lxc. procps can not be installed

Bug #1300927 reported by Andy Igoshin
Affects: procps (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Unassigned

Bug Description

ubuntu 12.04, host kernel - linux-image-3.11.0-18-generic

lxc

apt-get upgrade procps (inside lxc)

Setting up procps (1:3.2.8-11ubuntu6.3) ...
start: Job failed to start
invoke-rc.d: initscript procps, action "start" failed.
dpkg: error processing procps (--configure):
 subprocess installed post-installation script returned error exit status 1

description: updated
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug. Could you please post the contents of

/var/log/upstart/procps*

Changed in procps (Ubuntu):
status: New → Incomplete
Andy Igoshin (andy-igoshin) wrote :

/var/log/upstart/procps.log

error: permission denied on key 'kernel.printk'
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
error: permission denied on key 'kernel.kptr_restrict'
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
error: permission denied on key 'kernel.yama.ptrace_scope'
vm.mmap_min_addr = 65536
error: permission denied on key 'kernel.core_uses_pid'
error: permission denied on key 'fs.suid_dumpable'
error: "Invalid argument" setting key "net.core.somaxconn"
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
error: permission denied on key 'kernel.printk'
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
error: permission denied on key 'kernel.kptr_restrict'
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
error: permission denied on key 'kernel.yama.ptrace_scope'
vm.mmap_min_addr = 65536
error: permission denied on key 'kernel.core_uses_pid'
error: permission denied on key 'fs.suid_dumpable'
error: "Invalid argument" setting key "net.core.somaxconn"
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
error: permission denied on key 'kernel.printk'
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
error: permission denied on key 'kernel.kptr_restrict'
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
error: permission denied on key 'kernel.yama.ptrace_scope'
vm.mmap_min_addr = 65536
error: permission denied on key 'kernel.core_uses_pid'
error: permission denied on key 'fs.suid_dumpable'
error: "Invalid argument" setting key "net.core.somaxconn"
net.ipv4.conf.default.rp_filter = 1
net.ipv4...

Changed in procps (Ubuntu):
status: Incomplete → New
Serge Hallyn (serge-hallyn) wrote :

Thanks for the info. I was mis-remembering and thought we had
changed the procps job to ignore eperm failures, but in fact it
only ignores failures due to unknown keys.

A container is in fact not allowed to change any sysctl values
other than /proc/sys/kernel/shm*.

We could make sysctl ignore the write failures, but that may not
be the safest thing to do long-term.

In the meantime, in your container you should edit /etc/sysctl.conf
and /etc/sysctl.d/* and remove the net.core.somaxconn, fs.suid_dumpable,
kernel.yama.ptrace_scope, kernel.core_uses_pid, kernel.printk, and
kernel.kptr_restrict entries.

Changed in procps (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
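
The cleanup described in the comment above can be scripted. This is an added example, not part of the bug report or of procps: it extracts the rejected keys from a log in the format quoted earlier and prints a sysctl file with those keys commented out. The function names, the marker comment and the sample sysctl file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): find the sysctl keys the procps job
# could not set inside the container and comment them out of a config file.

# failed_keys LOG: print each rejected key once, one per line.
failed_keys() {
    sed -n \
        -e "s/^error: permission denied on key '\([^']*\)'.*/\1/p" \
        -e 's/^error: "Invalid argument" setting key "\([^"]*\)".*/\1/p' \
        "$1" | sort -u
}

# disable_keys LOG CONF: print CONF with the rejected keys commented out.
# Nothing is modified in place; review the output before replacing the file.
disable_keys() {
    keys=$(failed_keys "$1" | tr '\n' ' ')
    awk -v keys="$keys" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) bad[k[i]] = 1 }
        {
            key = $0
            sub(/^[ \t]+/, "", key)      # drop leading whitespace
            sub(/[ \t]*=.*$/, "", key)   # keep only the key name
            if (key in bad) print "# rejected in container: " $0
            else print
        }' "$2"
}

# Constructed sample input: log lines in the format quoted above, and a
# made-up sysctl file (the real files are not shown in the report).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/procps.log" <<'EOF'
error: permission denied on key 'kernel.printk'
net.ipv4.conf.all.rp_filter = 1
error: permission denied on key 'kernel.kptr_restrict'
error: "Invalid argument" setting key "net.core.somaxconn"
error: permission denied on key 'kernel.printk'
EOF
    cat > "$tmp/sysctl.conf" <<'EOF'
# sample settings
kernel.printk = 4 4 1 7
net.ipv4.conf.all.rp_filter=1
  net.core.somaxconn = 1024
EOF
    disable_keys "$tmp/procps.log" "$tmp/sysctl.conf"
    rm -rf "$tmp"
}
demo
```

Commenting the entries out rather than deleting them keeps a record of which settings the container does not apply, so they can still be enforced on the host.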
Andy Igoshin (andy-igoshin) wrote :

Thanks! Now the problem is resolved.

Serge Hallyn (serge-hallyn) wrote :

Thanks. I've been thinking about what to do with this bug... I could be
persuaded otherwise, but currently my thinking is: (a) it is not safe to
always ignore errors, as users should be told if they have a bad sysctl
listed in case it is important; (b) for the same reason, it is best not to
ignore all errors in containers. Therefore I will mark this bug invalid.

Changed in procps (Ubuntu):
status: Confirmed → Invalid