Re: Lxc support

On Fri, Oct 29, 2010 at 03:41:25PM +0200, Jean-Philippe Menil wrote:
> On 29/10/2010 14:51, Serge Hallyn wrote:
> >Quoting Jean-Philippe Menil (jean-philippe.menil@xxxxxxxxxxxxxx):
> >>10:41:10.076: error : lxcContainerStart:858 : Failed to run clone
> >>container: Operation not permitted
> >
> >I would guess that the libvirt process creating the container has dropped some
> >of the needed capabilities (CAP_SYS_ADMIN and a few others).  Is libvirtd
> >running as root?  What does /proc/$$/status for that process show?
> Hi,
> 
> libvirt is running as root.
> 
> root@redbreast:/tmp# ps aux | grep libvirtd | grep -v grep
> root     15718  0.0  0.0 157760  2924 ?        Sl   15:35   0:00 /usr/sbin/libvirtd -d
> 
> root@redbreast:/tmp# cat /proc/15718/status
> Name:	libvirtd
> State:	S (sleeping)
> Tgid:	15718
> Pid:	15718
> PPid:	1
> TracerPid:	0
> Uid:	0	0	0	0
> Gid:	0	0	0	0
> FDSize:	64
> Groups:	0
> VmPeak:	  181892 kB
> VmSize:	  157760 kB
> VmLck:	       0 kB
> VmHWM:	    2924 kB
> VmRSS:	    2924 kB
> VmData:	  115012 kB
> VmStk:	     136 kB
> VmExe:	     792 kB
> VmLib:	    6372 kB
> VmPTE:	     124 kB
> VmSwap:	       0 kB
> Threads:	7
> SigQ:	2/16382
> SigPnd:	0000000000000000
> ShdPnd:	0000000000000000
> SigBlk:	0000000000000000
> SigIgn:	0000000000001000
> SigCgt:	0000000180014007
> CapInh:	0000000000000000
> CapPrm:	ffffffffffffffff
> CapEff:	ffffffffffffffff
> CapBnd:	ffffffffffffffff
> Cpus_allowed:	ffff
> Cpus_allowed_list:	0-15
> Mems_allowed:	00000000,00000003
> Mems_allowed_list:	0-1
> voluntary_ctxt_switches:	321
> nonvoluntary_ctxt_switches:	7
> 
> and
> 
> root@redbreast:/tmp# cat /proc/15718/cgroup
> 1:blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,debug,cpuset:/

The problem is probably the 'blkio' controller combined with the 'ns'
controller. The 'blkio' controller will refuse to allow creation of
any child cgroups. This will cause the libvirt warning you see below.
It will also break the 'ns' cgroup, because that *requires* that you
can create child cgroups when creating a new container. 

> root@redbreast:/tmp# mount | grep cgroup
> none on /var/local/cgroup type cgroup (rw)
> 
> In the log, I can find the following:
> 15:35:58.853: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/lxc/
> 15:35:58.853: warning : lxcStartup:2109 : Unable to create cgroup for driver: Operation not permitted


Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
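
The two checks made in this thread (CAP_SYS_ADMIN in the effective capability set, then whether 'blkio' and 'ns' sit on the same cgroup hierarchy), written as an added example that is not part of the original messages. The function names are hypothetical, and demo() reuses the CapEff and cgroup values quoted above as its sample input.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Exit 0 if CapEff in a /proc/PID/status file includes CAP_SYS_ADMIN (bit 21).
has_cap_sys_admin() {
    awk '$1 == "CapEff:" && length($2) >= 6 {
        # Bit 21 is bit 1 of the 6th hex digit from the right (bits 20-23),
        # so that digit must be one of 2,3,6,7,a,b,e,f.
        d = tolower(substr($2, length($2) - 5, 1))
        found = (index("2367abef", d) > 0)
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Print the ID of every hierarchy in a /proc/PID/cgroup file
# (format: ID:controller,controller,...:path) that carries both blkio and ns.
comounted_blkio_ns() {
    awk -F: '{
        n = split($2, c, ","); b = 0; s = 0
        for (i = 1; i <= n; i++) {
            if (c[i] == "blkio") b = 1
            if (c[i] == "ns") s = 1
        }
        if (b && s) print $1
    }' "$1"
}

# triage STATUS_FILE CGROUP_FILE: print a one-line verdict.
triage() {
    ids=$(comounted_blkio_ns "$2" | tr '\n' ' ' | sed 's/ $//')
    if ! has_cap_sys_admin "$1"; then
        echo "CAP_SYS_ADMIN not in CapEff"
    elif [ -n "$ids" ]; then
        echo "blkio and ns share hierarchy $ids"
    else
        echo "no capability or blkio+ns co-mount problem found"
    fi
}

# Sample input: values copied from the output quoted in the thread.
demo() {
    dir=$(mktemp -d)
    printf 'Name:\tlibvirtd\nCapEff:\tffffffffffffffff\n' > "$dir/status"
    printf '1:blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,debug,cpuset:/\n' > "$dir/cgroup"
    triage "$dir/status" "$dir/cgroup"
    rm -rf "$dir"
}
demo
```

On a live host the same call is `triage /proc/PID/status /proc/PID/cgroup` with the libvirtd PID.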


