tailhook / vagga

Vagga is a containerization tool without daemons
http://vagga.readthedocs.org
MIT License

fork error on centos 7.2 #156

Open satra opened 8 years ago

satra commented 8 years ago

we now have centos 7.2 with an updated shadowutils installed, but running into a forking error.

vagga git hash: gf875e05

uname: Linux node053 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

strace output: https://www.dropbox.com/s/qc5ztndrk9gho02/strace2.log?dl=0

satra commented 8 years ago

@tailhook - any thoughts here?

tailhook commented 8 years ago

Well, no good ideas so far. Try looking at the kernel config and see if the options CONFIG_USER_NS, CONFIG_SYSVIPC, CONFIG_IPC_NS, CONFIG_NET_NS, CONFIG_PID_NS and CONFIG_UTS are set to =y

satra commented 8 years ago

all options are set.

CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SYSVIPC=y

If it helps, I can't seem to get lxc-create (from lxc 1.1.5) to work either on this system, but the error is different.

tailhook commented 8 years ago

@satra interesting, what error do you get from LXC?

satra commented 8 years ago

$ lxc-create -t download -n p1 -- -d ubuntu -r trusty -a amd64
unshare: Invalid argument
read pipe: No such file or directory
lxc-create: lxccontainer.c: do_create_container_dir: 879 Failed to chown container dir
lxc-create: lxc_create.c: main: 274 Error creating container p1

tailhook commented 8 years ago

Well, unshare: Invalid argument is exactly the same error. Everything later is just symptoms rather than failure reason.

tailhook commented 8 years ago

@satra have you tried to run either of these with sudo? Don't you run it in chroot? Do you have some MAC activated? (from strace it looks like you don't have selinux, maybe app armor or anything in centos).

Anyway, it looks like a kernel issue. Maybe CentOS has some patches in the kernel? I'm not sure where to look.

satra commented 8 years ago

I don't have sudo privileges on the node. I can check if that helps.

Regarding MACs, we do have cgroups enabled.

I'll try to run it in a vanilla centos vm/chroot to see if it works.

tailhook commented 8 years ago

Well, user namespaces don't work in chroot. (I believe it should return "Permission Denied" rather than "Invalid argument", but I'm not sure.)

Cgroups should probably have no meaning.

i don't have sudo privileges on the node. i can check if that helps.

I'm not sure if that would be helpful. But if user namespaces work for root, this means either the kernel has been patched to work for root only (it is in some distributions), or we reached another undocumented limitation of namespaces. The chroot one is one such limitation that was discovered experimentally. There are plenty of others, though. It may also be useful to see the CapXXX lines from /proc/self/status.

tailhook commented 8 years ago

Well, it looks like RHEL 7 with kernel 3.10 (which CentOS inherits AFAIK) doesn't allow unprivileged users to use user namespaces because they explicitly disabled the functionality: https://bugzilla.redhat.com/show_bug.cgi?id=917708
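The diagnosis in this thread boils down to one syscall: unshare(CLONE_NEWUSER) returning EINVAL (flag rejected by the kernel) versus EPERM (a chroot or privilege problem). The following probe is an added example, not vagga's or LXC's code; it runs that call in a throwaway child, maps the errno to the explanations given above, and prints the Cap* lines from /proc/self/status that were requested. The interpretation strings are this example's own wording of the thread's conclusions.

```c
// diag_userns.c (added example): probe unshare(CLONE_NEWUSER) and explain the result.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Map the errno from unshare(CLONE_NEWUSER) to the diagnosis discussed in the thread. */
const char *explain_userns_errno(int err) {
    switch (err) {
    case 0:      return "user namespaces work for this user";
    case EINVAL: return "CLONE_NEWUSER rejected: kernel built without CONFIG_USER_NS, "
                        "or the distro disabled it (RHEL 7 / CentOS 7 kernel 3.10)";
    case EPERM:  return "not permitted: caller is chrooted, lacks privilege, "
                        "or the kernel allows user namespaces for root only";
    case ENOSPC: return "namespace nesting or count limit reached";
    default:     return strerror(err);
    }
}

/* Probe in a forked child so the caller's own namespaces stay untouched.
   Returns the child's errno (0 on success), or -1 if the probe itself failed. */
int probe_user_namespace(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : (errno & 0xff));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Print the Cap* lines from /proc/self/status, as suggested in the thread. */
void print_capability_lines(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return;
    char line[256];
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "Cap", 3) == 0) fputs(line, stdout);
    fclose(f);
}

int main(void) {
    int err = probe_user_namespace();
    printf("unshare(CLONE_NEWUSER): %s\n",
           err < 0 ? "probe failed" : explain_userns_errno(err));
    print_capability_lines();
    return 0;
}
```

On the CentOS 7.2 node from this issue the probe is expected to report the EINVAL case; on a kernel with unprivileged user namespaces enabled it reports success.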