#1 2017-05-13 19:40:31

fuzzy2
Member
Registered: 2016-04-16
Posts: 7

[SOLVED] LXC 2.0.8 not starting privileged containers

Hi, I just upgraded my system and in the process got version "1:2.0.8-1" of LXC. Using this version, I can no longer start any LXC containers. All my containers are privileged and do not have any id_map options in their configuration files. The log reads as follows:

      lxc-start 20170513185321.579 INFO     lxc_start_ui - tools/lxc_start.c:main:275 - using rcfile /var/lib/lxc/bubbleupnp/config
      lxc-start 20170513185321.580 WARN     lxc_confile - confile.c:config_pivotdir:1916 - lxc.pivotdir is ignored.  It will soon become an error.
      lxc-start 20170513185321.581 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:330 - Going to wait for pid 6312.
      lxc-start 20170513185321.581 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:349 - Trying to sync with child process.
      lxc-start 20170513185321.581 INFO     lxc_start - start.c:lxc_check_inherited:235 - Closed inherited fd: 4.
      lxc-start 20170513185321.581 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:387 - Using pipe file descriptor 5 for monitord.
      lxc-start 20170513185321.585 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:364 - Successfully synced with child process.
      lxc-start 20170513185321.585 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:333 - Finished waiting on pid 6312.
      lxc-start 20170513185321.585 INFO     lxc_container - lxccontainer.c:do_lxcapi_start:802 - Attempting to set proc title to [lxc monitor] /var/lib/lxc bubbleupnp
      lxc-start 20170513185321.585 INFO     lxc_utils - utils.c:setproctitle:1506 - setting cmdline failed - Invalid argument
      lxc-start 20170513185321.586 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:330 - Going to wait for pid 6316.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:418 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:590 - Adding native rule for reject_force_umount action 0.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:259 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:593 - Adding compat rule for reject_force_umount action 0.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:259 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:259 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:418 - processing: .[all].
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:418 - processing: .kexec_load errno 1.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:590 - Adding native rule for kexec_load action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:593 - Adding compat rule for kexec_load action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:418 - processing: .open_by_handle_at errno 1.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:590 - Adding native rule for open_by_handle_at action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:593 - Adding compat rule for open_by_handle_at action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:418 - processing: .init_module errno 1.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:590 - Adding native rule for init_module action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:593 - Adding compat rule for init_module action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:418 - processing: .finit_module errno 1.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:590 - Adding native rule for finit_module action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:593 - Adding compat rule for finit_module action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:418 - processing: .delete_module errno 1.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:590 - Adding native rule for delete_module action 327681.
      lxc-start 20170513185321.586 INFO     lxc_seccomp - seccomp.c:parse_config_v2:593 - Adding compat rule for delete_module action 327681.
      lxc-start 20170513185321.587 INFO     lxc_seccomp - seccomp.c:parse_config_v2:603 - Merging in the compat Seccomp ctx into the main one.
      lxc-start 20170513185321.587 DEBUG    lxc_start - start.c:setup_signal_fd:273 - Set SIGCHLD handler with file descriptor: 5.
      lxc-start 20170513185321.587 DEBUG    console - console.c:lxc_console_peer_default:438 - process does not have a controlling terminal
      lxc-start 20170513185321.587 INFO     lxc_start - start.c:lxc_init:475 - Container "bubbleupnp" is initialized.
      lxc-start 20170513185321.588 DEBUG    lxc_start - start.c:__lxc_start:1325 - Not dropping CAP_SYS_BOOT or watching utmp.
      lxc-start 20170513185321.588 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:349 - Trying to sync with child process.
      lxc-start 20170513185321.588 INFO     lxc_start - start.c:lxc_check_inherited:235 - Closed inherited fd: 4.
      lxc-start 20170513185321.588 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:387 - Using pipe file descriptor 5 for monitord.
      lxc-start 20170513185321.590 INFO     lxc_conf - conf.c:instantiate_veth:2706 - Retrieved mtu 1500 from br0
      lxc-start 20170513185321.591 INFO     lxc_conf - conf.c:instantiate_veth:2731 - Attached 'veth2VQ2FO': to the bridge 'br0':
      lxc-start 20170513185321.591 DEBUG    lxc_conf - conf.c:instantiate_veth:2748 - instantiated veth 'veth2VQ2FO/vethD16026', index is '14'
      lxc-start 20170513185321.591 INFO     lxc_cgroup - cgroups/cgroup.c:cgroup_init:68 - cgroup driver cgroupfs-ng initing for bubbleupnp
      lxc-start 20170513185321.591 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:filter_and_set_cpus:480 - No isolated cpus detected.
      lxc-start 20170513185321.591 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:handle_cpuset_hierarchy:650 - "cgroup.clone_children" was already set to "1".
      lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWNS.
      lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWPID.
      lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWUTS.
      lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWIPC.
      lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWNET.
      lxc-start 20170513185321.593 DEBUG    lxc_conf - conf.c:lxc_map_ids:3377 - Either one or both of the newuidmap and newgidmap binaries do not exist or are missing necessary privilege.
      lxc-start 20170513185321.593 ERROR    lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
      lxc-start 20170513185321.599 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:364 - Successfully synced with child process.
      lxc-start 20170513185321.600 DEBUG    lxc_monitor - monitor.c:lxc_monitord_spawn:333 - Finished waiting on pid 6316.
      lxc-start 20170513185321.600 INFO     lxc_monitor - monitor.c:lxc_monitor_sock_name:201 - using monitor socket name "lxc/ad055575fe28ddd5//var/lib/lxc" (length of socket name 33 must be <= 105)
      lxc-start 20170513185321.600 DEBUG    lxc_monitor - monitor.c:lxc_monitor_open:225 - opening monitor socket lxc/ad055575fe28ddd5//var/lib/lxc with len 33
      lxc-start 20170513185321.631 INFO     lxc_conf - conf.c:lxc_delete_network:3074 - Removed interface "(null)" with index 14.
      lxc-start 20170513185321.633 WARN     lxc_conf - conf.c:lxc_delete_network:3095 - Failed to remove "veth2VQ2FO" from host: Invalid argument.
      lxc-start 20170513185321.633 ERROR    lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "bubbleupnp".
      lxc-start 20170513185321.658 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:177 - Command get_cgroup failed to receive response: Connection reset by peer.
      lxc-start 20170513185326.661 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
      lxc-start 20170513185326.661 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
      lxc-start 20170513185326.661 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

Again: No id_map anywhere. You may also note that it does not say "Cloned CLONE_NEWUSER" in the log.

When I downgrade to version "1:2.0.7-1", everything works as it should.

This container uses the default Arch Linux template, with the following container config:

# Template used to create this container: /usr/share/lxc/templates/lxc-archlinux
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)
lxc.network.type = veth
#lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = ba:b5:4e:b8:e3:c2
lxc.rootfs = /var/lib/lxc/bubbleupnp/rootfs
lxc.utsname = bubbleupnp
lxc.arch = x86_64
lxc.include = /usr/share/lxc/config/archlinux.common.conf
lxc.start.auto = 1
lxc.mount.entry = /var/cache/pacman/pkg var/cache/pacman/pkg none bind 0 0

How do I fix this? I can see that some additional checks landed in LXC's conf.c, but I'm unsure how to proceed.

Last edited by fuzzy2 (2017-05-13 19:45:29)

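The diagnostic step in this post is to read the lxc-start debug log for the combination "Failed to set up id mapping" without a preceding "Cloned CLONE_NEWUSER" line: lxc_spawn logs one "Cloned CLONE_NEW..." line per namespace it creates, so if no user namespace was cloned there is nothing for lxc_map_ids to map and the error is spurious for a privileged container. The script below is an added example, not code from the thread or from the LXC project; it automates that triage over a log file and separates the privileged-container case from a genuine unprivileged-container mapping problem, where CLONE_NEWUSER is present and /etc/subuid, /etc/subgid or the lxc.id_map lines would be the thing to check. The sample log it writes is a constructed excerpt of the log quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage an lxc-start debug log.
# Usage: . ./lxc_idmap_triage.sh; classify_lxc_start_log /path/to/lxc-start.log

# List the namespaces lxc_spawn reports having cloned, space separated and sorted.
cloned_namespaces() {
    grep -o 'Cloned CLONE_NEW[A-Z]*' "$1" | sed 's/^Cloned //' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print exactly one of:
#   no-idmap-failure           no id-mapping error in the log
#   other-spawn-failure        the container failed to spawn for another reason
#   idmap-failure-privileged   mapping attempted although no user namespace was
#                              cloned (the situation reported in this thread)
#   idmap-failure-unprivileged user namespace cloned, so the mapping really
#                              failed: check subuid/subgid ranges and lxc.id_map
classify_lxc_start_log() {
    log="$1"
    if ! grep -q 'Failed to set up id mapping' "$log"; then
        if grep -q 'Failed to spawn container' "$log"; then
            echo "other-spawn-failure"
        else
            echo "no-idmap-failure"
        fi
        return 0
    fi
    case " $(cloned_namespaces "$log") " in
        *" CLONE_NEWUSER "*) echo "idmap-failure-unprivileged" ;;
        *)                   echo "idmap-failure-privileged" ;;
    esac
}

# Constructed excerpt of the log quoted in the thread, written to the path
# given in $1 so the functions above can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWNS.
lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWPID.
lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWUTS.
lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWIPC.
lxc-start 20170513185321.593 INFO     lxc_start - start.c:lxc_spawn:1165 - Cloned CLONE_NEWNET.
lxc-start 20170513185321.593 DEBUG    lxc_conf - conf.c:lxc_map_ids:3377 - Either one or both of the newuidmap and newgidmap binaries do not exist or are missing necessary privilege.
lxc-start 20170513185321.593 ERROR    lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
lxc-start 20170513185321.633 ERROR    lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "bubbleupnp".
EOF
}
```

Run it against a log produced with `lxc-start -n NAME --logfile FILE --logpriority DEBUG`; the "idmap-failure-privileged" verdict is the one that points at the LXC bug rather than at the container's own configuration.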

#2 2017-05-13 19:45:16

fuzzy2
Member
Registered: 2016-04-16
Posts: 7

Re: [SOLVED] LXC 2.0.8 not starting privileged containers

Ah, never mind. Someone has already reported the issue: https://github.com/lxc/lxc/issues/1555

It is as I suspected: The call to lxc_map_ids was redundant without CLONE_NEWUSER.

The workaround as mentioned on that bug report:

This is a LXC bug but independent of that your distro should ship newuidmap and newgidmap either as setuid binaries or set necessary capabilities on them. So as a temporary workaround until we push that fix, please either do:

sudo chmod 04755 /usr/bin/newuidmap
sudo chmod 04755 /usr/bin/newgidmap

or

sudo setcap cap_setuid+ep /usr/bin/newuidmap
sudo setcap cap_setgid+ep /usr/bin/newgidmap

This should allow you to start your containers.

/edit:
Related update to the shadow package: https://github.com/shadow-maint/shadow/pull/43

shadow provides newuidmap and newgidmap. They would usually be setuid. As such, I’d recommend the first workaround – making them setuid.

Last edited by fuzzy2 (2017-05-13 19:54:17)

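Both workarounds quoted above give newuidmap and newgidmap the privilege they need to write /proc/PID/uid_map and gid_map, but they differ in scope: chmod 04755 makes each binary run as root, while setcap grants only cap_setuid or cap_setgid, which is the narrower of the two. The script below is an added example, not part of the thread or of the shadow or LXC projects; it reports which of the two states each helper is in, or that neither applies, so the fix can be verified before the next lxc-start attempt. It assumes the /usr/bin/newuidmap and /usr/bin/newgidmap paths used in the thread unless other paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): verify how the idmap helpers are privileged.
# Usage: . ./idmap_helper_check.sh; check_idmap_helpers [newuidmap-path] [newgidmap-path]

# Print "setuid", "capability", "none" or "missing" for one binary. Exit status
# is 0 only when the binary can actually perform the privileged map write.
idmap_helper_privilege() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo "missing"
        return 2
    fi
    # -u tests the set-user-ID bit, i.e. what "chmod 04755" sets.
    if [ -u "$bin" ]; then
        echo "setuid"
        return 0
    fi
    # getcap prints e.g. "/usr/bin/newuidmap cap_setuid=ep" (or "= cap_setuid+ep"
    # with older libcap); either capability name counts as the setcap workaround.
    if command -v getcap >/dev/null 2>&1 && getcap "$bin" 2>/dev/null | grep -Eq 'cap_set[ug]id'; then
        echo "capability"
        return 0
    fi
    echo "none"
    return 1
}

# Check both helpers (default paths as in the thread) and fail if either one
# still lacks privilege, so the call can gate a container start in a script.
check_idmap_helpers() {
    rc=0
    for bin in "${1:-/usr/bin/newuidmap}" "${2:-/usr/bin/newgidmap}"; do
        status=$(idmap_helper_privilege "$bin") || rc=1
        printf '%s: %s\n' "$bin" "$status"
    done
    return $rc
}
```

A "none" result for either helper reproduces the "missing necessary privilege" debug line from the original log; after applying one of the two workarounds the function reports "setuid" or "capability" and returns 0.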

#3 2017-05-15 07:29:05

thePanz
Member
Registered: 2017-05-08
Posts: 9

Re: [SOLVED] LXC 2.0.8 not starting privileged containers

Thanks for sharing, it works!!
I used the first method you suggested, the `sudo chmod ...`

Last edited by thePanz (2017-05-15 07:29:24)
