On Tue, Apr 20, 2021 at 04:15:18PM +0200, Michal Privoznik wrote:
This is the bug I'm facing. I deliberately configured a container so that the source of a <filesystem/> to passthrough doesn't exist. The start fails with: lxcContainerPivotRoot:669 : Failed to create /non-existent/path/.oldroot: Permission denied which is expected. But what is NOT expected is that CGroup hierarchy is left behind. This is because the controller sets up the CGroup hierarchy, user namespace, moves interfaces, etc. and finally checks whether container setup (done in a separate process) succeeded. Only after all this the error is propagated to the LXC driver. The driver aborts the startup and tries to perform the cleanup, but this is missing CGroups because those weren't detected yet. Ideally, whenever a function fails, it tries to unroll back so that is has no artifacts left behind (look at all those frees/FD closes/etc. at end of functions). But with CGroups it is different - the controller process can't clean up after itself, because it is still running inside that CGroup. Therefore, what we have to do is to let the driver detect CGroups as soon as they are created, and proceed with controller execution only after that. Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> --- src/lxc/lxc_controller.c | 19 +++++++++++++++++-- src/lxc/lxc_process.c | 20 ++++++++++++++++++++ 2 files changed, 37 insertions(+), 2 deletions(-)
[...]
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index 493e19f03d..55e74e913b 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -1473,6 +1473,7 @@ int virLXCProcessStart(virConnectPtr conn,
if (g_atomic_int_add(&driver->nactive, 1) == 0 && driver->inhibitCallback)
driver->inhibitCallback(true, driver->inhibitOpaque);
+ /* The first synchronization point is when the controller creates CGroups. */
if (lxcContainerWaitForContinue(handshakefds[0]) < 0) {
char out[1024];
@@ -1504,6 +1505,25 @@ int virLXCProcessStart(virConnectPtr conn,
goto cleanup;
}
+ if (lxcContainerSendContinue(handshakefds[3]) < 0) {
+ virReportSystemError(errno, "%s",
+ _("Failed to send continue signal to controller"));
+ goto cleanup;
+ }
+
+ /* The second synchronization point is when the controller finished
+ * creating the container. */
+ if (lxcContainerWaitForContinue(handshakefds[0]) < 0) {
+ char out[1024];
+
+ if (!(virLXCProcessReadLogOutput(vm, logfile, pos, out, 1024) < 0)) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("guest failed to start: %s"), out);
It would be nice to differentiate the error message reported here to the one reported originally handful of lines above. Just for the sake of future debugging. Other than that the patches could be nicer to read if the variables were split or named differently, but after reading through a lot of the code around these parts I see that such a request would be unreasonable for this patch. Maybe a rewrite of the signalling could be an item for a TODO list, although I am not sure what would be the best way to handle this. Can we use for example eventfd()s? Would that help us at all? Anyway, with one of the error messages tweaked a bit: Reviewed-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
Attachment:
signature.asc
Description: PGP signature
