lxc / lxc

LXC - Linux Containers
https://linuxcontainers.org/lxc

lxc-execute does not work properly with containers based on the OCI template #2590

Closed tears-of-noobs closed 5 years ago

tears-of-noobs commented 6 years ago

# Required information

   * `lxc-checkconfig`

```
--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/blkio
/sys/fs/cgroup/pids
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/freezer
/sys/fs/cgroup/rdma
/sys/fs/cgroup/devices
/sys/fs/cgroup/memory
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/cpuset

Cgroup v2 mount points:
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
```

   * `uname -a`

```
Linux pornhub.s 4.18.5-arch1-1-ARCH #1 SMP PREEMPT Fri Aug 24 12:48:58 UTC 2018 x86_64 GNU/Linux
```

   * `cat /proc/self/cgroup`

```
12:cpuset:/
11:perf_event:/
10:cpu,cpuacct:/
9:memory:/user.slice/user-1000.slice/session-1.scope
8:devices:/user.slice
7:rdma:/
6:freezer:/
5:hugetlb:/
4:pids:/user.slice/user-1000.slice/session-1.scope
3:blkio:/
2:net_cls,net_prio:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
0::/user.slice/user-1000.slice/session-1.scope
```

   * `cat /proc/1/mounts`

```
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sys /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
dev /dev devtmpfs rw,nosuid,relatime,size=3880704k,nr_inodes=970176,mode=755 0 0
run /run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
zroot / zfs rw,relatime,xattr,noacl 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=37,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=3836 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
configfs /sys/kernel/config configfs rw,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
/dev/nvme0n1p1 /boot ext4 rw,relatime,data=ordered 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=777908k,mode=700,uid=1000,gid=1000 0 0
```


# Issue description

`lxc-execute` does not work on any container based on the OCI template. I tried `docker://alpine`, `docker://redis` and `docker://redis:alpine`.
Each execution of `lxc-execute` gives me the following errors:

```
lxc-execute c1 --logfile=/tmp/c1 --logpriority=DEBUG
lxc-execute: c1: conf.c: lxc_setup: 3574 No such file or directory - Unable to open lxc.init.static
lxc-execute: c1: start.c: do_start: 1234 Failed to setup container "c1"
lxc-execute: c1: sync.c: __sync_wait: 59 An error occurred in another process (expected sequence number 5)
lxc-execute: c1: start.c: __lxc_start: 1910 Failed to spawn container "c1"
lxc-execute: c1: tools/lxc_execute.c: main: 240 Failed run an application inside container
```


# Steps to reproduce

 1. Install ArchLinux
 2. pacman -S lxc
 3. lxc-create c1 -t oci -- --url docker://alpine
 4. lxc-execute c1 --logfile=/tmp/c1 --logpriority=DEBUG

# Information to attach

 - [ ] any relevant kernel output (`dmesg`)
 - [ ] container log 

```
lxc-execute c1 20180907031022.502 INFO lsm - lsm/lsm.c:lsm_init:47 - LSM security driver nop
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "reject_force_umount # comment this to allow umount -f; not recommended"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:do_resolve_add_rule:503 - Set seccomp rule to reject force umounts
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:934 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:do_resolve_add_rule:503 - Set seccomp rule to reject force umounts
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:943 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:do_resolve_add_rule:503 - Set seccomp rule to reject force umounts
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:953 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:do_resolve_add_rule:503 - Set seccomp rule to reject force umounts
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:963 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "[all]"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "kexec_load errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:934 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:943 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:953 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:963 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "open_by_handle_at errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:934 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:943 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:953 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:963 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "init_module errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:934 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:943 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:953 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:963 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "finit_module errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:934 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:943 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:953 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:963 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "delete_module errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:934 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:943 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:953 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:963 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:967 - Merging compat seccomp contexts into main context
lxc-execute c1 20180907031022.505 DEBUG terminal - terminal.c:lxc_terminal_peer_default:711 - Using terminal "/dev/tty" as proxy
lxc-execute c1 20180907031022.505 DEBUG terminal - terminal.c:lxc_terminal_signal_init:189 - Created signal fd 9
lxc-execute c1 20180907031022.505 DEBUG terminal - terminal.c:lxc_terminal_winsz:87 - Set window size to 239 columns and 86 rows
lxc-execute c1 20180907031022.506 INFO start - start.c:lxc_init:866 - Container "c1" is initialized
lxc-execute c1 20180907031022.507 DEBUG cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:613 - "cgroup.clone_children" was already set to "1"
lxc-execute c1 20180907031022.510 INFO start - start.c:lxc_spawn:1657 - Cloned CLONE_NEWNS
lxc-execute c1 20180907031022.511 INFO start - start.c:lxc_spawn:1657 - Cloned CLONE_NEWPID
lxc-execute c1 20180907031022.511 INFO start - start.c:lxc_spawn:1657 - Cloned CLONE_NEWUTS
lxc-execute c1 20180907031022.511 INFO start - start.c:lxc_spawn:1657 - Cloned CLONE_NEWIPC
lxc-execute c1 20180907031022.511 INFO start - start.c:lxc_spawn:1657 - Cloned CLONE_NEWNET
lxc-execute c1 20180907031022.511 DEBUG start - start.c:lxc_try_preserve_namespaces:205 - Preserved mnt namespace via fd 15
lxc-execute c1 20180907031022.511 DEBUG start - start.c:lxc_try_preserve_namespaces:205 - Preserved pid namespace via fd 16
lxc-execute c1 20180907031022.511 DEBUG start - start.c:lxc_try_preserve_namespaces:205 - Preserved uts namespace via fd 17
lxc-execute c1 20180907031022.511 DEBUG start - start.c:lxc_try_preserve_namespaces:205 - Preserved ipc namespace via fd 18
lxc-execute c1 20180907031022.511 DEBUG start - start.c:lxc_try_preserve_namespaces:205 - Preserved net namespace via fd 19
lxc-execute c1 20180907031022.511 INFO cgfsng - cgroups/cgfsng.c:cg_legacy_setup_limits:2196 - Limits for the legacy cgroup hierarchies have been setup
lxc-execute c1 20180907031022.512 DEBUG start - start.c:lxc_spawn:1711 - Preserved net namespace via fd 10
lxc-execute c1 20180907031022.512 INFO start - start.c:do_start:1213 - Unshared CLONE_NEWCGROUP
lxc-execute c1 20180907031022.514 DEBUG storage - storage/storage.c:get_storage_by_name:229 - Detected rootfs type "dir"
lxc-execute c1 20180907031022.514 DEBUG conf - conf.c:lxc_mount_rootfs:1343 - Mounted rootfs "/var/lib/lxc/c1/rootfs" onto "/usr/lib/lxc/rootfs" with options "(null)"
lxc-execute c1 20180907031022.514 INFO conf - conf.c:setup_utsname:802 - Set hostname to "c1"
lxc-execute c1 20180907031022.514 INFO network - network.c:lxc_setup_network_in_child_namespaces:3037 - network has been setup
lxc-execute c1 20180907031022.514 INFO conf - conf.c:mount_autodev:1129 - Preparing "/dev"
lxc-execute c1 20180907031022.514 INFO conf - conf.c:mount_autodev:1176 - Prepared "/dev"
lxc-execute c1 20180907031022.515 ERROR conf - conf.c:lxc_setup:3574 - No such file or directory - Unable to open lxc.init.static
lxc-execute c1 20180907031022.515 ERROR start - start.c:do_start:1234 - Failed to setup container "c1"
lxc-execute c1 20180907031022.516 ERROR sync - sync.c:__sync_wait:59 - An error occurred in another process (expected sequence number 5)
lxc-execute c1 20180907031022.516 DEBUG network - network.c:lxc_delete_network:3164 - Deleted network devices
lxc-execute c1 20180907031022.517 ERROR start - start.c:lxc_start:1910 - Failed to spawn container "c1"
lxc-execute c1 20180907031022.563 ERROR lxc_execute - tools/lxc_execute.c:main:240 - Failed run an application inside container
```

 - [ ] the container's configuration file

```
# Template used to create this container: /usr/share/lxc/templates/lxc-oci
# Parameters passed to the template: --url docker://alpine
# Template script checksum (SHA-1): 514ea15bea74c72d94e29782d32e446ab677c926
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

lxc.net.0.type = empty
lxc.rootfs.path = dir:/var/lib/lxc/c1/rootfs
lxc.execute.cmd = '"/bin/sh" '
lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed
lxc.environment = PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/oci.common.conf
lxc.uts.name = c1
lxc.init.uid = 0
lxc.init.gid = 0
lxc.init.cwd = /
```
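A preflight check and a log-triage helper for the reproduction steps and the DEBUG log above, added here as an example; it is not the LXC project's code and not the reporter's. It assumes the static helper is a file named `init.lxc.static` in a directory you pass in (the install prefix differs between distributions, so no path is hard-coded), and the sample log is a constructed reduction of the output quoted in the issue. The triage part picks the first ERROR line rather than the last, because the later ones (`do_start`, `__sync_wait`, `lxc_start`) only report the first failure propagating, and it lists which syscalls the parsed seccomp profile denies with an errno, so you can confirm which policy was in force before the failure.

```shell
#!/bin/sh
# Added example, not code from the LXC project or the issue author.
# Assumptions: the static init helper is DIR/init.lxc.static for the DIR given
# to preflight, and the log layout is the lxc-execute DEBUG output quoted above.

# Constructed sample, reduced from the DEBUG log in the issue.
SAMPLE_LOG='lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "reject_force_umount # comment this to allow umount -f; not recommended"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "[all]"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "kexec_load errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "open_by_handle_at errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "init_module errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "finit_module errno 1"
lxc-execute c1 20180907031022.503 INFO seccomp - seccomp.c:parse_config_v2:757 - Processing "delete_module errno 1"
lxc-execute c1 20180907031022.514 DEBUG conf - conf.c:lxc_mount_rootfs:1343 - Mounted rootfs "/var/lib/lxc/c1/rootfs" onto "/usr/lib/lxc/rootfs" with options "(null)"
lxc-execute c1 20180907031022.515 ERROR conf - conf.c:lxc_setup:3574 - No such file or directory - Unable to open lxc.init.static
lxc-execute c1 20180907031022.515 ERROR start - start.c:do_start:1234 - Failed to setup container "c1"
lxc-execute c1 20180907031022.516 ERROR sync - sync.c:__sync_wait:59 - An error occurred in another process (expected sequence number 5)
lxc-execute c1 20180907031022.517 ERROR start - start.c:lxc_start:1910 - Failed to spawn container "c1"'

# first_error LOG: print the earliest ERROR line, which is the root cause.
first_error() {
    printf '%s\n' "$1" | sed -n '/ ERROR /{p;q;}'
}

# root_cause_message LOG: strip the "prog name timestamp LEVEL subsystem -
# file:function:line - " prefix and keep only the message.
root_cause_message() {
    first_error "$1" | sed 's/^.*:[0-9][0-9]* - //'
}

# diagnose LOG: map a known root cause to the host-side fix.
diagnose() {
    case "$(root_cause_message "$1")" in
        *"Unable to open lxc.init.static"*)
            echo "host is missing init.lxc.static; install it before using lxc-execute" ;;
        "")
            echo "no ERROR lines found" ;;
        *)
            echo "unrecognised: $(root_cause_message "$1")" ;;
    esac
}

# seccomp_errno_rules LOG: list the syscalls the parsed profile denies with an
# errno, one "name errno N" per line, in the order the profile was processed.
seccomp_errno_rules() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*Processing "\([a-z_0-9]*\) errno \([0-9]*\)".*$/\1 errno \2/p'
}

# preflight DIR: fail before starting a container if DIR/init.lxc.static is
# absent, which is the condition that makes lxc_setup fail in the log above.
preflight() {
    if [ -x "$1/init.lxc.static" ]; then
        echo "ok: $1/init.lxc.static is present"
        return 0
    fi
    echo "missing: $1/init.lxc.static (lxc-execute will fail in lxc_setup)" >&2
    return 1
}
```

Run `preflight` with the directory your distribution installs LXC's helpers into before step 4 of the reproduction, and feed the `--logfile` output to `diagnose` when a run fails; `seccomp_errno_rules` is only there to check that the expected profile was the one loaded.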

brauner commented 5 years ago

ArchLinux does not install init.lxc.static which we found out just a little while ago. So you see:

lxc-execute c1 20180907031022.515 ERROR    conf - conf.c:lxc_setup:3574 - No such file or directory - Unable to open lxc.init.static

so ArchLinux should start to ship init.lxc.static.

brauner commented 5 years ago

Sorry I can't be more helpful than that.