On 11.06.2013 08:17, Gao feng wrote:
> On 06/11/2013 02:02 PM, Richard Weinberger wrote:
>> On 11.06.2013 05:12, Gao feng wrote:
>>> On 06/11/2013 04:51 AM, Richard Weinberger wrote:
>>>> On 10.06.2013 21:53, Richard Weinberger wrote:
>>>>> On 10.06.2013 21:17, Richard Weinberger wrote:
>>>>>> Hi!
>>>>>>
>>>>>> On 04.06.2013 13:03, Daniel P. Berrange wrote:
>>>>>>>> It's still under review. needs some ACK.
>>>>>>>> If you can help to test or ACK this patchset, it will be very helpful. :)
>>>>>>>>
>>>>>>>> Actually, I just want to ping...
>>>>>>>
>>>>>>> I've been away on holiday for 2 weeks, so not had a chance to review
>>>>>>> it yet. I'll get to it this week. I hope we'll get this in the 1.0.6
>>>>>>> release this month.
>>>>>>
>>>>>> Finally I've found some time to test version 4 of the userns patch set.
>>>>>> But I'm unable to create a container.
>>>>>>
>>>>>> ---cut---
>>>>>> linux:~ # LANG=C /opt/libvirt/bin/virsh -c lxc:/// create c1.conf
>>>>>> error: Failed to create domain from c1.conf
>>>>>> error: Interner Fehler guest failed to start: PATH=/bin:/sbin TERM=linux container=lxc-libvirt container_uuid=3f86c48b-b027-4838-ba17-6202a1d7398b
>>>>>> LIBVIRT_LXC_UUID=3f86c48b-b027-4838-ba17-6202a1d7398b LIBVIRT_LXC_NAME=c1 /bin/bash
>>>>>> error receiving signal from container: Input/output error
>>>>>> ---cut---
>>>>>>
>>>>>> lxcContainerWaitForContinue() in src/lxc/lxc_controller.c fails with EIO.
>>>>>> Maybe because the clone()'ed child dies and the file descriptor used for synchronization becomes invalid.
>>>>>>
>>>>>> Here is my container config:
>>>>>> ---cut---
>>>>>> <domain type='lxc'>
>>>>>>   <name>c1</name>
>>>>>>   <memory>102400</memory>
>>>>>>   <os>
>>>>>>     <type>exe</type>
>>>>>>     <init>/bin/bash</init>
>>>>>>   </os>
>>>>>>   <idmap>
>>>>>>     <uid start='0' target='100000' count='100000'/>
>>>>>>     <gid start='0' target='100000' count='100000'/>
>>>>>>   </idmap>
>>>>>>   <devices>
>>>>>>     <console type='pty'/>
>>>>>>     <filesystem type='mount'>
>>>>>>       <source dir='/root/c1/rootfs'/>
>>>>>>       <target dir='/'/>
>>>>>>     </filesystem>
>>>>>>   </devices>
>>>>>> </domain>
>>>>>> ---cut---
>>>>>>
>>>>>> Any ideas how to debug this further?
>>>>>> This is Linux 3.9.0 with all namespaces enabled.
>>>>>
>>>>> Whoops, forgot to add the libvirtd debug output:
>>>>>
>>>>> ---cut---
>>>>> 2013-06-10 19:41:24.661+0000: 29211: debug : virCommandRunAsync:2241 : About to run PATH=/usr/lib64/mpi/gcc/openmpi/bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games LIBVIRT_DEBUG=1 LIBVIRT_LOG_OUTPUTS=1:stderr /opt/libvirt/lib/libvirt_lxc --name c1 --console 20 --security=none --handshake 23 --background
>>>>> 2013-06-10 19:41:24.663+0000: 29211: debug : virFileClose:90 : Closed fd 24
>>>>> 2013-06-10 19:41:24.663+0000: 29211: debug : virCommandRunAsync:2246 : Command result 0, with PID 29303
>>>>> 2013-06-10 19:41:24.664+0000: 29303: debug : virFileClose:90 : Closed fd 3
>>>>> 2013-06-10 19:41:24.665+0000: 29303: debug : virFileClose:90 : Closed fd 4
>>>>> 2013-06-10 19:41:24.666+0000: 29303: debug : virFileClose:90 : Closed fd 5
>>>>> 2013-06-10 19:41:24.666+0000: 29303: debug : virFileClose:90 : Closed fd 6
>>>>> 2013-06-10 19:41:24.667+0000: 29303: debug : virFileClose:90 : Closed fd 7
>>>>> 2013-06-10 19:41:24.667+0000: 29303: debug : virFileClose:90 : Closed fd 8
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 9
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 10
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 11
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 12
>>>>> 2013-06-10 19:41:24.668+0000: 29303: debug : virFileClose:90 : Closed fd 13
>>>>> 2013-06-10 19:41:24.669+0000: 29303: debug : virFileClose:90 : Closed fd 14
>>>>> 2013-06-10 19:41:24.669+0000: 29303: debug : virFileClose:90 : Closed fd 15
>>>>> 2013-06-10 19:41:24.670+0000: 29303: debug : virFileClose:90 : Closed fd 16
>>>>> 2013-06-10 19:41:24.670+0000: 29303: debug : virFileClose:90 : Closed fd 17
>>>>> 2013-06-10 19:41:24.670+0000: 29303: debug : virFileClose:90 : Closed fd 18
>>>>> 2013-06-10 19:41:24.671+0000: 29303: debug : virFileClose:90 : Closed fd 19
>>>>> 2013-06-10 19:41:24.671+0000: 29303: debug : virFileClose:90 : Closed fd 22
>>>>> 2013-06-10 19:41:24.790+0000: 29211: debug : virCommandRun:2115 : Result status 0, stdout: '(null)' stderr: '(null)'
>>>>> ---cut---
>>>>>
>>>>> Looks like libvirt_lxc was executed and died silently.
>>>>
>>>> Found the problem. /opt/libvirt/var/log/libvirt/lxc/c1.log contained the info I needed.
>>>> Search permissions for /root were missing. m(
>>>> Would be nice if virsh would be able to tell one this...
>>>>
>>>
>>> :)
>>> have fun with user namespace & libvirt.
>>> And thanks for your test.
>>
>> Yeah. So far it looks very good.
>> I was able to convert my containers from my custom lxc/userns setup to libvirt+userns.
>>
>> One more question, is it by design that virsh lxc-enter-namespace does not set up
>> uid/gid mappings?
>>
> lxc-enter-namespace doesn't need to set up uid/gid mappings. Since
> lxc-enter-namespace is running on the host side, the uid/gid mappings already exist.
> But we should call setid for the child task of lxc-enter-namespace, since this
> child task is running in the container.
> I will improve lxc-enter-namespace after this patchset is accepted.

This makes sense.
As of now I'm using su to become uid 0.
Thanks,
//richard
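A host-side pre-flight check for the failure discussed in this thread (the mapped container root could not traverse /root above the rootfs, and libvirt_lxc died silently). This is added example code, not from the thread or from libvirt: it parses the `<idmap>` of the quoted c1.conf, maps container uid 0 to its host uid, and walks the ancestors of the rootfs with plain POSIX owner/group/other bits. DOMAIN_XML and the directory layout built in demo() are constructed; has_search ignores ACLs and capabilities.

```python
import os, stat, tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the <idmap> from the c1.conf quoted in the thread.
DOMAIN_XML = """<domain type='lxc'><name>c1</name><idmap>
  <uid start='0' target='100000' count='100000'/>
  <gid start='0' target='100000' count='100000'/>
</idmap></domain>"""

def parse_idmap(xml_text, kind):
    """(start, target, count) triples for the <uid> or <gid> idmap entries."""
    return [(int(e.get("start")), int(e.get("target")), int(e.get("count")))
            for e in ET.fromstring(xml_text).findall("./idmap/" + kind)]

def map_to_host(entries, container_id):
    """Container-side id -> host id, or None if no entry covers it."""
    for start, target, count in entries:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None

def has_search(st, uid, gids):
    """Owner/group/other search (x) bit. Host root would bypass this via
    CAP_DAC_READ_SEARCH; a mapped uid like 100000 is unprivileged and does not."""
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def unsearchable_components(rootfs, xml_text):
    """Host uid of container uid 0, plus the ancestors of rootfs it cannot traverse."""
    uid = map_to_host(parse_idmap(xml_text, "uid"), 0)
    gids = {map_to_host(parse_idmap(xml_text, "gid"), 0)}
    blocked, cur = [], os.sep
    for part in os.path.abspath(rootfs).split(os.sep)[1:]:
        cur = os.path.join(cur, part)
        if not has_search(os.stat(cur), uid, gids):  # any hit = silent start failure
            blocked.append(cur)
    return uid, blocked

def demo():
    """Rebuild the thread's layout in a temp dir: a 0700 'root' dir above c1/rootfs."""
    base = tempfile.mkdtemp()
    rootfs = os.path.join(base, "root", "c1", "rootfs")
    os.makedirs(rootfs)
    for d in (base, os.path.dirname(rootfs), rootfs):
        os.chmod(d, 0o755)
    os.chmod(os.path.join(base, "root"), 0o700)
    return unsearchable_components(rootfs, DOMAIN_XML)
```

Run demo() as the user that owns the tree: the 0700 `root` directory is reported as blocked for host uid 100000, which is exactly what c1.log revealed in the thread.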