x32767 commented 1 month ago

Required information

Distribution: Debian
Distribution version: Debian 12 (bookworm) arm64 (installed from debian-12.6.0-arm64-netinst.iso)
```
Linux debian 6.1.0-23-arm64 #1 SMP Debian 6.1.99-1 (2024-07-15) aarch64 GNU/Linux
```

The output of "incus info" or if that fails:

test@debian:~$ incus info
config: {}
api_extensions:
- storage_zfs_remove_snapshots
- container_host_shutdown_timeout
- container_stop_priority
- container_syscall_filtering
- auth_pki
- container_last_used_at
- etag
- patch
- usb_devices
- https_allowed_credentials
- image_compression_algorithm
- directory_manipulation
- container_cpu_time
- storage_zfs_use_refquota
- storage_lvm_mount_options
- network
- profile_usedby
- container_push
- container_exec_recording
- certificate_update
- container_exec_signal_handling
- gpu_devices
- container_image_properties
- migration_progress
- id_map
- network_firewall_filtering
- network_routes
- storage
- file_delete
- file_append
- network_dhcp_expiry
- storage_lvm_vg_rename
- storage_lvm_thinpool_rename
- network_vlan
- image_create_aliases
- container_stateless_copy
- container_only_migration
- storage_zfs_clone_copy
- unix_device_rename
- storage_lvm_use_thinpool
- storage_rsync_bwlimit
- network_vxlan_interface
- storage_btrfs_mount_options
- entity_description
- image_force_refresh
- storage_lvm_lv_resizing
- id_map_base
- file_symlinks
- container_push_target
- network_vlan_physical
- storage_images_delete
- container_edit_metadata
- container_snapshot_stateful_migration
- storage_driver_ceph
- storage_ceph_user_name
- resource_limits
- storage_volatile_initial_source
- storage_ceph_force_osd_reuse
- storage_block_filesystem_btrfs
- resources
- kernel_limits
- storage_api_volume_rename
- network_sriov
- console
- restrict_dev_incus
- migration_pre_copy
- infiniband
- dev_incus_events
- proxy
- network_dhcp_gateway
- file_get_symlink
- network_leases
- unix_device_hotplug
- storage_api_local_volume_handling
- operation_description
- clustering
- event_lifecycle
- storage_api_remote_volume_handling
- nvidia_runtime
- container_mount_propagation
- container_backup
- dev_incus_images
- container_local_cross_pool_handling
- proxy_unix
- proxy_udp
- clustering_join
- proxy_tcp_udp_multi_port_handling
- network_state
- proxy_unix_dac_properties
- container_protection_delete
- unix_priv_drop
- pprof_http
- proxy_haproxy_protocol
- network_hwaddr
- proxy_nat
- network_nat_order
- container_full
- backup_compression
- nvidia_runtime_config
- storage_api_volume_snapshots
- storage_unmapped
- projects
- network_vxlan_ttl
- container_incremental_copy
- usb_optional_vendorid
- snapshot_scheduling
- snapshot_schedule_aliases
- container_copy_project
- clustering_server_address
- clustering_image_replication
- container_protection_shift
- snapshot_expiry
- container_backup_override_pool
- snapshot_expiry_creation
- network_leases_location
- resources_cpu_socket
- resources_gpu
- resources_numa
- kernel_features
- id_map_current
- event_location
- storage_api_remote_volume_snapshots
- network_nat_address
- container_nic_routes
- cluster_internal_copy
- seccomp_notify
- lxc_features
- container_nic_ipvlan
- network_vlan_sriov
- storage_cephfs
- container_nic_ipfilter
- resources_v2
- container_exec_user_group_cwd
- container_syscall_intercept
- container_disk_shift
- storage_shifted
- resources_infiniband
- daemon_storage
- instances
- image_types
- resources_disk_sata
- clustering_roles
- images_expiry
- resources_network_firmware
- backup_compression_algorithm
- ceph_data_pool_name
- container_syscall_intercept_mount
- compression_squashfs
- container_raw_mount
- container_nic_routed
- container_syscall_intercept_mount_fuse
- container_disk_ceph
- virtual-machines
- image_profiles
- clustering_architecture
- resources_disk_id
- storage_lvm_stripes
- vm_boot_priority
- unix_hotplug_devices
- api_filtering
- instance_nic_network
- clustering_sizing
- firewall_driver
- projects_limits
- container_syscall_intercept_hugetlbfs
- limits_hugepages
- container_nic_routed_gateway
- projects_restrictions
- custom_volume_snapshot_expiry
- volume_snapshot_scheduling
- trust_ca_certificates
- snapshot_disk_usage
- clustering_edit_roles
- container_nic_routed_host_address
- container_nic_ipvlan_gateway
- resources_usb_pci
- resources_cpu_threads_numa
- resources_cpu_core_die
- api_os
- container_nic_routed_host_table
- container_nic_ipvlan_host_table
- container_nic_ipvlan_mode
- resources_system
- images_push_relay
- network_dns_search
- container_nic_routed_limits
- instance_nic_bridged_vlan
- network_state_bond_bridge
- usedby_consistency
- custom_block_volumes
- clustering_failure_domains
- resources_gpu_mdev
- console_vga_type
- projects_limits_disk
- network_type_macvlan
- network_type_sriov
- container_syscall_intercept_bpf_devices
- network_type_ovn
- projects_networks
- projects_networks_restricted_uplinks
- custom_volume_backup
- backup_override_name
- storage_rsync_compression
- network_type_physical
- network_ovn_external_subnets
- network_ovn_nat
- network_ovn_external_routes_remove
- tpm_device_type
- storage_zfs_clone_copy_rebase
- gpu_mdev
- resources_pci_iommu
- resources_network_usb
- resources_disk_address
- network_physical_ovn_ingress_mode
- network_ovn_dhcp
- network_physical_routes_anycast
- projects_limits_instances
- network_state_vlan
- instance_nic_bridged_port_isolation
- instance_bulk_state_change
- network_gvrp
- instance_pool_move
- gpu_sriov
- pci_device_type
- storage_volume_state
- network_acl
- migration_stateful
- disk_state_quota
- storage_ceph_features
- projects_compression
- projects_images_remote_cache_expiry
- certificate_project
- network_ovn_acl
- projects_images_auto_update
- projects_restricted_cluster_target
- images_default_architecture
- network_ovn_acl_defaults
- gpu_mig
- project_usage
- network_bridge_acl
- warnings
- projects_restricted_backups_and_snapshots
- clustering_join_token
- clustering_description
- server_trusted_proxy
- clustering_update_cert
- storage_api_project
- server_instance_driver_operational
- server_supported_storage_drivers
- event_lifecycle_requestor_address
- resources_gpu_usb
- clustering_evacuation
- network_ovn_nat_address
- network_bgp
- network_forward
- custom_volume_refresh
- network_counters_errors_dropped
- metrics
- image_source_project
- clustering_config
- network_peer
- linux_sysctl
- network_dns
- ovn_nic_acceleration
- certificate_self_renewal
- instance_project_move
- storage_volume_project_move
- cloud_init
- network_dns_nat
- database_leader
- instance_all_projects
- clustering_groups
- ceph_rbd_du
- instance_get_full
- qemu_metrics
- gpu_mig_uuid
- event_project
- clustering_evacuation_live
- instance_allow_inconsistent_copy
- network_state_ovn
- storage_volume_api_filtering
- image_restrictions
- storage_zfs_export
- network_dns_records
- storage_zfs_reserve_space
- network_acl_log
- storage_zfs_blocksize
- metrics_cpu_seconds
- instance_snapshot_never
- certificate_token
- instance_nic_routed_neighbor_probe
- event_hub
- agent_nic_config
- projects_restricted_intercept
- metrics_authentication
- images_target_project
- images_all_projects
- cluster_migration_inconsistent_copy
- cluster_ovn_chassis
- container_syscall_intercept_sched_setscheduler
- storage_lvm_thinpool_metadata_size
- storage_volume_state_total
- instance_file_head
- instances_nic_host_name
- image_copy_profile
- container_syscall_intercept_sysinfo
- clustering_evacuation_mode
- resources_pci_vpd
- qemu_raw_conf
- storage_cephfs_fscache
- network_load_balancer
- vsock_api
- instance_ready_state
- network_bgp_holdtime
- storage_volumes_all_projects
- metrics_memory_oom_total
- storage_buckets
- storage_buckets_create_credentials
- metrics_cpu_effective_total
- projects_networks_restricted_access
- storage_buckets_local
- loki
- acme
- internal_metrics
- cluster_join_token_expiry
- remote_token_expiry
- init_preseed
- storage_volumes_created_at
- cpu_hotplug
- projects_networks_zones
- network_txqueuelen
- cluster_member_state
- instances_placement_scriptlet
- storage_pool_source_wipe
- zfs_block_mode
- instance_generation_id
- disk_io_cache
- amd_sev
- storage_pool_loop_resize
- migration_vm_live
- ovn_nic_nesting
- oidc
- network_ovn_l3only
- ovn_nic_acceleration_vdpa
- cluster_healing
- instances_state_total
- auth_user
- security_csm
- instances_rebuild
- numa_cpu_placement
- custom_volume_iso
- network_allocations
- zfs_delegate
- storage_api_remote_volume_snapshot_copy
- operations_get_query_all_projects
- metadata_configuration
- syslog_socket
- event_lifecycle_name_and_project
- instances_nic_limits_priority
- disk_initial_volume_configuration
- operation_wait
- image_restriction_privileged
- cluster_internal_custom_volume_copy
- disk_io_bus
- storage_cephfs_create_missing
- instance_move_config
- ovn_ssl_config
- certificate_description
- disk_io_bus_virtio_blk
- loki_config_instance
- instance_create_start
- clustering_evacuation_stop_options
- boot_host_shutdown_action
- agent_config_drive
- network_state_ovn_lr
- image_template_permissions
- storage_bucket_backup
- storage_lvm_cluster
- shared_custom_block_volumes
- auth_tls_jwt
- oidc_claim
- device_usb_serial
- numa_cpu_balanced
- image_restriction_nesting
- network_integrations
- instance_memory_swap_bytes
- network_bridge_external_create
- network_zones_all_projects
- storage_zfs_vdev
- container_migration_stateful
- profiles_all_projects
- instances_scriptlet_get_instances
- instances_scriptlet_get_cluster_members
- instances_scriptlet_get_project
- network_acl_stateless
- instance_state_started_at
- networks_all_projects
- network_acls_all_projects
- storage_buckets_all_projects
- resources_load
- instance_access
- project_access
- projects_force_delete
- resources_cpu_flags
- disk_io_bus_cache_filesystem
- instance_oci
- clustering_groups_config
- instances_lxcfs_per_instance
- clustering_groups_vm_cpu_definition
- disk_volume_subpath
- projects_limits_disk_pool
- network_ovn_isolated
api_status: stable
api_version: "1.0"
auth: trusted
public: false
auth_methods:
- tls
auth_user_name: test
auth_user_method: unix
environment:
addresses: []
architectures:
- aarch64
- armv6l
- armv7l
- armv8l
certificate: |
-----BEGIN CERTIFICATE-----
MIIB/jCCAYSgAwIBAgIRAPqnxLtjZ4g0E5CjfZstl28wCgYIKoZIzj0EAwMwMTEZ
MBcGA1UEChMQTGludXggQ29udGFpbmVyczEUMBIGA1UEAwwLcm9vdEBkZWJpYW4w
HhcNMjQwODI1MDE1MjE2WhcNMzQwODIzMDE1MjE2WjAxMRkwFwYDVQQKExBMaW51
eCBDb250YWluZXJzMRQwEgYDVQQDDAtyb290QGRlYmlhbjB2MBAGByqGSM49AgEG
BSuBBAAiA2IABNOqpWps74h3NFJSTY+PyekYBlDnwNK15sArvYa5qGvqVrT9L5un
Q7Hd1Yt82QiMlQNYXt1P0rpU1EN7+9Vf7KpDyijBtfpBGo6Gbn2YAn5gqF2RPKEx
c281q0yEKSDo66NgMF4wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMAwGA1UdEwEB/wQCMAAwKQYDVR0RBCIwIIIGZGViaWFuhwR/AAABhxAAAAAA
AAAAAAAAAAAAAAABMAoGCCqGSM49BAMDA2gAMGUCMDOhbWdO1RV0K5Xaftr7zVNM
PdJAImQQCgDBOSX2FKjvV9mywJ6GbeFSkv03t6RXKQIxAM+cMui2cd+RYP7Jt9iJ
xvUDqPdXaGFr+8jdxrEJaVLFdOKkeUKV98AJdjCYQKR0gQ==
-----END CERTIFICATE-----
certificate_fingerprint: cafa26b29f6f3cb4b88cffd3c34be6c2faf401a77433ff2221f3324b6cbd9f12
driver: lxc
driver_version: 6.0.1
firewall: nftables
kernel: Linux
kernel_architecture: aarch64
kernel_features:
idmapped_mounts: "true"
netnsid_getifaddrs: "true"
seccomp_listener: "true"
seccomp_listener_continue: "true"
uevent_injection: "true"
unpriv_binfmt: "false"
unpriv_fscaps: "true"
kernel_version: 6.1.0-23-arm64
lxc_features:
cgroup2: "true"
core_scheduling: "true"
devpts_fd: "true"
idmapped_mounts_v2: "true"
mount_injection_file: "true"
network_gateway_device_route: "true"
network_ipvlan: "true"
network_l2proxy: "true"
network_phys_macvlan_mtu: "true"
network_veth_router: "true"
pidfd: "true"
seccomp_allow_deny_syntax: "true"
seccomp_notify: "true"
seccomp_proxy_send_notify_fd: "true"
os_name: Debian GNU/Linux
os_version: "12"
project: default
server: incus
server_clustered: false
server_event_mode: full-mesh
server_name: debian
server_pid: 399
server_version: "6.4"
storage: dir
storage_version: "1"
storage_supported_drivers:
- name: dir
version: "1"
remote: false

Incus version:

incus/bookworm,now 1:6.4-202408230443-debian12 arm64 [installed]

Storage backend in use: dir

Issue description

Container in above environment cannot start after setting security.syscalls.intercept.mount: "true" to config.

Firstly I was trying to install Waydroid headlessly into an Incus container inside a libvirt VM on Raspberry Pi OS Lite. Later I encounter this issue when trying to enable mount capability for the container. More info.

Later I found even for brand new VM, this issue still occurs.

Steps to reproduce

Create a libvirt VM of arm64 with above environment on Raspberry Pi OS on Raspberry Pi 400 (or Raspberry Pi OS Lite on Raspberry Pi 5 Model B 8GB, both tested). Actually I think you may also reproduce it with any kind of arm64 machine or VM, but the above are the environments I tested.
Install Incus stable (6.4) from https://github.com/zabbly/incus or 6.0.1 from bookworm-backports.

test@debian:~$ incus admin init
Would you like to use clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=incusbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: 
Would you like a YAML "init" preseed to be printed? (yes/no) [default=no]: 
test@debian:~$ incus list
+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+
test@debian:~$ incus launch images:ubuntu/22.04
Launching the instance
Instance name is: square-crayfish                    
test@debian:~$ incus list
+-----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+
|      NAME       |  STATE  |        IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+-----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| square-crayfish | RUNNING | 10.27.74.228 (eth0) | fd42:c039:54ad:a040:216:3eff:feae:da39 (eth0) | CONTAINER | 0         |
+-----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+
test@debian:~$ incus stop square-crayfish
test@debian:~$ incus config set square-crayfish security.
security.guestapi           security.protection.delete  
test@debian:~$ incus config set square-crayfish security.syscalls.intercept.mount=true
test@debian:~$ incus list
+-----------------+---------+------+------+-----------+-----------+
|      NAME       |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-----------------+---------+------+------+-----------+-----------+
| square-crayfish | STOPPED |      |      | CONTAINER | 0         |
+-----------------+---------+------+------+-----------+-----------+
test@debian:~$ incus start square-crayfish 
test@debian:~$ incus list
+-----------------+---------+------+------+-----------+-----------+
|      NAME       |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-----------------+---------+------+------+-----------+-----------+
| square-crayfish | STOPPED |      |      | CONTAINER | 0         |
+-----------------+---------+------+------+-----------+-----------+
test@debian:~$ incus start square-crayfish --console 
To detach from the console, press: <ctrl>+a q
Error: Failed running forkconsole: "container is not running: \"square-crayfish\""
                                                                              Error: stat /proc/-1: no such file or directory
test@debian:~$

Information to attach

incus monitor --pretty log when starting the container. It seems the container started and then quickly stopped.

test@debian:~$ incus monitor --pretty 
DEBUG  [2024-08-24T21:36:57-05:00] Event listener server handler started         id=e8436c89-2b61-4c76-83b8-8d4156718e04 local=/var/lib/incus/unix.socket remote=@
DEBUG  [2024-08-24T21:37:01-05:00] Handling API request                          ip=@ method=GET protocol=unix url=/1.0 username=test
DEBUG  [2024-08-24T21:37:01-05:00] Handling API request                          ip=@ method=GET protocol=unix url=/1.0/instances/square-crayfish username=test
DEBUG  [2024-08-24T21:37:01-05:00] Handling API request                          ip=@ method=GET protocol=unix url=/1.0/events username=test
DEBUG  [2024-08-24T21:37:01-05:00] Event listener server handler started         id=1076e0a6-5a43-4ac0-b5a0-d4d627e4497d local=/var/lib/incus/unix.socket remote=@
DEBUG  [2024-08-24T21:37:01-05:00] Handling API request                          ip=@ method=PUT protocol=unix url=/1.0/instances/square-crayfish/state username=test
DEBUG  [2024-08-24T21:37:01-05:00] New operation                                 class=task description="Starting instance" operation=dd34990a-865e-4fa8-bace-b90ccc987f08 project=default
INFO   [2024-08-24T21:37:01-05:00] ID: dd34990a-865e-4fa8-bace-b90ccc987f08, Class: task, Description: Starting instance  CreatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Pending StatusCode=Pending UpdatedAt="2024-08-24 21:37:01.575465124 -0500 CDT"
INFO   [2024-08-24T21:37:01-05:00] Starting instance                             action=start created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:35:20.347393563 +0000 UTC"
DEBUG  [2024-08-24T21:37:01-05:00] Started operation                             class=task description="Starting instance" operation=dd34990a-865e-4fa8-bace-b90ccc987f08 project=default
INFO   [2024-08-24T21:37:01-05:00] ID: dd34990a-865e-4fa8-bace-b90ccc987f08, Class: task, Description: Starting instance  CreatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Running StatusCode=Running UpdatedAt="2024-08-24 21:37:01.575465124 -0500 CDT"
DEBUG  [2024-08-24T21:37:01-05:00] Start started                                 instance=square-crayfish instanceType=container project=default stateful=false
DEBUG  [2024-08-24T21:37:01-05:00] Instance operation lock created               action=start instance=square-crayfish project=default reusable=false
DEBUG  [2024-08-24T21:37:01-05:00] Handling API request                          ip=@ method=GET protocol=unix url=/1.0/operations/dd34990a-865e-4fa8-bace-b90ccc987f08 username=test
DEBUG  [2024-08-24T21:37:01-05:00] MountInstance started                         driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:37:01-05:00] MountInstance finished                        driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:37:01-05:00] Starting device                               device=eth0 instance=square-crayfish instanceType=container project=default type=nic
DEBUG  [2024-08-24T21:37:01-05:00] Starting device                               device=root instance=square-crayfish instanceType=container project=default type=disk
DEBUG  [2024-08-24T21:37:01-05:00] UpdateInstanceBackupFile started              driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:37:01-05:00] UpdateInstanceBackupFile finished             driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:37:01-05:00] Skipping unmount as in use                    driver=dir pool=default refCount=1 volName=square-crayfish
DEBUG  [2024-08-24T21:37:01-05:00] Handling API request                          ip=@ method=GET protocol=unix url="/internal/containers/square-crayfish/onstart?project=default" username=root
DEBUG  [2024-08-24T21:37:02-05:00] Scheduler: container square-crayfish started: re-balancing 
DEBUG  [2024-08-24T21:37:02-05:00] Connected to seccomp socket: pid=2740        
DEBUG  [2024-08-24T21:37:02-05:00] Event listener server handler stopped         listener=1076e0a6-5a43-4ac0-b5a0-d4d627e4497d local=/var/lib/incus/unix.socket remote=@
INFO   [2024-08-24T21:37:02-05:00] Started instance                              action=start created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:35:20.347393563 +0000 UTC"
INFO   [2024-08-24T21:37:02-05:00] Action: instance-started, Source: /1.0/instances/square-crayfish, Requestor: unix/test (@) 
DEBUG  [2024-08-24T21:37:02-05:00] Instance operation lock finished              action=start err="<nil>" instance=square-crayfish project=default reusable=false
DEBUG  [2024-08-24T21:37:02-05:00] Start finished                                instance=square-crayfish instanceType=container project=default stateful=false
DEBUG  [2024-08-24T21:37:02-05:00] Success for operation                         class=task description="Starting instance" operation=dd34990a-865e-4fa8-bace-b90ccc987f08 project=default
INFO   [2024-08-24T21:37:02-05:00] ID: dd34990a-865e-4fa8-bace-b90ccc987f08, Class: task, Description: Starting instance  CreatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Success StatusCode=Success UpdatedAt="2024-08-24 21:37:01.575465124 -0500 CDT"
DEBUG  [2024-08-24T21:37:02-05:00] Syscall handler received fds 37(/proc/<pid>), 38(/proc/<pid>/mem), and 40([seccomp notify]) 
DEBUG  [2024-08-24T21:37:02-05:00] Send seccomp notification for id(12030653473909927087) 
DEBUG  [2024-08-24T21:37:02-05:00] Syscall handler received fds 43(/proc/<pid>), 44(/proc/<pid>/mem), and 45([seccomp notify]) 
DEBUG  [2024-08-24T21:37:02-05:00] Send seccomp notification for id(12030653473909927088) 
DEBUG  [2024-08-24T21:37:02-05:00] Syscall handler received fds 37(/proc/<pid>), 38(/proc/<pid>/mem), and 40([seccomp notify]) 
DEBUG  [2024-08-24T21:37:02-05:00] Send seccomp notification for id(12030653473909927089) 
DEBUG  [2024-08-24T21:37:02-05:00] Handling API request                          ip=@ method=GET protocol=unix url="/internal/containers/square-crayfish/onstopns?netns=%2Fproc%2F2740%2Ffd%2F4&project=default&target=stop" username=root
DEBUG  [2024-08-24T21:37:02-05:00] Instance operation lock created               action=stop instance=square-crayfish project=default reusable=false
DEBUG  [2024-08-24T21:37:02-05:00] Instance initiated stop                       action=stop instance=square-crayfish instanceType=container project=default
DEBUG  [2024-08-24T21:37:02-05:00] Stopping device                               device=eth0 instance=square-crayfish instanceType=container project=default type=nic
DEBUG  [2024-08-24T21:37:03-05:00] Handling API request                          ip=@ method=GET protocol=unix url="/internal/containers/square-crayfish/onstop?project=default&target=stop" username=root
DEBUG  [2024-08-24T21:37:03-05:00] Instance operation lock inherited for stop    action=stop instance=square-crayfish instanceType=container project=default
DEBUG  [2024-08-24T21:37:03-05:00] Instance stopped, cleaning up                 instance=square-crayfish instanceType=container project=default
DEBUG  [2024-08-24T21:37:03-05:00] Stopping device                               device=root instance=square-crayfish instanceType=container project=default type=disk
DEBUG  [2024-08-24T21:37:03-05:00] Disconnected from seccomp socket after failed receive: pid=2740, err=EOF 
DEBUG  [2024-08-24T21:37:03-05:00] UnmountInstance started                       driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:37:03-05:00] UnmountInstance finished                      driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:37:03-05:00] Instance operation lock finished              action=stop err="<nil>" instance=square-crayfish project=default reusable=false
INFO   [2024-08-24T21:37:03-05:00] Shut down instance                            action=stop created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:37:02.017136701 +0000 UTC"
INFO   [2024-08-24T21:37:03-05:00] Action: instance-shutdown, Source: /1.0/instances/square-crayfish 
DEBUG  [2024-08-24T21:37:03-05:00] Scheduler: container square-crayfish stopped: re-balancing

Here is the incus monitor --pretty log if I didn't add security.syscalls.intercept.mount: "true".

test@debian:~$ incus monitor --pretty 
DEBUG  [2024-08-24T21:35:17-05:00] Event listener server handler started         id=053cb52a-969e-43ed-b339-81929f1aa9d7 local=/var/lib/incus/unix.socket remote=@
DEBUG  [2024-08-24T21:35:19-05:00] Handling API request                          ip=@ method=GET protocol=unix url=/1.0 username=test
DEBUG  [2024-08-24T21:35:19-05:00] Handling API request                          ip=@ method=GET protocol=unix url=/1.0/instances/square-crayfish username=test
DEBUG  [2024-08-24T21:35:19-05:00] Handling API request                          ip=@ method=GET protocol=unix url=/1.0/events username=test
DEBUG  [2024-08-24T21:35:19-05:00] Event listener server handler started         id=2ebbb767-cda2-4927-afc3-914402dbc7d4 local=/var/lib/incus/unix.socket remote=@
DEBUG  [2024-08-24T21:35:19-05:00] Handling API request                          ip=@ method=PUT protocol=unix url=/1.0/instances/square-crayfish/state username=test
DEBUG  [2024-08-24T21:35:19-05:00] New operation                                 class=task description="Starting instance" operation=a1873f7f-03d4-4331-bfbc-b04cee350e93 project=default
INFO   [2024-08-24T21:35:19-05:00] ID: a1873f7f-03d4-4331-bfbc-b04cee350e93, Class: task, Description: Starting instance  CreatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Pending StatusCode=Pending UpdatedAt="2024-08-24 21:35:19.934425656 -0500 CDT"
INFO   [2024-08-24T21:35:19-05:00] ID: a1873f7f-03d4-4331-bfbc-b04cee350e93, Class: task, Description: Starting instance  CreatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Running StatusCode=Running UpdatedAt="2024-08-24 21:35:19.934425656 -0500 CDT"
DEBUG  [2024-08-24T21:35:19-05:00] Started operation                             class=task description="Starting instance" operation=a1873f7f-03d4-4331-bfbc-b04cee350e93 project=default
DEBUG  [2024-08-24T21:35:19-05:00] Start started                                 instance=square-crayfish instanceType=container project=default stateful=false
INFO   [2024-08-24T21:35:19-05:00] Starting instance                             action=start created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:34:11.233590415 +0000 UTC"
DEBUG  [2024-08-24T21:35:19-05:00] Handling API request                          ip=@ method=GET protocol=unix url=/1.0/operations/a1873f7f-03d4-4331-bfbc-b04cee350e93 username=test
DEBUG  [2024-08-24T21:35:19-05:00] Instance operation lock created               action=start instance=square-crayfish project=default reusable=false
DEBUG  [2024-08-24T21:35:19-05:00] MountInstance started                         driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:35:19-05:00] MountInstance finished                        driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:35:19-05:00] Starting device                               device=eth0 instance=square-crayfish instanceType=container project=default type=nic
DEBUG  [2024-08-24T21:35:20-05:00] Starting device                               device=root instance=square-crayfish instanceType=container project=default type=disk
DEBUG  [2024-08-24T21:35:20-05:00] UpdateInstanceBackupFile started              driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:35:20-05:00] UpdateInstanceBackupFile finished             driver=dir instance=square-crayfish pool=default project=default
DEBUG  [2024-08-24T21:35:20-05:00] Skipping unmount as in use                    driver=dir pool=default refCount=1 volName=square-crayfish
DEBUG  [2024-08-24T21:35:20-05:00] Handling API request                          ip=@ method=GET protocol=unix url="/internal/containers/square-crayfish/onstart?project=default" username=root
DEBUG  [2024-08-24T21:35:20-05:00] Scheduler: container square-crayfish started: re-balancing 
INFO   [2024-08-24T21:35:20-05:00] ID: a1873f7f-03d4-4331-bfbc-b04cee350e93, Class: task, Description: Starting instance  CreatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Success StatusCode=Success UpdatedAt="2024-08-24 21:35:19.934425656 -0500 CDT"
INFO   [2024-08-24T21:35:20-05:00] Started instance                              action=start created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:34:11.233590415 +0000 UTC"
INFO   [2024-08-24T21:35:20-05:00] Action: instance-started, Source: /1.0/instances/square-crayfish, Requestor: unix/test (@) 
DEBUG  [2024-08-24T21:35:20-05:00] Instance operation lock finished              action=start err="<nil>" instance=square-crayfish project=default reusable=false
DEBUG  [2024-08-24T21:35:20-05:00] Start finished                                instance=square-crayfish instanceType=container project=default stateful=false
DEBUG  [2024-08-24T21:35:20-05:00] Success for operation                         class=task description="Starting instance" operation=a1873f7f-03d4-4331-bfbc-b04cee350e93 project=default
DEBUG  [2024-08-24T21:35:20-05:00] Event listener server handler stopped         listener=2ebbb767-cda2-4927-afc3-914402dbc7d4 local=/var/lib/incus/unix.socket remote=@

stgraber commented 1 month ago

Pretty odd.

Can you show incus console --show-log square-crayfish and incus info --show-log square-crayfish?

x32767 commented 1 month ago

Thank you for response.

test@debian:~$ incus console --show-log square-crayfish
Failed to mount tmpfs at /dev/shm: Invalid argument
Failed to mount tmpfs at /run: Invalid argument
Failed to mount tmpfs at /run/lock: Invalid argument
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

test@debian:~$ incus info --show-log square-crayfish
Name: square-crayfish
Status: STOPPED
Type: container
Architecture: aarch64
Created: 2024/08/24 20:53 CDT
Last Used: 2024/09/01 13:46 CDT

Log:

lxc square-crayfish 20240901184641.129 WARN     idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:165 - newuidmap binary is missing
lxc square-crayfish 20240901184641.129 WARN     idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:171 - newgidmap binary is missing
lxc square-crayfish 20240901184641.131 WARN     idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:165 - newuidmap binary is missing
lxc square-crayfish 20240901184641.131 WARN     idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:171 - newgidmap binary is missing

I then tried to fix it with apt install rootlesskit, but after that, it still cannot start.

test@debian:~$ incus start square-crayfish
test@debian:~$ incus list 
+-----------------+---------+------+------+-----------+-----------+
|      NAME       |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-----------------+---------+------+------+-----------+-----------+
| square-crayfish | STOPPED |      |      | CONTAINER | 0         |
+-----------------+---------+------+------+-----------+-----------+
test@debian:~$ incus info --show-log square-crayfish
Name: square-crayfish
Status: STOPPED
Type: container
Architecture: aarch64
Created: 2024/08/24 20:53 CDT
Last Used: 2024/09/01 13:50 CDT

Log:

test@debian:~$ incus console --show-log square-crayfish
Failed to mount tmpfs at /dev/shm: Invalid argument
Failed to mount tmpfs at /run: Invalid argument
Failed to mount tmpfs at /run/lock: Invalid argument
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

stgraber commented 1 month ago

Interesting, I'll try it again on aarch64 here. I wonder if that's related to the new mount API somehow.

stgraber commented 1 month ago

Reproduced the issue here

stgraber commented 1 month ago

Sent a fix for this

lxc / incus

Cannot start Incus container in arm64 VM created on top of Raspberry Pi OS after adding security.syscalls.intercept.mount: "true" #1153

Required information

Issue description

Steps to reproduce

Information to attach