Unprivileged LXC Containers on Ubuntu 14.04 failing
The entire process works fine for privileged containers, but when I try to start an unprivileged container I get the following:
clack@localhost ~> lxc-start -n clack -d --logfile=log --logpriority=TRACE
lxc-start: The container failed to start.
lxc-start: To get more details, run the container in foreground mode.
lxc-start: Additional information can be obtained by setting the --logfile and --logpriority options.
clack@localhost ~> cat log
lxc-start 1419697784.716 INFO lxc_start_ui - using rcfile /home/clack/.local/share/lxc/clack/config
lxc-start 1419697784.716 INFO lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start 1419697784.716 INFO lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start 1419697784.717 WARN lxc_log - lxc_log_init called with log already initialized
lxc-start 1419697784.718 INFO lxc_start - closed inherited fd 4
lxc-start 1419697784.726 INFO lxc_lsm - LSM security driver nop
lxc-start 1419697784.727 INFO lxc_start - closed inherited fd 4
lxc-start 1419697784.727 DEBUG lxc_conf - allocated pty '/dev/pts/4' (5/6)
lxc-start 1419697784.727 DEBUG lxc_conf - allocated pty '/dev/pts/5' (7/8)
lxc-start 1419697784.728 DEBUG lxc_conf - allocated pty '/dev/pts/6' (9/10)
lxc-start 1419697784.728 DEBUG lxc_conf - allocated pty '/dev/pts/7' (11/12)
lxc-start 1419697784.728 INFO lxc_conf - tty's configured
lxc-start 1419697784.728 DEBUG lxc_start - sigchild handler set
lxc-start 1419697784.728 DEBUG lxc_console - no console peer
lxc-start 1419697784.731 INFO lxc_monitor - using monitor sock name lxc/debd9ceabca2145a//home/clack/.local/share/lxc
lxc-start 1419697785.096 INFO lxc_start - 'clack' is initialized
lxc-start 1419697785.115 DEBUG lxc_start - Not dropping cap_sys_boot or watching utmp
lxc-start 1419697785.115 INFO lxc_start - Cloning a new user namespace
lxc-start 1419697785.115 INFO lxc_cgroup - cgroup driver cgmanager initing for clack
lxc-start 1419697785.116 ERROR lxc_cgmanager - call to cgmanager_create_sync failed: invalid request
lxc-start 1419697785.117 ERROR lxc_cgmanager - Failed to create perf_event:clack
lxc-start 1419697785.117 ERROR lxc_cgmanager - Error creating cgroup perf_event:clack
lxc-start 1419697785.117 INFO lxc_cgmanager - cgroup removal attempt: perf_event:clack did not exist
lxc-start 1419697785.117 INFO lxc_cgmanager - cgroup removal attempt: blkio:clack did not exist
lxc-start 1419697785.117 INFO lxc_cgmanager - cgroup removal attempt: net_cls:clack did not exist
lxc-start 1419697785.117 INFO lxc_cgmanager - cgroup removal attempt: freezer:clack did not exist
lxc-start 1419697785.118 INFO lxc_cgmanager - cgroup removal attempt: devices:clack did not exist
lxc-start 1419697785.118 INFO lxc_cgmanager - cgroup removal attempt: cpuacct:clack did not exist
lxc-start 1419697785.118 INFO lxc_cgmanager - cgroup removal attempt: cpu:clack did not exist
lxc-start 1419697785.118 INFO lxc_cgmanager - cgroup removal attempt: debug:clack did not exist
lxc-start 1419697785.119 INFO lxc_cgmanager - cgroup removal attempt: name=systemd:clack did not exist
lxc-start 1419697785.119 INFO lxc_cgmanager - cgroup removal attempt: cpuset:clack did not exist
lxc-start 1419697785.119 ERROR lxc_start - failed creating cgroups
lxc-start 1419697785.119 ERROR lxc_start - failed to spawn 'clack'
lxc-start 1419697785.119 WARN lxc_commands - command get_init_pid failed to receive response
lxc-start 1419697785.120 WARN lxc_cgmanager - do_cgm_get exited with error
lxc-start 1419697790.126 ERROR lxc_start_ui - The container failed to start.
lxc-start 1419697790.126 ERROR lxc_start_ui - To get more details, run the container in foreground mode.
lxc-start 1419697790.126 ERROR lxc_start_ui - Additional information can be obtained by setting the --logfile and --logpriority options.
This seems to imply a permissions issue with my user and cgroup creation. When I try to look at the relevant cgroup permissions, I see the following.
root@localhost ~# cat /proc/self/cgroup
11:perf_event:/user/0.user/2.session
10:blkio:/user/0.user/2.session
9:net_cls:/user/0.user/2.session
8:freezer:/user/0.user/2.session
7:devices:/user/0.user/2.session
6:cpuacct:/user/0.user/2.session
5:cpu:/user/0.user/2.session
4:debug:/user/0.user/2.session
3:name=systemd:/user/0.user/2.session
2:cpuset:/user/0.user/2.session
Given that my user's UID and GID are 1000, this seems wrong. Only root looks like it has permissions. When I try to manually add permissions with cgm I get the following:
root@localhost ~# cgm create all clack
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
method return sender=(null sender) -> dest=(null destination) reply_serial=1
int32 1
which looks to me like a dbus error, and trying to start dbus-monitor to see if the IPC mechanism is running gets me the following:
root@localhost ~# dbus-monitor
Failed to open connection to session bus: Unable to autolaunch a dbus-daemon without a $DISPLAY for X11
Which just flummoxes me. Why does dbus need an X display? And more importantly, how do I fix this?
I've tried setting things up with xvfb so that there's a virtual frame-buffer for the dbus daemon to use, but my attempts seem to make it inaccessible to processes that aren't started with xvfb-run.
Not to mention this seems like an incredibly hacky solution to the problem anyway; honestly I'm not really sure what's available to fix the problem or where the issue actually lies.
I've also performed all the steps recommended here
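As an added diagnostic (not from the question, and not part of LXC or cgmanager), the script below maps each hierarchy in a /proc/self/cgroup-style listing to its cgroupfs directory and reports whether the current user could create a child cgroup there, which is the step that fails in the log above with "failed creating cgroups". It assumes the cgroup v1 layout mounted under /sys/fs/cgroup/<controller>; the CGROUP_ROOT variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not from the question or from LXC: map each hierarchy in a
# /proc/self/cgroup-style listing to its cgroupfs directory and report whether
# the current user can create a child cgroup there. Assumes the cgroup v1
# layout mounted under $CGROUP_ROOT/<controller> (hypothetical variable).
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# cgroup_dirs: read "id:controllers:path" lines on stdin, emit "controllers dir".
# A named hierarchy such as "name=systemd" is mounted under the bare name.
cgroup_dirs() {
    while IFS=: read -r _id subsys path; do
        [ -n "$subsys" ] || continue
        mount="${subsys#name=}"
        printf '%s %s%s\n' "$subsys" "$CGROUP_ROOT/$mount" "$path"
    done
}

# check_cgroup_access: for each "controllers dir" line on stdin, creating a
# child cgroup needs write and search permission on the directory. Prints one
# verdict per hierarchy and returns 1 if any hierarchy is denied.
check_cgroup_access() {
    rc=0
    while read -r subsys dir; do
        if [ -w "$dir" ] && [ -x "$dir" ]; then
            printf 'ok      %-12s %s\n' "$subsys" "$dir"
        else
            owner="$(stat -c %U "$dir" 2>/dev/null || echo '?')"
            printf 'DENIED  %-12s %s (owner: %s)\n' "$subsys" "$dir" "$owner"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample reproducing three of the hierarchies from the question.
SAMPLE='11:perf_event:/user/0.user/2.session
3:name=systemd:/user/0.user/2.session
2:cpuset:/user/0.user/2.session'

sample_dirs() { printf '%s\n' "$SAMPLE" | cgroup_dirs; }

# On a live host, run as the unprivileged user that starts the container:
#   cat /proc/self/cgroup | cgroup_dirs | check_cgroup_access
```

A hierarchy reported as DENIED with owner root is one in which the unprivileged user cannot get a container cgroup created, whatever the uid map in the container config says.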