Falling back to legacy clone
lxc-start asd 20210915214303.441 TRACE conf - conf.c:userns_exec_1:4429 - Establishing uid mapping for "79773" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start asd 20210915214303.441 TRACE conf - conf.c:userns_exec_1:4429 - Establishing uid mapping for "79773" in new user namespace: nsuid 0 - hostid 1000000 - range 65536
lxc-start asd 20210915214303.441 TRACE conf - conf.c:userns_exec_1:4429 - Establishing gid mapping for "79773" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start asd 20210915214303.441 TRACE conf - conf.c:userns_exec_1:4429 - Establishing gid mapping for "79773" in new user namespace: nsuid 0 - hostid 1000000 - range 65536
lxc-start asd 20210915214303.442 WARN conf - conf.c:lxc_map_ids:3007 - newuidmap binary is missing
lxc-start asd 20210915214303.442 WARN conf - conf.c:lxc_map_ids:3013 - newgidmap binary is missing
lxc-start asd 20210915214303.442 DEBUG conf - conf.c:lxc_map_ids:3026 - No newuidmap and newgidmap binary found. Trying to write directly with euid 0
lxc-start asd 20210915214303.442 TRACE conf - conf.c:lxc_map_ids:3093 - Wrote mapping "65536 0 1
0 1000000 65536
"
lxc-start asd 20210915214303.442 TRACE conf - conf.c:lxc_map_ids:3093 - Wrote mapping "65536 0 1
0 1000000 65536
"
lxc-start asd 20210915214303.443 TRACE conf - conf.c:run_userns_fn:4208 - Calling function "cgroup_tree_remove_wrapper"
lxc-start asd 20210915214303.443 NOTICE utils - utils.c:lxc_drop_groups:1345 - Dropped supplimentary groups
lxc-start asd 20210915214303.446 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 12(lxc.payload.asd)
lxc-start asd 20210915214303.447 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 13(lxc.payload.asd)
lxc-start asd 20210915214303.448 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 14(lxc.payload.asd)
lxc-start asd 20210915214303.449 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 15(lxc.payload.asd)
lxc-start asd 20210915214303.452 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 16(lxc.payload.asd)
lxc-start asd 20210915214303.453 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 17(lxc.payload.asd)
lxc-start asd 20210915214303.454 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 18(lxc.payload.asd)
lxc-start asd 20210915214303.455 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 19(lxc.payload.asd)
lxc-start asd 20210915214303.456 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 20(lxc.payload.asd)
lxc-start asd 20210915214303.457 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 21(lxc.payload.asd)
lxc-start asd 20210915214303.458 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 22(lxc.payload.asd)
lxc-start asd 20210915214303.458 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 23(lxc.payload.asd)
lxc-start asd 20210915214303.459 TRACE cgfsng - cgfsng.c:cgroup_tree_remove:475 - Removed cgroup tree 24(lxc.payload.asd)
lxc-start asd 20210915214303.461 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 12(lxc.pivot) cgroup
lxc-start asd 20210915214303.463 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 12(lxc.monitor.asd)
lxc-start asd 20210915214303.463 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 13(lxc.pivot) cgroup
lxc-start asd 20210915214303.464 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 13(lxc.monitor.asd)
lxc-start asd 20210915214303.464 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 14(lxc.pivot) cgroup
lxc-start asd 20210915214303.464 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 14(lxc.monitor.asd)
lxc-start asd 20210915214303.465 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 15(lxc.pivot) cgroup
lxc-start asd 20210915214303.466 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 15(lxc.monitor.asd)
lxc-start asd 20210915214303.466 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 16(lxc.pivot) cgroup
lxc-start asd 20210915214303.468 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 16(lxc.monitor.asd)
lxc-start asd 20210915214303.468 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 17(lxc.pivot) cgroup
lxc-start asd 20210915214303.468 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 17(lxc.monitor.asd)
lxc-start asd 20210915214303.469 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 18(lxc.pivot) cgroup
lxc-start asd 20210915214303.471 TRACE cgfsng - cgfsng.c:cpuset1_cpus_initialize:670 - Copied cpu settings of parent cgroup
lxc-start asd 20210915214303.471 TRACE cgfsng - cgfsng.c:cpuset1_initialize:712 - Initialized cpuset in the legacy hierarchy
lxc-start asd 20210915214303.473 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 18(lxc.monitor.asd)
lxc-start asd 20210915214303.473 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 19(lxc.pivot) cgroup
lxc-start asd 20210915214303.473 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 19(lxc.monitor.asd)
lxc-start asd 20210915214303.473 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 20(lxc.pivot) cgroup
lxc-start asd 20210915214303.474 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 20(lxc.monitor.asd)
lxc-start asd 20210915214303.474 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 21(lxc.pivot) cgroup
lxc-start asd 20210915214303.475 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 21(lxc.monitor.asd)
lxc-start asd 20210915214303.475 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 22(lxc.pivot) cgroup
lxc-start asd 20210915214303.475 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 22(lxc.monitor.asd)
lxc-start asd 20210915214303.475 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 23(lxc.pivot) cgroup
lxc-start asd 20210915214303.476 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 23(lxc.monitor.asd)
lxc-start asd 20210915214303.476 TRACE cgfsng - cgfsng.c:__cgroup_tree_create:751 - Reusing 24(lxc.pivot) cgroup
lxc-start asd 20210915214303.477 TRACE cgfsng - cgfsng.c:cgfsng_monitor_destroy:957 - Removed cgroup tree 24(lxc.monitor.asd)
lxc-start asd 20210915214303.477 TRACE start - start.c:lxc_end:940 - Closed command socket
lxc-start asd 20210915214303.477 TRACE start - start.c:lxc_end:951 - Set container state to "STOPPED"
I patched LXC to save file descriptors at a point just before mounting proc, and could not find any process keeping proc busy when comparing to privileged containers which work just fine.
Is there any mainline kernel security feature which needs to be enabled/disabled in order to have an unprivileged container running on Yocto based systems?
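The lxc-start logs in this thread share one record layout and contain multi-line records (the "Wrote mapping" entries). As an added example, not part of any post or of LXC itself, this Python script parses that layout and lists the WARN-and-above records with their errno text; the errno-prefix regex is a heuristic assumption, and the sample lines are copied from the log above.

```python
import re

# Record header as seen in the lxc-start logs in this thread:
# <prog> <container> <YYYYmmddHHMMSS.mmm> <LEVEL> <subsys> - <file>:<func>:<line> - <message>
RECORD = re.compile(
    r"^(?P<prog>\S+) (?P<name>\S+) (?P<ts>\d{14}\.\d{3}) (?P<level>[A-Z]+)\s+"
    r"(?P<subsys>\S+) - (?P<file>[^:\s]+):(?P<func>[^:\s]+):(?P<line>\d+) - (?P<msg>.*)$"
)
# Assumption (heuristic): an errno prefix is plain words followed by " - ".
ERRNO_PREFIX = re.compile(r"^(?P<err>[A-Z][A-Za-z /]+) - (?P<detail>.+)$", re.S)
SEVERE = {"WARN", "ERROR", "CRIT", "ALERT", "FATAL"}

def parse_log(text):
    """Parse records; a line without a header continues the previous message."""
    records = []
    for raw in text.splitlines():
        m = RECORD.match(raw)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] += "\n" + raw
    for rec in records:
        m = ERRNO_PREFIX.match(rec["msg"])
        rec["errno"] = m["err"] if m else None
        rec["detail"] = m["detail"] if m else rec["msg"]
    return records

def triage(records):
    """Return WARN-and-above records in log order as (level, func, errno, detail)."""
    return [(r["level"], r["func"], r["errno"], r["detail"])
            for r in records if r["level"] in SEVERE]

# Sample input: lines copied from the log above, including one three-line record.
SAMPLE = '''\
lxc-start asd 20210915214303.435 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:868 - Received container state "ABORTING" instead of "RUNNING"
lxc-start asd 20210915214303.439 ERROR start - start.c:__lxc_start:2073 - Failed to spawn container "asd"
lxc-start asd 20210915214303.440 WARN start - start.c:lxc_abort:1022 - No such process - Failed to send SIGKILL to 79770
lxc-start asd 20210915214303.440 TRACE process_utils - process_utils.c:lxc_raw_clone:110 - Function not implemented - Falling back to legacy clone
lxc-start asd 20210915214303.441 TRACE conf - conf.c:userns_exec_1:4429 - Establishing uid mapping for "79773" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start asd 20210915214303.442 TRACE conf - conf.c:lxc_map_ids:3093 - Wrote mapping "65536 0 1
0 1000000 65536
"
lxc-start asd 20210915214303.443 TRACE conf - conf.c:run_userns_fn:4208 - Calling function "cgroup_tree_remove_wrapper"
'''

if __name__ == "__main__":
    for level, func, err, detail in triage(parse_log(SAMPLE)):
        print(f"{level:5} {func}: {detail}" + (f" [{err}]" if err else ""))
```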
Which kernel are you on?
@brauner The kernel is 4.14
Can you run lxc-checkconfig, please and paste the output here?
lxc-checkconfig:
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
newuidmap is not installed
newgidmap is not installed
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/pids
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/debug
/sys/fs/cgroup/blkio
/sys/fs/cgroup/devices
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/freezer
/sys/fs/cgroup/memory
/sys/fs/cgroup/cpuset
Cgroup v2 mount points:
/sys/fs/cgroup/unified
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: missing
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
P.S. Instead of using newuidmap and newgidmap, id mappings were set manually by appending /etc/sub{uid, gid}.
Hm, is it possible for you to compile LXC master and check whether the same error happens?
The error you’re seeing indicates that procfs is already mounted and we’re misdetecting this case.
Can you also paste your config please?
I’ve just tried another few versions of LXC:
LXC 4.0.10 had the same issue with mounting proc (unprivileged container) as LXC 4.0.9, and privileged containers work the same as on LXC 4.0.9.
When I compiled source from master branch, neither privileged nor unprivileged containers worked. Unprivileged had the same issue - could not mount proc as it was busy.
Privileged container failed with these errors:
lxc-start asd 20210924065328.239 ERROR utils - utils.c:lxc_can_use_pidfd:1774 - Kernel does not support pidfds
lxc-start asd 20210924065328.246 ERROR utils - utils.c:__safe_mount_beneath_at:1102 - Function not implemented - Failed to open 45(proc)
lxc-start asd 20210924065328.246 ERROR conf - conf.c:lxc_setup:4376 - Failed to finish devpts setup
lxc-start asd 20210924065328.246 ERROR start - start.c:do_start:1274 - Failed to setup container "asd"
lxc-start asd 20210924065328.247 ERROR sync - sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
lxc-start asd 20210924065328.248 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:867 - Received container state "ABORTING" instead of "RUNNING"
lxc-start asd 20210924065328.249 ERROR start - start.c:__lxc_start:2035 - Failed to spawn container "asd"
Another issue that I had with LXC from master is that it could not parse lxc.apparmor.profile = unconfined
The config used:
# Container specific configuration
lxc.rootfs.path = dir:/home/user/asd/rootfs
lxc.uts.name = asd
# Logging
lxc.log.file = /home/user/asd/logfile
lxc.log.level = 0
# Apparmor config
lxc.apparmor.profile = unconfined
# Unprivileged
lxc.idmap = u 0 1000000 65536
lxc.idmap = g 0 1000000 65536
# Network configuration
#lxc.net.0.type = veth
#lxc.net.0.link = lxcbr0
#lxc.net.0.flags = up
#lxc.net.0.hwaddr = 00:16:3e:9b:4d:e2