[pkg-lxc-devel] Bug#1129002: lxc: ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only bind mounts can currently be idmapped
Yves-Alexis Perez
corsac at debian.org
Wed Feb 25 17:20:01 GMT 2026
Package: lxc
Version: 1:6.0.5-2
Severity: important
Hi,
I'm reporting the issue against sid, but I first experienced the issue in
trixie.
I have a bunch of LXC containers which I'm currently converting to
unprivileged ones using the idmap options.
I need to have some bind mounts inside the container, and I tried to
use the idmap=container option on those entries.
When adding this option, the container fails to start and the log
(attached) shows the following lines:
lxc-start test 20260225171244.630 ERROR conf - ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only bind mounts can currently be idmapped
lxc-start test 20260225171244.630 ERROR conf - ../src/lxc/conf.c:lxc_idmapped_mounts_child:2888 - Invalid argument - Failed to setup idmapped mount entries
lxc-start test 20260225171244.630 ERROR conf - ../src/lxc/conf.c:lxc_setup:3916 - Invalid argument - Failed to attached detached idmapped mounts
lxc-start test 20260225171244.630 ERROR start - ../src/lxc/start.c:do_start:1273 - Failed to setup container "test"
This error looks spurious because the relevant line from the (attached)
configuration is:
lxc.mount.entry = /var/log/ var/log/ bind bind,rw,nosuid,nodev,noexec,idmap=container
Looking at the source code
(https://sources.debian.org/src/lxc/1%3A6.0.5-2/src/lxc/conf.c#L2704) it
should only happen when the `mnttype` is none, which I don't think
is/should be the case here (the line explicitly sets it to 'bind').
Either I'm doing something wrong (what?) or it looks like a bug here.
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: forky/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.18.12+deb14-amd64 (SMP w/14 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lxc depends on:
ii debconf [debconf-2.0] 1.5.92
ii dnsmasq-base [dnsmasq-base] 2.92-2
ii iproute2 6.19.0-1
ii iptables 1.8.12-1
ii libapparmor1 4.1.6-2
ii libc6 2.42-13
ii libcap2 1:2.75-10+b5
ii libdbus-1-3 1.16.2-4
ii libgcc-s1 15.2.0-14
ii liblxc-common 1:6.0.5-2
ii liblxc1t64 1:6.0.5-2
ii libseccomp2 2.6.0-2+b1
ii libselinux1 3.9-4+b1
ii nftables 1.1.6-1
Versions of packages lxc recommends:
ii apparmor 4.1.6-2
ii debootstrap 1.0.142
ii dirmngr 2.4.8-5
pn distrobuilder <none>
ii gnupg 2.4.8-5
pn libpam-cgfs <none>
pn lxcfs <none>
ii openssl 3.5.5-1
ii rsync 3.4.1+ds1-7
ii uidmap 1:4.19.3-1
ii wget 1.25.0-2
Versions of packages lxc suggests:
pn btrfs-progs <none>
pn criu <none>
ii lvm2 2.03.31-2+b1
pn python3-lxc <none>
-- debconf information:
lxc/auto_update_config:
-------------- next part --------------
lxc.uts.name = test
lxc.autodev = 1
lxc.mount.auto = proc:mixed
lxc.mount.auto = sys:mixed
lxc.mount.auto = cgroup:mixed
# Unprivileged
lxc.idmap = u 0 1600000 65535
lxc.idmap = g 0 1600000 65536
# fstab
lxc.rootfs.path = /srv/rootfs
lxc.rootfs.options=idmap=container
lxc.mount.entry = /var/log/ var/log/ bind bind,rw,nosuid,nodev,noexec,idmap=container
-------------- next part --------------
lxc-start test 20260225171244.599 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 0 hostid 1600000 range 65535
lxc-start test 20260225171244.599 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 0 hostid 1600000 range 65536
lxc-start test 20260225171244.599 INFO lxccontainer - ../src/lxc/lxccontainer.c:do_lxcapi_start:954 - Set process title to [lxc monitor] /var/lib/lxc test
lxc-start test 20260225171244.600 DEBUG lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:813 - First child 112151 exited
lxc-start test 20260225171244.600 INFO lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
lxc-start test 20260225171244.600 INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1508 - Running privileged, not using a systemd unit
lxc-start test 20260225171244.600 INFO start - ../src/lxc/start.c:lxc_init:882 - Container "test" is initialized
lxc-start test 20260225171244.600 INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1682 - The monitor process uses "lxc.monitor.test" as cgroup
lxc-start test 20260225171244.621 DEBUG storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.621 DEBUG storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.622 INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1790 - The container process uses "lxc.payload.test" as inner and "lxc.payload.test" as limit cgroup
lxc-start test 20260225171244.622 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUSER
lxc-start test 20260225171244.622 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWNS
lxc-start test 20260225171244.622 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWPID
lxc-start test 20260225171244.622 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUTS
lxc-start test 20260225171244.622 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWIPC
lxc-start test 20260225171244.622 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWCGROUP
lxc-start test 20260225171244.622 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved user namespace via fd 20 and stashed path as user:/proc/112152/fd/20
lxc-start test 20260225171244.622 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved mnt namespace via fd 21 and stashed path as mnt:/proc/112152/fd/21
lxc-start test 20260225171244.622 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved pid namespace via fd 22 and stashed path as pid:/proc/112152/fd/22
lxc-start test 20260225171244.622 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved uts namespace via fd 23 and stashed path as uts:/proc/112152/fd/23
lxc-start test 20260225171244.622 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved ipc namespace via fd 24 and stashed path as ipc:/proc/112152/fd/24
lxc-start test 20260225171244.622 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved cgroup namespace via fd 25 and stashed path as cgroup:/proc/112152/fd/25
lxc-start test 20260225171244.622 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260225171244.622 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260225171244.622 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start test 20260225171244.627 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260225171244.627 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260225171244.627 INFO idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:176 - Caller maps host root. Writing mapping directly
lxc-start test 20260225171244.627 NOTICE utils - ../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260225171244.628 INFO start - ../src/lxc/start.c:do_start:1105 - Unshared CLONE_NEWNET
lxc-start test 20260225171244.628 NOTICE utils - ../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260225171244.628 NOTICE utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1457 - Switched to gid 0
lxc-start test 20260225171244.628 NOTICE utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1466 - Switched to uid 0
lxc-start test 20260225171244.629 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved net namespace via fd 7 and stashed path as net:/proc/112152/fd/7
lxc-start test 20260225171244.629 DEBUG storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.629 DEBUG conf - ../src/lxc/conf.c:lxc_mount_rootfs:1223 - Mounted rootfs "/srv/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs" with options "idmap=container"
lxc-start test 20260225171244.629 INFO conf - ../src/lxc/conf.c:setup_utsname:671 - Set hostname to "cloud"
lxc-start test 20260225171244.629 INFO conf - ../src/lxc/conf.c:mount_autodev:1006 - Preparing "/dev"
lxc-start test 20260225171244.629 INFO conf - ../src/lxc/conf.c:mount_autodev:1067 - Prepared "/dev"
lxc-start test 20260225171244.629 DEBUG conf - ../src/lxc/conf.c:lxc_mount_auto_mounts:531 - Invalid argument - Tried to ensure procfs is unmounted
lxc-start test 20260225171244.629 DEBUG conf - ../src/lxc/conf.c:lxc_mount_auto_mounts:554 - Invalid argument - Tried to ensure sysfs is unmounted
lxc-start test 20260225171244.630 ERROR conf - ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only bind mounts can currently be idmapped
lxc-start test 20260225171244.630 ERROR conf - ../src/lxc/conf.c:lxc_idmapped_mounts_child:2888 - Invalid argument - Failed to setup idmapped mount entries
lxc-start test 20260225171244.630 ERROR conf - ../src/lxc/conf.c:lxc_setup:3916 - Invalid argument - Failed to attached detached idmapped mounts
lxc-start test 20260225171244.630 ERROR start - ../src/lxc/start.c:do_start:1273 - Failed to setup container "test"
lxc-start test 20260225171244.630 ERROR sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
lxc-start test 20260225171244.630 DEBUG network - ../src/lxc/network.c:lxc_delete_network:4221 - Deleted network devices
lxc-start test 20260225171244.630 ERROR lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:832 - Received container state "ABORTING" instead of "RUNNING"
lxc-start test 20260225171244.630 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:307 - The container failed to start
lxc-start test 20260225171244.630 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:310 - To get more details, run the container in foreground mode
lxc-start test 20260225171244.630 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:312 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start test 20260225171244.630 ERROR start - ../src/lxc/start.c:__lxc_start:2119 - Failed to spawn container "test"
lxc-start test 20260225171244.630 WARN start - ../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL via pidfd 19 for process 112153
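As an added check (a constructed example, not part of this report or of LXC's own code), the following Python linter encodes the rule the error message states: an lxc.mount.entry that requests idmap= must be a bind mount. It parses the fstab-style entry format used in the configuration above and flags entries that break the rule; it does not reproduce conf.c's actual decision path, so an entry that passes this lint can still be rejected by LXC, which is exactly what this report describes.

```python
import re
from dataclasses import dataclass

# Constructed preflight lint, not LXC's code: it encodes only the rule the error
# message states ("Only bind mounts can currently be idmapped"), not conf.c's logic.
@dataclass
class MountEntry:
    source: str
    target: str
    fstype: str
    options: tuple

    @property
    def is_bind(self) -> bool:
        return self.fstype in ("bind", "rbind") or bool({"bind", "rbind"} & set(self.options))

    @property
    def idmap(self):
        # Value of the idmap= option, or None when the entry does not request one.
        for opt in self.options:
            if opt.startswith("idmap="):
                return opt.split("=", 1)[1]
        return None

def parse_mount_entry(value: str) -> MountEntry:
    # lxc.mount.entry uses fstab layout: source target fstype options [dump pass]
    fields = value.split()
    if len(fields) < 4:
        raise ValueError(f"malformed mount entry: {value!r}")
    return MountEntry(fields[0], fields[1], fields[2], tuple(fields[3].split(",")))

def lint_config(text: str) -> list:
    """One finding per lxc.mount.entry that requests idmap= on a non-bind mount."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*lxc\.mount\.entry\s*=\s*(.+?)\s*$", raw)
        if not m:
            continue  # comments, lxc.idmap, rootfs options and blank lines are skipped
        entry = parse_mount_entry(m.group(1))
        if entry.idmap is not None and not entry.is_bind:
            findings.append(f"line {lineno}: idmap={entry.idmap} on non-bind mount type {entry.fstype!r}")
    return findings

# Constructed sample: the reporter's entry (passes) beside a tmpfs entry requesting idmap (flagged).
SAMPLE_CONFIG = """\
lxc.idmap = u 0 1600000 65535
lxc.mount.entry = /var/log/ var/log/ bind bind,rw,nosuid,nodev,noexec,idmap=container
lxc.mount.entry = tmpfs run tmpfs rw,nosuid,idmap=container
"""
FINDINGS = lint_config(SAMPLE_CONFIG)  # -> ["line 3: idmap=container on non-bind mount type 'tmpfs'"]
```

Run against a full container config before lxc-start to catch idmap= on non-bind entries early; a clean result only rules out this one class of misconfiguration.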