On 10/29/2010 04:42 PM, Jean-Philippe Menil wrote: > Hi, > > i'm trying to test the lxc support in libvirt, but but libvirt failed to > start container with error "lxcContainerAvailable:897 : clone call > returned Operation not permitted, container support is not enabled" > What's the kernel version you use? Just as the error message says, the system call 'clone' failed, It's probly caused by lacking of kernel support. At least you should make sure 'clone' support these flags: CLONE_NEWPID, CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC, SIGCHLD - Osier > Althought i've compiled libvirt with th lxc support: > configure: Configuration summary > configure: ===================== > configure: > configure: Drivers > configure: > configure: Xen: no > configure: Proxy: no > configure: QEMU: yes > configure: UML: yes > configure: OpenVZ: no > configure: VBox: no > configure: XenAPI: no > configure: LXC: yes > configure: PHYP: no > configure: ONE: no > configure: ESX: no > configure: Test: yes > configure: Remote: yes > configure: Network: yes > configure: Libvirtd: yes > configure: netcf: no > configure: macvtap: yes > configure: virtport: no > > Here is my xml: > <domain type='lxc'> > <name>lxc1</name> > <memory>500000</memory> > <os> > <type>exe</type> > <init>/bin/sh</init> > </os> > <vcpu>1</vcpu> > <clock offset='utc'/> > <on_poweroff>destroy</on_poweroff> > <on_reboot>restart</on_reboot> > <on_crash>destroy</on_crash> > <devices> > <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> > <filesystem type='mount'> > <source dir='/var/lib/lxc/lxc1/rootfs'/> > <target dir='/'/> > </filesystem> > <interface type='bridge'> > <source bridge='U13'/> > <target dev='veth0'/> > </interface> > <console type='pty' > > <target port='5'/> > </console> > </devices> > </domain> > > And here are the errors: > 10:41:09.968: debug : virCgroupNew:542 : New group / > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 0:cpu > at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 1:cpuacct at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 2:cpuset at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 3:memory at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 4:devices at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 5:freezer at /var/local/cgroup in > 10:41:09.968: debug : virCgroupNew:542 : New group /libvirt > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 0:cpu > at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 1:cpuacct at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 2:cpuset at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 3:memory at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 4:devices at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 5:freezer at /var/local/cgroup in > 10:41:09.968: debug : virCgroupMakeGroup:484 : Make group /libvirt > 10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller > /var/local/cgroup/libvirt/ > 10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller > /var/local/cgroup/libvirt/ > 10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller > /var/local/cgroup/libvirt/ > 10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller > /var/local/cgroup/libvirt/ > 10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller > /var/local/cgroup/libvirt/ > 10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller > /var/local/cgroup/libvirt/ > 10:41:09.968: debug : virCgroupNew:542 : New group /libvirt/lxc > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 0:cpu > at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 1:cpuacct at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 2:cpuset at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 3:memory at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 4:devices at /var/local/cgroup in > 10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping > 5:freezer at /var/local/cgroup in > 10:41:09.968: debug : virCgroupMakeGroup:484 : Make group /libvirt/lxc > 10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller > /var/local/cgroup/libvirt/lxc/ > 10:41:09.968: debug : lxcControllerRun:595 : Setting up private /dev/pts > 10:41:10.012: debug : lxcControllerRun:621 : Mouting 'devpts' on > /var/lib/lxc/lxc1/rootfs/dev/pts > 10:41:10.012: debug : lxcControllerRun:636 : Opening tty on private > /var/lib/lxc/lxc1/rootfs/dev/pts/ptmx > 10:41:10.044: debug : lxcContainerAvailable:897 : clone call returned > Operation not permitted, container support is not enabled > 10:41:10.044: debug : lxcContainerStart:848 : Enable network namespaces > 10:41:10.076: debug : lxcContainerStart:854 : clone() completed, new > container PID is -1 > 10:41:10.076: error : lxcContainerStart:858 : Failed to run clone > container: Operation not permitted > 10:41:10.076: debug : vethDelete:159 : veth: veth1 > 10:41:10.076: debug : virRunWithHook:818 : ip link del veth1 > > Can someone tell me what i'm doing wrong? > > Many thanks. > > Regards. > > > > -- > libvir-list mailing list > libvir-list(a)redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

10:41:10.076: error : lxcContainerStart:858 : Failed to run clone container: Operation not permitted

Le 29/10/2010 14:51, Serge Hallyn a écrit : >Quoting Jean-Philippe Menil (jean-philippe.menil(a)univ-nantes.fr): >>10:41:10.076: error : lxcContainerStart:858 : Failed to run clone >>container: Operation not permitted > >I would guess that the libvirt process creating the container has dropped >some >of the needed capabilities (CAP_SYS_ADMIN and a few others). Is libvirtd >running as root? What does /proc/$$/status for that process show? Hi, libvirt is running as root. root@redbreast:/tmp# ps aux | grep libvirtd | grep -v grep root 15718 0.0 0.0 157760 2924 ? Sl 15:35 0:00 /usr/sbin/libvirtd -d root@redbreast:/tmp# cat /proc/15718/status Name: libvirtd State: S (sleeping) Tgid: 15718 Pid: 15718 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 64 Groups: 0 VmPeak: 181892 kB VmSize: 157760 kB VmLck: 0 kB VmHWM: 2924 kB VmRSS: 2924 kB VmData: 115012 kB VmStk: 136 kB VmExe: 792 kB VmLib: 6372 kB VmPTE: 124 kB VmSwap: 0 kB Threads: 7 SigQ: 2/16382 SigPnd: 0000000000000000 ShdPnd: 0000000000000000 SigBlk: 0000000000000000 SigIgn: 0000000000001000 SigCgt: 0000000180014007 CapInh: 0000000000000000 CapPrm: ffffffffffffffff CapEff: ffffffffffffffff CapBnd: ffffffffffffffff Cpus_allowed: ffff Cpus_allowed_list: 0-15 Mems_allowed: 00000000,00000003 Mems_allowed_list: 0-1 voluntary_ctxt_switches: 321 nonvoluntary_ctxt_switches: 7 and root@redbreast:/tmp# cat /proc/15718/cgroup 1:blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,debug,cpuset:/

root@redbreast:/tmp# mount | grep cgroup none on /var/local/cgroup type cgroup (rw) In the log, i can find the following: 15:35:58.853: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/lxc/ 15:35:58.853: warning : lxcStartup:2109 : Unable to create cgroup for driver: Operation not permitted

>> root@redbreast:/tmp# cat /proc/15718/cgroup >> 1:blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,debug,cpuset:/ > > The problem is probably the 'blkio' controller combined with the 'ns' > controller. The 'blkio' controller will refuse to allow creation of > any child cgroups. This will cause the libvirt warning you see below. > It will also break the 'ns' cgroup, because that *requires* that you > can create child cgroups when creating a new container.