[pkg-lxc-devel] Bug#880502: lxc: cannot start container with kernel 4.13.10

Antonio Terceiro terceiro at debian.org
Wed Nov 1 14:00:12 UTC 2017


Control: retitle -1 lxc: cannot start container with kernel 4.13.10

On Wed, Nov 01, 2017 at 11:32:31AM -0200, Antonio Terceiro wrote:
> Package: lxc
> Version: 1:2.0.9-3
> Severity: serious
> 
> I'm filing this in lxc initially as I don't know exactly where the issue
> is yet. We will probably want to reassign it.
> 
> Something other than lxc itself changed recently in unstable which makes
> lxc not able to start a Debian container:
> 
> # lxc-start -n autopkgtest-sid-amd64
> lxc-start: lxccontainer.c: wait_on_daemonized_start: 754 Received container state "ABORTING" instead of "RUNNING"
> lxc-start: tools/lxc_start.c: main: 368 The container failed to start.
> lxc-start: tools/lxc_start.c: main: 370 To get more details, run the container in foreground mode.
> lxc-start: tools/lxc_start.c: main: 372 Additional information can be obtained by setting the --logfile and --logpriority options.
> # cat /var/lib/lxc/autopkgtest-sid-amd64/autopkgtest-sid-amd64.log
>       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start this container, set
>       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
>       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:222 - in your container configuration file
>       lxc-start 20171101123914.655 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
>       lxc-start 20171101123914.701 ERROR    lxc_container - lxccontainer.c:wait_on_daemonized_start:754 - Received container state "ABORTING" instead of "RUNNING"
>       lxc-start 20171101123914.701 ERROR    lxc_start - start.c:__lxc_start:1530 - Failed to spawn container "autopkgtest-sid-amd64".
>       lxc-start 20171101123914.701 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - The container failed to start.
>       lxc-start 20171101123914.701 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - To get more details, run the container in foreground mode.
>       lxc-start 20171101123914.701 ERROR    lxc_start_ui - tools/lxc_start.c:main:372 - Additional information can be obtained by setting the --logfile and --logpriority options.
>       lxc-start 20171101132533.307 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start this container, set
>       lxc-start 20171101132533.307 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
>       lxc-start 20171101132533.307 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:222 - in your container configuration file
>       lxc-start 20171101132533.307 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
>       lxc-start 20171101132533.373 ERROR    lxc_container - lxccontainer.c:wait_on_daemonized_start:754 - Received container state "ABORTING" instead of "RUNNING"
>       lxc-start 20171101132533.374 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - The container failed to start.
>       lxc-start 20171101132533.374 ERROR    lxc_start - start.c:__lxc_start:1530 - Failed to spawn container "autopkgtest-sid-amd64".
>       lxc-start 20171101132533.374 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - To get more details, run the container in foreground mode.
>       lxc-start 20171101132533.374 ERROR    lxc_start_ui - tools/lxc_start.c:main:372 - Additional information can be obtained by setting the --logfile and --logpriority options.
> 
> 
> This is not happening on testing yet. When I upgrade a testing VM to
> unstable, I can still start the container before a reboot. After a
> reboot, I cannot start a container anymore. Maybe it's related to some
> kernel change?
> 
> I'm copying debian-kernel in case someone there can provide some insight.

So, I tried downgrading the kernel to the one in testing, rebooted, and
now I can start containers again. So this is being caused by a change in
the kernel between 4.13.4-2 and 4.13.10-1.

I still need to study the lxc code path that is being triggered to be
able to provide more useful information. Since the issue is definitively
related to apparmor, I am also copying the apparmor team in case they
have any input to provide.