[Pkg-libvirt-maintainers] Bug#766390: libvirt0: fails unprivileged lxc domain with /proc/sys re-mount error

Adrian Davey adrian at beth2.org
Wed Oct 22 18:42:04 UTC 2014


Package: libvirt0
Version: 1.2.9-3
Severity: normal

Dear Maintainer,

Launching a libvirt_lxc domain with <idmap> enabled using virsh fails:

virsh # start testvm
error: Failed to start domain testvm
error: internal error: guest failed to start: Failed to re-mount /proc/sys on /proc/sys flags=1021: Operation not permitted

virsh # dumpxml testvm
<domain type='lxc'>
  <name>testvm</name>
  <uuid>efdb0924-d538-461e-98c4-b46eabd7ec13</uuid>
  <memory unit='KiB'>262144</memory>
  <currentMemory unit='KiB'>262144</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/bash</init>
  </os>
  <idmap>
    <uid start='0' target='10000' count='1000'/>
    <gid start='0' target='10000' count='1000'/>
  </idmap>
  <features>
    <privnet/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/opt/vm/containers/testvm'/>
      <target dir='/'/>
    </filesystem>
    <interface type='network'>
      <mac address='00:16:3e:03:90:ee'/>
      <source network='default'/>
      <guest dev='eth0' actual='vnet1'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

This is a systemd-controlled system, with systemd responsible for /proc.

I have these additional settings, as recommended for normal LXC operation:

echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
echo 1 > /proc/sys/kernel/unprivileged_userns_clone

/etc/sub{u/g}id:

systemd-timesync:100000:65536
systemd-network:165536:65536
systemd-resolve:231072:65536
systemd-bus-proxy:296608:65536
mylxcuser:10000:10001


The same error happens if mapping id 0 == 0 or 0 == 10000.

mount | grep proc
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)

Without idmap enabled the domain starts a Debian sid amd64 container perfectly.

Regards,

Adrian

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libvirt0 depends on:
ii  libapparmor1        2.9.0-1
ii  libaudit1           1:2.4-1
ii  libavahi-client3    0.6.31-4
ii  libavahi-common3    0.6.31-4
ii  libc6               2.19-11
ii  libcap-ng0          0.7.4-2
ii  libdbus-1-3         1.8.8-2
ii  libdevmapper1.02.1  2:1.02.90-2
ii  libgnutls-deb0-28   3.3.8-3
ii  libnl-3-200         3.2.24-2
ii  libnl-route-3-200   3.2.24-2
ii  libnuma1            2.0.10~rc2-3
ii  libsasl2-2          2.1.26.dfsg1-12
ii  libselinux1         2.3-2
ii  libssh2-1           1.4.3-4
ii  libsystemd0         215-5+b1
ii  libxml2             2.9.1+dfsg1-4
ii  libyajl2            2.1.0-2

Versions of packages libvirt0 recommends:
pn  lvm2  <none>

libvirt0 suggests no packages.

-- no debconf information
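Added example for reading the failure above; it is not code from the bug report or from libvirt. It decodes the flags=1021 word in the error message and computes the read-only remount flags that carry forward the nosuid, nodev and noexec options the mount output shows, on the assumption (true of the 3.16 kernel in the report) that a mount seen from inside a user namespace has those options locked, so a remount that would drop them is refused with EPERM. All function names are the example's own.

```c
/* Added example, not code from the report or from libvirt: decode the mount(2)
 * flag word in the error ("flags=1021") and build read-only remount flags that
 * keep the existing nosuid/nodev/noexec options.  Assumption: a 3.16 kernel locks
 * those options on mounts seen from a user namespace and refuses with EPERM. */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Parse an option list as mount(8) prints it, e.g. "(rw,nosuid,nodev,noexec,
 * relatime)", and return the MS_* bits a user namespace may not clear. */
unsigned long locked_flags_from_opts(const char *opts)
{
    unsigned long flags = 0;
    char buf[256], *tok;
    snprintf(buf, sizeof buf, "%s", opts);
    for (tok = strtok(buf, "(,) "); tok; tok = strtok(NULL, "(,) ")) {
        if (!strcmp(tok, "nosuid")) flags |= MS_NOSUID;
        else if (!strcmp(tok, "nodev")) flags |= MS_NODEV;
        else if (!strcmp(tok, "noexec")) flags |= MS_NOEXEC;
        else if (!strcmp(tok, "ro")) flags |= MS_RDONLY;
    }
    return flags;
}

/* The flag word from the error: a read-only bind remount that says nothing
 * about nosuid/nodev/noexec, which the kernel treats as clearing them.
 * 0x1000 (MS_BIND) | 0x20 (MS_REMOUNT) | 0x1 (MS_RDONLY) == 0x1021. */
unsigned long naive_ro_remount_flags(void) { return MS_BIND | MS_REMOUNT | MS_RDONLY; }

/* Same remount with the locked options carried forward, so an idmap container
 * can make /proc/sys read-only without tripping the EPERM check. */
unsigned long safe_ro_remount_flags(const char *mount_opts)
{
    return naive_ro_remount_flags() | locked_flags_from_opts(mount_opts);
}

/* Write the names of the set MS_* bits into out; returns how many were named. */
int describe_flags(unsigned long flags, char *out, size_t n)
{
    static const struct { unsigned long f; const char *s; } names[] = {
        { MS_RDONLY, "MS_RDONLY" }, { MS_NOSUID, "MS_NOSUID" }, { MS_NODEV, "MS_NODEV" },
        { MS_NOEXEC, "MS_NOEXEC" }, { MS_REMOUNT, "MS_REMOUNT" }, { MS_BIND, "MS_BIND" },
    };
    int count = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(flags & names[i].f)) continue;
        snprintf(out + strlen(out), n - strlen(out), "%s%s", count++ ? "|" : "", names[i].s);
    }
    return count;
}
```

Feeding the report's own `mount | grep proc` line to safe_ro_remount_flags() yields 0x102f, the flag word that preserves the locked options.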
