[pkg-lxc-devel] Bug#934387: lxc: privileged LXC container do not start

Diego Torres diego.torres at gmail.com
Mon Aug 26 23:03:58 BST 2019


> Yes, now update to the version claiming to fix the issue, that is
> 1:3.1.0+really3.0.4-2. If you then still see a similar or the same issue,
> might you post your debug log output, which might help in further
> investigating the issue.

I have updated liblxc1 with containers running. Containers were stopped,
and it was not possible to start them again, but this time the error
message changed.

As a proof of concept I have created a new container as Salvatore did:

# lxc-create -n test-container -t debian -- -r sid
[...]
# lxc-start -n test-container --logfile=/tmp/test-container.log -l DEBUG
lxc-start: test-container: lxccontainer.c: wait_on_daemonized_start: 850 Received container state "ABORTING" instead of "RUNNING"
lxc-start: test-container: tools/lxc_start.c: main: 329 The container failed to start
lxc-start: test-container: tools/lxc_start.c: main: 332 To get more details, run the container in foreground mode
lxc-start: test-container: tools/lxc_start.c: main: 334 Additional information can be obtained by setting the --logfile and --logpriority options

# cat /tmp/test-container.log
lxc-start test-container 20190826214714.591 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:971 - Set process title to [lxc monitor] /var/lib/lxc test-container
lxc-start test-container 20190826214714.592 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]"
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start test-container 20190826214714.592 INFO     seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context
lxc-start test-container 20190826214714.593 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:676 - No such device - The process does not have a controlling terminal
lxc-start test-container 20190826214714.593 INFO     start - start.c:lxc_init:926 - Container "test-container" is initialized
lxc-start test-container 20190826214714.594 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1401 - The monitor process uses "lxc.monitor/test-container" as cgroup
lxc-start test-container 20190826214714.601 INFO     network - network.c:instantiate_veth:148 - Retrieved mtu 1500 from br0
lxc-start test-container 20190826214714.602 INFO     network - network.c:instantiate_veth:176 - Attached "vethQ60O8Z" to bridge "br0"
lxc-start test-container 20190826214714.602 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "vethQ60O8Z/vethPWR03K", index is "19"
lxc-start test-container 20190826214714.603 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1466 - The container process uses "lxc.payload/test-container" as cgroup
lxc-start test-container 20190826214714.605 ERROR    start - start.c:proc_pidfd_open:1619 - Invalid argument - Failed to send signal through pidfd
lxc-start test-container 20190826214714.653 INFO     network - network.c:lxc_delete_network_priv:2723 - Removed interface "(null)" with index 19
lxc-start test-container 20190826214714.662 WARN     network - network.c:lxc_delete_network_priv:2742 - Failed to remove interface "vethQ60O8Z" from "br0"
lxc-start test-container 20190826214714.662 DEBUG    network - network.c:lxc_delete_network:3308 - Deleted network devices
lxc-start test-container 20190826214714.662 DEBUG    lxccontainer - lxccontainer.c:wait_on_daemonized_start:839 - First child 15800 exited
lxc-start test-container 20190826214714.662 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:850 - Received container state "ABORTING" instead of "RUNNING"
lxc-start test-container 20190826214714.662 ERROR    lxc_start - tools/lxc_start.c:main:329 - The container failed to start
lxc-start test-container 20190826214714.662 ERROR    lxc_start - tools/lxc_start.c:main:332 - To get more details, run the container in foreground mode
lxc-start test-container 20190826214714.662 ERROR    lxc_start - tools/lxc_start.c:main:334 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start test-container 20190826214714.681 ERROR    start - start.c:__lxc_start:2031 - Failed to spawn container "test-container"
lxc-start test-container 20190826214714.685 INFO     conf - conf.c:run_script_argv:371 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "test-container", config section "lxc"

Package: liblxc1
Version: 1:3.1.0+really3.0.4-2
Package: lxc
Version: 1:3.1.0+really3.0.4-2


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.1.21-050121-generic (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages liblxc1 depends on:
ii  libc6        2.28-10
ii  libcap2      1:2.25-2
ii  libgcc1      1:9.2.1-1
ii  libseccomp2  2.4.1-2
ii  libselinux1  2.9-2+b2
ii  systemd      242-4

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]  1.5.73
ii  libc6                  2.28-10
ii  libgcc1                1:9.2.1-1
ii  liblxc1                1:3.1.0+really3.0.4-2
ii  lsb-base               11.1.0

Versions of packages lxc recommends:
ii  apparmor                     2.13.3-4
ii  bridge-utils                 1.6-2
ii  debootstrap                  1.0.115
ii  dirmngr                      2.2.17-3
ii  dnsmasq-base [dnsmasq-base]  2.80-1+b1
ii  gnupg                        2.2.17-3
ii  iproute2                     5.2.0-1
ii  iptables                     1.8.3-2
ii  libpam-cgfs                  1:3.1.0+really3.0.4-2
ii  lxc-templates                3.0.3-1
ii  lxcfs                        3.0.4-2
ii  nftables                     0.9.1-3
ii  openssl                      1.1.1c-1
ii  rsync                        3.1.3-6+b1
ii  uidmap                       1:4.7-2

Versions of packages lxc suggests:
ii  btrfs-progs  5.2.1-1
ii  lvm2         2.03.02-3
ii  python3-lxc  1:3.0.4-1

liblxc1 recommends no packages.
liblxc1 suggests no packages.


Going back to liblxc1=1:3.1.0+really3.0.3-8 fixes the problem.

Regards,