[Pkg-libvirt-maintainers] Bug#766390: Bug#766390: libvirt0: fails unprivileged lxc domain with /proc/sys re-mount error

Adrian Davey adrian at beth2.org
Thu Oct 23 19:34:50 UTC 2014 

On 23/10/2014 13:03, Guido Günther wrote:
> On Wed, Oct 22, 2014 at 07:42:04PM +0100, Adrian Davey wrote:
>> Package: libvirt0
>> Version: 1.2.9-3
>> Severity: normal
>> 
>> Dear Maintainer,
>> 
>> Launching a libvirt_lxc domain with <idmap> enabled using virsh fails:
>> 
>> virsh # start testvm
>> error: Failed to start domain testvm
>> error: internal error: guest failed to start: Failed to re-mount
>> /proc/sys on /proc/sys flags=1021: Operation not permitted
> 
> I tried to reproduce and used the attached config, did a
> 
>  sudo  ./uidmapshift -b /my/lxc/containers/lxc-test2 0 100000 1000
> 
> (from nsexec, currently not packaged in Debian) and could happily
> start the container. The bash process also shows the uid mapping. Note
> that I did not set:
> 
>    echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> 
> since my kernel doesn't have it. Can you check if this works for you 
> too?
> Cheers,
>  -- Guido

I tried without the unprivileged_userns_clone before doing the change as 
by default the debian linux kernel doesn't set it

I have just tried again without it set, exactly the same issue.

I have tried a debootstrap installation then using uidmapshift, same 
result.
I have tried an LXC download template for sid/amd64 that does the id 
shift, same result. (echo 1 > 
/proc/sys/kernel/unprivileged_userns_clone, is required to make sure the 
download template operation finishes)

If it works for you then there must be something different between our 
setups, I guess it's a case of trying to identify what is different 
easily.

Which kernel are you using ? Do you have anything in libvirt conf that 
is not the default that could be related ? Do normal LXC unprivileged 
domains work for you? I find that LXC doesn't work either as cgroups 
have issues as described in [1] and then /dev/.lxc/ errors [2].  These 
rootfs live on btrfs filesystem with default mount options.
I was hoping systemd with libvirt would sort out my original cgroups 
issue and just work to compliment my qemu side of libvirt.

Cheers,

Adrian

[1] 
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-September/007776.html
[2] 
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-September/007860.html

More information about the Pkg-libvirt-maintainers mailing list