[SRU] failure to start a container

Bug #1386840 reported by Brian Murray
This bug affects 6 people
Affects        Status         Importance   Assigned to    Milestone
lxc (Ubuntu)   Fix Released   High         Unassigned
Trusty         Fix Released   Undecided    Unassigned
Utopic         Fix Released   Undecided    Felipe Reyes

Bug Description

[Impact]

Without this patch, containers that don't have a complete AppArmor
configuration fail to start, making lxc unusable for running Debian Sid and
Jessie (at least).

This bug is not present in Trusty, which ships 1.0.7 (Debian Sid runs OK).

[Test Case]

- Create a debian sid container
  $ sudo env SUITE=sid lxc-create -t debian -n sid

- Start the container
  $ sudo lxc-start -n sid

Expected behavior:

The container is started

Actual behavior:

$ sudo lxc-start -F -n sid
lxc-start: lsm/apparmor.c: mount_feature_enabled: 61 Permission denied - Error mounting securityfs
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 186 If you really want to start this container, set
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 187 lxc.aa_allow_incomplete = 1
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 188 in your container configuration file
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 4
lxc-start: start.c: __lxc_start: 1087 failed to spawn 'sid'
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing name=systemd:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing perf_event:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing net_prio:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing net_cls:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing memory:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing hugetlb:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing freezer:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing devices:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing cpuset:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing cpuacct:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing cpu:lxc/sid-2
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing blkio:lxc/sid-2
lxc-start: lxc_start.c: main: 337 The container failed to start.
lxc-start: lxc_start.c: main: 341 Additional information can be obtained by setting the --logfile and --logpriority options.

[Regression Potential]

No regressions expected; different versions of Ubuntu and Debian containers
were tested with this patch applied.

[Other Info]

On utopic using lxc version 1.1.0~alpha2-0ubuntu3, I was unable to start a container.

$ sudo lxc-start -F -n lxc-errors
lxc-start: lsm/apparmor.c: mount_feature_enabled: 61 Permission denied - Error mounting securityfs
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 186 If you really want to start this container, set
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 187 lxc.aa_allow_incomplete = 1
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 188 in your container configuration file
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 4
lxc-start: start.c: __lxc_start: 1087 failed to spawn 'lxc-errors'
lxc-start: cgmanager.c: cgm_remove_cgroup: 503 call to cgmanager_remove_sync failed: invalid request
lxc-start: cgmanager.c: cgm_remove_cgroup: 505 Error removing name=systemd:lxc/lxc-errors-2

Switching to the version of lxc in http://ppa.launchpad.net/ubuntu-lxc/daily/ resolved the failure to start for me.

tags: added: utopic
Changed in lxc (Ubuntu):
importance: Undecided → High
status: New → Triaged
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu Trusty):
status: New → Confirmed
Changed in lxc (Ubuntu Utopic):
status: New → Confirmed
maxadamo (massimilianoadamo) wrote :

This is the workaround:
apt-get install apparmor-utils
aa-complain /usr/bin/lxc-start

Here, I think, there should be the solution:
https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010662.html
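
The report names two ways around the failure: `lxc.aa_allow_incomplete = 1` (suggested by the error output) and `aa-complain /usr/bin/lxc-start`; both relax AppArmor confinement and are easy to leave in place after a fixed lxc package is installed. The script below is an added example, not part of the comment above or of lxc itself, that looks for either leftover; the config layout `<lxcpath>/<name>/config`, the fixture and the sample `aa-status` text are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find leftovers of the two workarounds named in this report.
# Assumptions: container configs are <lxcpath>/<name>/config (default
# /var/lib/lxc); files pulled in via lxc.include are not followed.

# Print the name of every container whose config actively sets
# lxc.aa_allow_incomplete = 1 (commented-out lines do not count).
find_incomplete_overrides() {
    lxcpath=${1:-/var/lib/lxc}
    re='^[[:space:]]*lxc\.aa_allow_incomplete[[:space:]]*=[[:space:]]*1[[:space:]]*$'
    for cfg in "$lxcpath"/*/config; do
        [ -f "$cfg" ] || continue
        if grep -Eq "$re" "$cfg"; then basename "$(dirname "$cfg")"; fi
    done
}

# Read `aa-status` output on stdin; exit 0 if profile $1 is listed in the
# "profiles are in complain mode" section, 1 otherwise.
profile_in_complain_mode() {
    awk -v p="$1" '
        /profiles are in / { in_sec = ($0 ~ /complain mode/); next }
        /^[^ \t]/          { in_sec = 0 }
        in_sec { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == p) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed fixture (not taken from the bug report): three container configs.
DEMO_LXCPATH=$(mktemp -d)
trap 'rm -rf "$DEMO_LXCPATH"' EXIT
mkdir "$DEMO_LXCPATH/sid" "$DEMO_LXCPATH/jessie" "$DEMO_LXCPATH/trusty"
printf 'lxc.utsname = sid\nlxc.aa_allow_incomplete = 1\n' > "$DEMO_LXCPATH/sid/config"
printf 'lxc.utsname = jessie\n# lxc.aa_allow_incomplete = 1\n' > "$DEMO_LXCPATH/jessie/config"
printf 'lxc.utsname = trusty\nlxc.aa_allow_incomplete = 0\n' > "$DEMO_LXCPATH/trusty/config"

# Constructed aa-status output with the lxc-start profile left in complain mode.
DEMO_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   lxc-container-default
1 profiles are in complain mode.
   /usr/bin/lxc-start
0 processes have profiles defined.'

echo "containers with lxc.aa_allow_incomplete = 1:"
find_incomplete_overrides "$DEMO_LXCPATH"
if printf '%s\n' "$DEMO_AA_STATUS" | profile_in_complain_mode /usr/bin/lxc-start; then
    echo "/usr/bin/lxc-start profile is in complain mode"
fi
```

On a real host, call `find_incomplete_overrides` with no argument and pipe `aa-status` (run as root) into `profile_in_complain_mode /usr/bin/lxc-start`; `aa-enforce /usr/bin/lxc-start` from apparmor-utils puts the profile back in enforce mode.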

Serge Hallyn (serge-hallyn) wrote :

I am pushing lxc_1.1.0~alpha2-0ubuntu7 which should fix this bug. I'm hoping someone will SRU the patch to T and U.

Note that any container which actually specifies the securityfs mount in its config (as the default unprivileged ubuntu configs do) should not have this problem.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.1.0~alpha2-0ubuntu7

---------------
lxc (1.1.0~alpha2-0ubuntu7) vivid; urgency=medium

  * Cherrypick 0010-apparmor-check-for-mount-feature-at-a-better-time.patch
    from upstream to fix startup failure with certain setups (LP: #1386840)
 -- Serge Hallyn <email address hidden> Tue, 11 Nov 2014 14:54:44 -0600

Changed in lxc (Ubuntu):
status: Triaged → Fix Released
Felipe Reyes (freyes)
Changed in lxc (Ubuntu Trusty):
assignee: nobody → Felipe Reyes (freyes)
Changed in lxc (Ubuntu Utopic):
assignee: nobody → Felipe Reyes (freyes)
Felipe Reyes (freyes) wrote :

Patch to backport the fix into utopic.

description: updated
summary: - failure to start a container
+ [SRU] failure to start a container
Changed in lxc (Ubuntu Utopic):
assignee: Felipe Reyes (freyes) → nobody
assignee: nobody → Felipe Reyes (freyes)
Changed in lxc (Ubuntu Trusty):
assignee: Felipe Reyes (freyes) → nobody
status: Confirmed → Incomplete
Felipe Reyes (freyes)
Changed in lxc (Ubuntu Utopic):
status: Confirmed → In Progress
Felipe Reyes (freyes) wrote :

Here I'm attaching a patch built on top of the latest version of the package (1.1.0~alpha2-0ubuntu3.1)

Felipe Reyes (freyes)
tags: added: cts
Chris J Arges (arges) wrote :

Sponsored for Utopic.

Chris J Arges (arges) wrote : Please test proposed package

Hello Brian, or anyone else affected,

Accepted lxc into utopic-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/1.1.0~alpha2-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Utopic):
status: In Progress → Fix Committed
tags: added: verification-needed
TripleDES (tripledes) wrote :

Using 1.1.0~alpha2-0ubuntu3.2 fixes the issue. Thanks!

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.1.0~alpha2-0ubuntu3.2

---------------
lxc (1.1.0~alpha2-0ubuntu3.2) utopic; urgency=medium

  * Cherrypick 0007-apparmor-check-for-mount-feature-at-a-better-time.patch
    from upstream to fix startup failure with certain setups (LP: #1386840)
 -- Felipe Reyes <email address hidden> Thu, 05 Feb 2015 14:20:59 -0600

Changed in lxc (Ubuntu Utopic):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for lxc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in lxc (Ubuntu Trusty):
status: Incomplete → Fix Released