Inconsistent bind mount behavior.

[gene-vigelis]

Required information

Distributor ID: Ubuntu Description: Ubuntu 22.04.1 LTS Release: 22.04 Codename: jammy

config: core.https_address: '[::]:8443' core.trust_password: true api_extensions:

• storage_zfs_remove_snapshots
• container_host_shutdown_timeout
• container_stop_priority
• container_syscall_filtering
• auth_pki
• container_last_used_at
• etag
• patch
• usb_devices
• https_allowed_credentials
• image_compression_algorithm
• directory_manipulation
• container_cpu_time
• storage_zfs_use_refquota
• storage_lvm_mount_options
• network
• profile_usedby
• container_push
• container_exec_recording
• certificate_update
• container_exec_signal_handling
• gpu_devices
• container_image_properties
• migration_progress
• id_map
• network_firewall_filtering
• network_routes
• storage
• file_delete
• file_append
• network_dhcp_expiry
• storage_lvm_vg_rename
• storage_lvm_thinpool_rename
• network_vlan
• image_create_aliases
• container_stateless_copy
• container_only_migration
• storage_zfs_clone_copy
• unix_device_rename
• storage_lvm_use_thinpool
• storage_rsync_bwlimit
• network_vxlan_interface
• storage_btrfs_mount_options
• entity_description
• image_force_refresh
• storage_lvm_lv_resizing
• id_map_base
• file_symlinks
• container_push_target
• network_vlan_physical
• storage_images_delete
• container_edit_metadata
• container_snapshot_stateful_migration
• storage_driver_ceph
• storage_ceph_user_name
• resource_limits
• storage_volatile_initial_source
• storage_ceph_force_osd_reuse
• storage_block_filesystem_btrfs
• resources
• kernel_limits
• storage_api_volume_rename
• macaroon_authentication
• network_sriov
• console
• restrict_devlxd
• migration_pre_copy
• infiniband
• maas_network
• devlxd_events
• proxy
• network_dhcp_gateway
• file_get_symlink
• network_leases
• unix_device_hotplug
• storage_api_local_volume_handling
• operation_description
• clustering
• event_lifecycle
• storage_api_remote_volume_handling
• nvidia_runtime
• container_mount_propagation
• container_backup
• devlxd_images
• container_local_cross_pool_handling
• proxy_unix
• proxy_udp
• clustering_join
• proxy_tcp_udp_multi_port_handling
• network_state
• proxy_unix_dac_properties
• container_protection_delete
• unix_priv_drop
• pprof_http
• proxy_haproxy_protocol
• network_hwaddr
• proxy_nat
• network_nat_order
• container_full
• candid_authentication
• backup_compression
• candid_config
• nvidia_runtime_config
• storage_api_volume_snapshots
• storage_unmapped
• projects
• candid_config_key
• network_vxlan_ttl
• container_incremental_copy
• usb_optional_vendorid
• snapshot_scheduling
• snapshot_schedule_aliases
• container_copy_project
• clustering_server_address
• clustering_image_replication
• container_protection_shift
• snapshot_expiry
• container_backup_override_pool
• snapshot_expiry_creation
• network_leases_location
• resources_cpu_socket
• resources_gpu
• resources_numa
• kernel_features
• id_map_current
• event_location
• storage_api_remote_volume_snapshots
• network_nat_address
• container_nic_routes
• rbac
• cluster_internal_copy
• seccomp_notify
• lxc_features
• container_nic_ipvlan
• network_vlan_sriov
• storage_cephfs
• container_nic_ipfilter
• resources_v2
• container_exec_user_group_cwd
• container_syscall_intercept
• container_disk_shift
• storage_shifted
• resources_infiniband
• daemon_storage
• instances
• image_types
• resources_disk_sata
• clustering_roles
• images_expiry
• resources_network_firmware
• backup_compression_algorithm
• ceph_data_pool_name
• container_syscall_intercept_mount
• compression_squashfs
• container_raw_mount
• container_nic_routed
• container_syscall_intercept_mount_fuse
• container_disk_ceph
• virtual-machines
• image_profiles
• clustering_architecture
• resources_disk_id
• storage_lvm_stripes
• vm_boot_priority
• unix_hotplug_devices
• api_filtering
• instance_nic_network
• clustering_sizing
• firewall_driver
• projects_limits
• container_syscall_intercept_hugetlbfs
• limits_hugepages
• container_nic_routed_gateway
• projects_restrictions
• custom_volume_snapshot_expiry
• volume_snapshot_scheduling
• trust_ca_certificates
• snapshot_disk_usage
• clustering_edit_roles
• container_nic_routed_host_address
• container_nic_ipvlan_gateway
• resources_usb_pci
• resources_cpu_threads_numa
• resources_cpu_core_die
• api_os
• container_nic_routed_host_table
• container_nic_ipvlan_host_table
• container_nic_ipvlan_mode
• resources_system
• images_push_relay
• network_dns_search
• container_nic_routed_limits
• instance_nic_bridged_vlan
• network_state_bond_bridge
• usedby_consistency
• custom_block_volumes
• clustering_failure_domains
• resources_gpu_mdev
• console_vga_type
• projects_limits_disk
• network_type_macvlan
• network_type_sriov
• container_syscall_intercept_bpf_devices
• network_type_ovn
• projects_networks
• projects_networks_restricted_uplinks
• custom_volume_backup
• backup_override_name
• storage_rsync_compression
• network_type_physical
• network_ovn_external_subnets
• network_ovn_nat
• network_ovn_external_routes_remove
• tpm_device_type
• storage_zfs_clone_copy_rebase
• gpu_mdev
• resources_pci_iommu
• resources_network_usb
• resources_disk_address
• network_physical_ovn_ingress_mode
• network_ovn_dhcp
• network_physical_routes_anycast
• projects_limits_instances
• network_state_vlan
• instance_nic_bridged_port_isolation
• instance_bulk_state_change
• network_gvrp
• instance_pool_move
• gpu_sriov
• pci_device_type
• storage_volume_state
• network_acl
• migration_stateful
• disk_state_quota
• storage_ceph_features
• projects_compression
• projects_images_remote_cache_expiry
• certificate_project
• network_ovn_acl
• projects_images_auto_update
• projects_restricted_cluster_target
• images_default_architecture
• network_ovn_acl_defaults
• gpu_mig
• project_usage
• network_bridge_acl
• warnings
• projects_restricted_backups_and_snapshots
• clustering_join_token
• clustering_description
• server_trusted_proxy
• clustering_update_cert
• storage_api_project
• server_instance_driver_operational
• server_supported_storage_drivers
• event_lifecycle_requestor_address
• resources_gpu_usb
• clustering_evacuation
• network_ovn_nat_address
• network_bgp
• network_forward
• custom_volume_refresh
• network_counters_errors_dropped
• metrics
• image_source_project
• clustering_config
• network_peer
• linux_sysctl
• network_dns
• ovn_nic_acceleration
• certificate_self_renewal
• instance_project_move
• storage_volume_project_move
• cloud_init
• network_dns_nat
• database_leader
• instance_all_projects
• clustering_groups
• ceph_rbd_du
• instance_get_full
• qemu_metrics
• gpu_mig_uuid
• event_project
• clustering_evacuation_live
• instance_allow_inconsistent_copy
• network_state_ovn
• storage_volume_api_filtering
• image_restrictions
• storage_zfs_export
• network_dns_records
• storage_zfs_reserve_space
• network_acl_log
• storage_zfs_blocksize
• metrics_cpu_seconds
• instance_snapshot_never
• certificate_token
• instance_nic_routed_neighbor_probe
• event_hub
• agent_nic_config
• projects_restricted_intercept
• metrics_authentication
• images_target_project
• cluster_migration_inconsistent_copy
• cluster_ovn_chassis
• container_syscall_intercept_sched_setscheduler
• storage_lvm_thinpool_metadata_size
• storage_volume_state_total
• instance_file_head
• instances_nic_host_name
• image_copy_profile
• container_syscall_intercept_sysinfo
• clustering_evacuation_mode
• resources_pci_vpd
• qemu_raw_conf
• storage_cephfs_fscache
• network_load_balancer
• vsock_api
• instance_ready_state
• network_bgp_holdtime
• storage_volumes_all_projects
• metrics_memory_oom_total
• storage_buckets api_status: stable api_version: "1.0" auth: trusted public: false auth_methods:
• tls environment: addresses:
  • 192.168.1.150:8443
  • 192.168.122.1:8443 architectures:
  • x86_64
  • i686 certificate: | -----BEGIN CERTIFICATE----- MIICBjCCAYygAwIBAgIQam5BQEW8dHxqXXpn0eMOATAKBggqhkjOPQQDAzA1MRww GgYDVQQKExNsaW51eGNvbnRhaW5lcnMub3JnMRUwEwYDVQQDDAxyb290QHZtLWhv c3QwHhcNMjIwMTEwMjEyMDI5WhcNMzIwMTA4MjEyMDI5WjA1MRwwGgYDVQQKExNs aW51eGNvbnRhaW5lcnMub3JnMRUwEwYDVQQDDAxyb290QHZtLWhvc3QwdjAQBgcq hkjOPQIBBgUrgQQAIgNiAAQbgx4mx0Ck6kuTwyopGcw8RhKpPnKBen/pNQK5WlMP b4grWvh2lbcCilO8ojN6Gp0FHqKCzit28fkp8f+YzxO3QL1RCTNTbMGobaSv1G+a NpuDixhuun2NzSGrAsQ30HujYTBfMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAK BggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMCoGA1UdEQQjMCGCB3ZtLWhvc3SHBH8A AAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwMDaAAwZQIwehYXC2IJ2ihT 4XCfxBvbRLk0skdz+YD2JvaCMKCipo2WXPNXniFaw+fsib3lQFYwAjEA9M82FX7g oFYnqtU+cMuvlOsVLBV3NAs1D3U7Xy3AIQd/lJl1uJzVrZnkhRGoxYl2 -----END CERTIFICATE----- certificate_fingerprint: 3f4284b5b46804c1f06ec6f98ef7471ca5ee232ef84e743d3f394ae414e62fba driver: qemu | lxc driver_version: 7.0.0 | 5.0.1 firewall: nftables kernel: Linux kernel_architecture: x86_64 kernel_features: idmapped_mounts: "true" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" shiftfs: "true" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 5.15.0-47-generic lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Ubuntu os_version: "22.04" project: default server: lxd server_clustered: false server_event_mode: full-mesh server_name: vm-host server_pid: 8722 server_version: "5.5" storage: lvm | btrfs storage_version: 2.03.07(2) (2019-11-30) / 1.02.167 (2019-11-30) / 4.45.0 | 5.4.1 storage_supported_drivers:
  • name: cephfs version: 15.2.16 remote: true
  • name: cephobject version: 15.2.16 remote: true
  • name: dir version: "1" remote: false
  • name: lvm version: 2.03.07(2) (2019-11-30) / 1.02.167 (2019-11-30) / 4.45.0 remote: false
  • name: zfs version: 2.1.4-0ubuntu0.1 remote: false
  • name: btrfs version: 5.4.1 remote: false
  • name: ceph version: 15.2.16 remote: true

Issue description

If I bind mount a directory under an already bind mounted directory in the config the container will not start with id_map errors. If I bind mount only the higher level directory in the config and start the container I can lxc device add ... the other lower level bind mounts (but the container must be running) and everything works as expected. I can define the extra mounts in a profile and add that profile only after the container starts as well.

Steps to reproduce

1. Define a bind mount with a target such as /var/lib/docker with "shift: true"
2. Define a bind mount with a target such as /var/lib/docker/volumes/postgres1 with "shift: true"
3. Attempt to start container. This step will fail.
4. Remove the second bind mount from step #2 in the configuration
5. Start the container (it will start fine now)
6. Run: lxc config device add container_name disk_label disk source=/xxx path=/var/lib/docker/volumes/postgre1 shift=true
7. Log into the already running container and the bind mount that failed from step 2 is successfully added in step 6

Information to attach

• [ ] Any relevant kernel output (dmesg)
• [ ] Container log (lxc info NAME --show-log)
• [ ] Container configuration (lxc config show NAME --expanded)
• [ ] Main daemon log (at /var/log/lxd/lxd.log orlxd.log)
• [ ] Output of the client with --debug
• [ ] Output of the daemon with --debug (alternatively output of lxc monitor while reproducing the issue)

[stgraber]

@gene-vigelis do you get the same behavior without shift=true?

[brauner]

Can you please get us the trace log for the container?

[stgraber]

lxc config set NAME raw.lxc=lxc.log.level=trace, then attempt to start the broken container and finally post lxc info NAME --show-log

[gene-vigelis]

@stgraber It's been a while since I tried without the shift but I believe it did start that way but my ownership's were all wrong.

Command history:

1663159109

lxc config set docker raw.lxc=lxc.log.level=trace

1663159216

lxc config show docker -e > show-container-e.out

1663159270

lxc start docker > lxc-start-err.out 2>&1

1663159332

lxc info --show-log docker > show-log-with-submounts-on-start.out 2>&1

1663159380

lxc profile remove docker docker-disks

1663159413

lxc start docker

1663159459

lxc profile add docker docker-disks

1663159503

lxc info --show-log docker > show-log-with-submounts-added-after-start.out 2>&1

Files: lxc-start-with-submounts.log show-container-e.log show-log-with-submounts-added-after-start.log show-log-with-submounts-on-start.log

[brauner]

So LXC is unhappy because:

lxc docker 20220914124111.394 ERROR    conf - ../src/src/lxc/conf.c:__lxc_idmapped_mounts_child:3050 - Invalid cross-device link - Failed to open target mountpoint 19/var/lib/docker/volumes/pgadmin1_config for detached idmapped mount 22:19/var/snap/lxd/common/lxd/devices/docker/disk.pgadmin1_config.var-lib-docker-volumes-pgadmin1_config
lxc docker 20220914124111.394 ERROR    conf - ../src/src/lxc/conf.c:lxc_idmapped_mounts_child:3096 - Invalid cross-device link - Failed to setup idmapped mount entries
lxc docker 20220914124111.394 ERROR    conf - ../src/src/lxc/conf.c:lxc_setup:4383 - Invalid cross-device link - Failed to attached detached idmapped mounts

It seems that /var/lib/docker/volumes/pgadmin1_config crosses a mount which LXC currently blocks when setting up idmapped mounts.

[gene-vigelis]

@brauner, I have lxd installed via snap. What do I need to do to get his patch?

[stgraber]

Needs to be merged into LXC and then backported to LXC 5.0 and then cherry-picked into the snap or wait for the next 5.0.x release of liblxc to have it be picked up automatically

[gene-vigelis]

I've install snap LXD so my lxc --version shows 5.5. How will i know that this has been back-ported? I have a workaround as shown above so would like to know when I can stop my workaround and have the container start properly with all disks.

Thank you so very much for such prompt response to my error!!!

[gene-vigelis]

Hi @stgraber,

My lxc driver is still at 5.0.1, is there any timeline for when liblxc will be patched/backported to lxd in the snap store?

Gene