[libvirt] [PATCH v3 00/12] Add user namespace support for libvirt lxc

Richard Weinberger richard at sigma-star.at
Tue Jun 11 07:06:29 UTC 2013


On 11.06.2013 08:17, Gao feng wrote:
> On 06/11/2013 02:02 PM, Richard Weinberger wrote:
>> On 11.06.2013 05:12, Gao feng wrote:
>>> On 06/11/2013 04:51 AM, Richard Weinberger wrote:
>>>> On 10.06.2013 21:53, Richard Weinberger wrote:
>>>>> On 10.06.2013 21:17, Richard Weinberger wrote:
>>>>>> Hi!
>>>>>>
>>>>>> On 04.06.2013 13:03, Daniel P. Berrange wrote:
>>>>>>>> It's still under review. needs some ACK.
>>>>>>>> If you can help to test or ACK this patchset, it will be very helpful. :)
>>>>>>>>
>>>>>>>> Actually, I just want to ping...
>>>>>>>
>>>>>>> I've been away on holiday for 2 weeks, so not had a chance to review
>>>>>>> it yet. I'll get to it this week. I hope we'll get this in the 1.0.6
>>>>>>> release this month.
>>>>>>
>>>>>> Finally I've found some time to test version 4 of the userns patch set.
>>>>>> But I'm unable to create a container.
>>>>>>
>>>>>> ---cut---
>>>>>> linux:~ # LANG=C /opt/libvirt/bin/virsh -c lxc:/// create c1.conf
>>>>>> error: Failed to create domain from c1.conf
>>>>>> error: Interner Fehler guest failed to start: PATH=/bin:/sbin TERM=linux container=lxc-libvirt container_uuid=3f86c48b-b027-4838-ba17-6202a1d7398b
>>>>>> LIBVIRT_LXC_UUID=3f86c48b-b027-4838-ba17-6202a1d7398b LIBVIRT_LXC_NAME=c1 /bin/bash
>>>>>> error receiving signal from container: Input/output error
>>>>>> ---cut---
>>>>>>
>>>>>> lxcContainerWaitForContinue() in src/lxc/lxc_controller.c fails with EIO.
>>>>>> Maybe because the clone()'ed child dies and the file descriptor used for synchronization becomes invalid.
>>>>>>
>>>>>> Here is my container config:
>>>>>> ---cut---
>>>>>> <domain type='lxc'>
>>>>>>      <name>c1</name>
>>>>>>      <memory>102400</memory>
>>>>>>      <os>
>>>>>>        <type>exe</type>
>>>>>>        <init>/bin/bash</init>
>>>>>>      </os>
>>>>>>      <idmap>
>>>>>>            <uid start='0' target='100000' count='100000'/>
>>>>>>            <gid start='0' target='100000' count='100000'/>
>>>>>>      </idmap>
>>>>>>      <devices>
>>>>>>        <console type='pty'/>
>>>>>>            <filesystem type='mount'>
>>>>>>              <source dir='/root/c1/rootfs'/>
>>>>>>              <target dir='/'/>
>>>>>>            </filesystem>
>>>>>>      </devices>
>>>>>> </domain>
>>>>>> ---cut---
>>>>>>
>>>>>> Any ideas how to debug this further?
>>>>>> This is Linux 3.9.0 with all namespaces enabled.
>>>>>
>>>>> Whoops, forgot to add the libvirtd debug output:
>>>>>
>>>>> ---cut---
>>>>> 2013-06-10 19:41:24.661+0000: 29211: debug : virCommandRunAsync:2241 : About to run
>>>>> PATH=/usr/lib64/mpi/gcc/openmpi/bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games LIBVIRT_DEBUG=1 LIBVIRT_LOG_OUTPUTS=1:stderr
>>>>> /opt/libvirt/lib/libvirt_lxc --name c1 --console 20 --security=none --handshake 23 --background
>>>>> 2013-06-10 19:41:24.663+0000: 29211: debug : virFileClose:90 : Closed fd 24
>>>>> 2013-06-10 19:41:24.663+0000: 29211: debug : virCommandRunAsync:2246 : Command result 0, with PID 29303
>>>>> 2013-06-10 19:41:24.664+0000: 29303: debug : virFileClose:90 : Closed fd 3
>>>>> 2013-06-10 19:41:24.665+0000: 29303: debug : virFileClose:90 : Closed fd 4
>>>>> 2013-06-10 19:41:24.666+0000: 29303: debug : virFileClose:90 : Closed fd 5
>>>>> 2013-06-10 19:41:24.666+0000: 29303: debug : virFileClose:90 : Closed fd 6
>>>>> 2013-06-10 19:41:24.667+0000: 29303: debug : virFileClose:90 : Closed fd 7
>>>>> 2013-06-10 19:41:24.667+0000: 29303: debug : virFileClose:90 : Closed fd 8
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 9
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 10
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 11
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 12
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 13
>>>>> 2013-06-10 19:41:24.669+0000: 29303: debug : virFileClose:90 : Closed fd 14
>>>>> 2013-06-10 19:41:24.669+0000: 29303: debug : virFileClose:90 : Closed fd 15
>>>>> 2013-06-10 19:41:24.670+0000: 29303: debug : virFileClose:90 : Closed fd 16
>>>>> 2013-06-10 19:41:24.670+0000: 29303: debug : virFileClose:90 : Closed fd 17
>>>>> 2013-06-10 19:41:24.670+0000: 29303: debug : virFileClose:90 : Closed fd 18
>>>>> 2013-06-10 19:41:24.671+0000: 29303: debug : virFileClose:90 : Closed fd 19
>>>>> 2013-06-10 19:41:24.671+0000: 29303: debug : virFileClose:90 : Closed fd 22
>>>>> 2013-06-10 19:41:24.790+0000: 29211: debug : virCommandRun:2115 : Result status 0, stdout: '(null)' stderr: '(null)'
>>>>> ---cut---
>>>>>
>>>>> Looks like libvirt_lxc was executed and died silently.
>>>>
>>>> Found the problem. /opt/libvirt/var/log/libvirt/lxc/c1.log contained the info I needed.
>>>> Search permissions for /root were missing. m(
>>>> It would be nice if virsh were able to tell one this...
>>>>
>>>
>>> :)
>>> have fun with user namespace & libvirt.
>>> And thanks for your test.
>>
>> Yeah. So far it looks very good.
>> I was able to convert my containers from my custom lxc/userns setup to libvirt+userns.
>>
>> One more question: is it by design that virsh lxc-enter-namespace does not set up
>> uid/gid mappings?
>>
>
> lxc-enter-namespace doesn't need to set up uid/gid mappings, since lxc-enter-namespace
> is running on the host side, where the uid/gid mappings already exist. But we should call setid for
> the child task of lxc-enter-namespace, since this child task is running in the container.
>
> I will improve lxc-enter-namespace after this patchset is accepted.

This makes sense.
As of now I'm using su to become uid 0.

Thanks,
//richard
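The exchange above turns on how libvirt's `<idmap>` maps container uids/gids onto host ids, and why a process that enters the container's namespaces from the host does not automatically hold a mapped identity. The following Python is an added example, not code from this thread or from libvirt: it translates the quoted `<idmap>` into the `uid_map`/`gid_map` text the kernel consumes, checks it the way the kernel does when the map is written (positive counts, no overlapping ranges), and resolves ids across the boundary in both directions. The embedded XML is a constructed copy of the config quoted above, and 65534 is the kernel's default `overflowuid`; both are assumptions of the example rather than anything the thread states.

```python
"""Translate a libvirt <idmap> into kernel uid_map/gid_map form and resolve ids.

Added example; the domain XML below is a constructed copy of the config quoted
in the thread, and OVERFLOW_ID is the kernel default (/proc/sys/kernel/overflowuid).
"""
import xml.etree.ElementTree as ET

OVERFLOW_ID = 65534  # what an unmapped id looks like from inside a user namespace

SAMPLE_DOMAIN_XML = """<domain type='lxc'>
  <name>c1</name>
  <idmap>
    <uid start='0' target='100000' count='100000'/>
    <gid start='0' target='100000' count='100000'/>
  </idmap>
</domain>"""


def parse_idmap(domain_xml, kind):
    """Return [(container_start, host_start, count), ...] for kind 'uid' or 'gid'."""
    root = ET.fromstring(domain_xml)
    entries = []
    for el in root.iterfind(f"./idmap/{kind}"):
        entries.append((int(el.get("start")), int(el.get("target")), int(el.get("count"))))
    return entries


def to_map_file(entries):
    """Render the ranges as the text written to /proc/<pid>/uid_map or gid_map:
    one 'inside outside count' line per range."""
    return "".join(f"{inside} {outside} {count}\n" for inside, outside, count in entries)


def validate_idmap(entries):
    """Report problems the kernel rejects when the map is written: a non-positive
    count, or two ranges that overlap on the container side or on the host side."""
    problems = []
    for i, (inside, outside, count) in enumerate(entries):
        if count <= 0:
            problems.append(f"range {i}: count must be positive")
        for j, (inside2, outside2, count2) in enumerate(entries[:i]):
            if inside < inside2 + count2 and inside2 < inside + count:
                problems.append(f"ranges {j} and {i}: container ids overlap")
            if outside < outside2 + count2 and outside2 < outside + count:
                problems.append(f"ranges {j} and {i}: host ids overlap")
    return problems


def container_to_host(entries, cid):
    """Host id that backs container id `cid`, or None if the container cannot use it."""
    for inside, outside, count in entries:
        if inside <= cid < inside + count:
            return outside + (cid - inside)
    return None


def host_to_container(entries, hid):
    """How host id `hid` appears inside the container; unmapped ids show as OVERFLOW_ID."""
    for inside, outside, count in entries:
        if outside <= hid < outside + count:
            return inside + (hid - outside)
    return OVERFLOW_ID


if __name__ == "__main__":
    uids = parse_idmap(SAMPLE_DOMAIN_XML, "uid")
    print("uid_map contents:\n" + to_map_file(uids), end="")
    print("problems:", validate_idmap(uids))
    print("container uid 0 is host uid", container_to_host(uids, 0))
    print("host uid 0 appears inside as uid", host_to_container(uids, 0))
```

With the quoted mapping, container uid 0 is host uid 100000, and host uid 0 has no entry at all, so a process that enters the container's namespaces while still carrying its host credentials shows up inside as the overflow uid (nobody). It has to switch to a mapped uid explicitly, which is the setuid step for the child of lxc-enter-namespace discussed above and the reason `su` serves as a workaround in the meantime.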



