[libvirt] Lxc support

Hi,

I'm trying to test the lxc support in libvirt, but libvirt failed to start the container with the error "lxcContainerAvailable:897 : clone call returned Operation not permitted, container support is not enabled", although I've compiled libvirt with the lxc support:

configure: Configuration summary
configure: =====================
configure:
configure: Drivers
configure:
configure: Xen: no
configure: Proxy: no
configure: QEMU: yes
configure: UML: yes
configure: OpenVZ: no
configure: VBox: no
configure: XenAPI: no
configure: LXC: yes
configure: PHYP: no
configure: ONE: no
configure: ESX: no
configure: Test: yes
configure: Remote: yes
configure: Network: yes
configure: Libvirtd: yes
configure: netcf: no
configure: macvtap: yes
configure: virtport: no

Here is my xml:

<domain type='lxc'>
  <name>lxc1</name>
  <memory>500000</memory>
  <os>
    <type>exe</type>
    <init>/bin/sh</init>
  </os>
  <vcpu>1</vcpu>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
    <filesystem type='mount'>
      <source dir='/var/lib/lxc/lxc1/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <source bridge='U13'/>
      <target dev='veth0'/>
    </interface>
    <console type='pty' >
      <target port='5'/>
    </console>
  </devices>
</domain>

And here are the errors:

10:41:09.968: debug : virCgroupNew:542 : New group /
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 0:cpu at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 1:cpuacct at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 2:cpuset at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 3:memory at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 4:devices at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 5:freezer at /var/local/cgroup in
10:41:09.968: debug : virCgroupNew:542 : New group /libvirt
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 0:cpu at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 1:cpuacct at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 2:cpuset at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 3:memory at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 4:devices at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 5:freezer at /var/local/cgroup in
10:41:09.968: debug : virCgroupMakeGroup:484 : Make group /libvirt
10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/
10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/
10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/
10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/
10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/
10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/
10:41:09.968: debug : virCgroupNew:542 : New group /libvirt/lxc
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 0:cpu at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 1:cpuacct at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 2:cpuset at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 3:memory at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 4:devices at /var/local/cgroup in
10:41:09.968: debug : virCgroupDetect:232 : Detected mount/mapping 5:freezer at /var/local/cgroup in
10:41:09.968: debug : virCgroupMakeGroup:484 : Make group /libvirt/lxc
10:41:09.968: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/lxc/
10:41:09.968: debug : lxcControllerRun:595 : Setting up private /dev/pts
10:41:10.012: debug : lxcControllerRun:621 : Mouting 'devpts' on /var/lib/lxc/lxc1/rootfs/dev/pts
10:41:10.012: debug : lxcControllerRun:636 : Opening tty on private /var/lib/lxc/lxc1/rootfs/dev/pts/ptmx
10:41:10.044: debug : lxcContainerAvailable:897 : clone call returned Operation not permitted, container support is not enabled
10:41:10.044: debug : lxcContainerStart:848 : Enable network namespaces
10:41:10.076: debug : lxcContainerStart:854 : clone() completed, new container PID is -1
10:41:10.076: error : lxcContainerStart:858 : Failed to run clone container: Operation not permitted
10:41:10.076: debug : vethDelete:159 : veth: veth1
10:41:10.076: debug : virRunWithHook:818 : ip link del veth1

Can someone tell me what I'm doing wrong?

Many thanks.
Regards.

On 10/29/2010 04:42 PM, Jean-Philippe Menil wrote:
Hi,
I'm trying to test the lxc support in libvirt, but libvirt failed to start the container with the error "lxcContainerAvailable:897 : clone call returned Operation not permitted, container support is not enabled"
What's the kernel version you use? Just as the error message says, the system call 'clone' failed; it's probably caused by a lack of kernel support.
At least you should make sure 'clone' supports these flags:
CLONE_NEWPID, CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC, SIGCHLD

- Osier
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Le 29/10/2010 12:00, Osier a écrit :
On 10/29/2010 04:42 PM, Jean-Philippe Menil wrote:
Hi,
I'm trying to test the lxc support in libvirt, but libvirt failed to start the container with the error "lxcContainerAvailable:897 : clone call returned Operation not permitted, container support is not enabled"
What's the kernel version you use? Just as the error message says, the system call 'clone' failed; it's probably caused by a lack of kernel support.
At least you should make sure 'clone' supports these flags:
CLONE_NEWPID, CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC, SIGCHLD
- Osier
Hi,
Thanks for your response. The kernel is a 2.6.36 with the following:

root@redbreast:/tmp# cat /boot/config-2.6.36-dsiun-1a | grep -i pid
CONFIG_PROC_PID_CPUSET=y
CONFIG_PID_NS=y
# CONFIG_SPI_SPIDEV is not set
CONFIG_HID_PID=y
root@redbreast:/tmp# cat /boot/config-2.6.36-dsiun-1a | grep -i cgroup
CONFIG_CGROUPS=y
CONFIG_CGROUP_DEBUG=y
CONFIG_CGROUP_NS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_MEM_RES_CTLR=y
CONFIG_CGROUP_MEM_RES_CTLR_SWAP=y
CONFIG_CGROUP_SCHED=y
CONFIG_BLK_CGROUP=m
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_NET_CLS_CGROUP=y

Can you explain how I can check the clone flags?

Many thanks.
Regards.

On Fri, Oct 29, 2010 at 12:27:59PM +0200, Jean-Philippe Menil wrote:
Thanks for your response. The kernel is a 2.6.36 with the following:

root@redbreast:/tmp# cat /boot/config-2.6.36-dsiun-1a | grep -i pid
CONFIG_PROC_PID_CPUSET=y
CONFIG_PID_NS=y
# CONFIG_SPI_SPIDEV is not set
CONFIG_HID_PID=y
You need to check for _NS= here, and want to see the following:

$ grep _NS= /boot/config-2.6.34.6-54.fc13.x86_64
CONFIG_CGROUP_NS=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

Quoting Jean-Philippe Menil (jean-philippe.menil@univ-nantes.fr):
10:41:10.076: error : lxcContainerStart:858 : Failed to run clone container: Operation not permitted
I would guess that the libvirt process creating the container has dropped some of the needed capabilities (CAP_SYS_ADMIN and a few others). Is libvirtd running as root? What does /proc/$$/status for that process show?

Le 29/10/2010 14:51, Serge Hallyn a écrit :
Quoting Jean-Philippe Menil (jean-philippe.menil@univ-nantes.fr):
10:41:10.076: error : lxcContainerStart:858 : Failed to run clone container: Operation not permitted
I would guess that the libvirt process creating the container has dropped some of the needed capabilities (CAP_SYS_ADMIN and a few others). Is libvirtd running as root? What does /proc/$$/status for that process show?

Hi,
libvirt is running as root.

root@redbreast:/tmp# ps aux | grep libvirtd | grep -v grep
root 15718 0.0 0.0 157760 2924 ? Sl 15:35 0:00 /usr/sbin/libvirtd -d
root@redbreast:/tmp# cat /proc/15718/status
Name: libvirtd
State: S (sleeping)
Tgid: 15718
Pid: 15718
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 64
Groups: 0
VmPeak: 181892 kB
VmSize: 157760 kB
VmLck: 0 kB
VmHWM: 2924 kB
VmRSS: 2924 kB
VmData: 115012 kB
VmStk: 136 kB
VmExe: 792 kB
VmLib: 6372 kB
VmPTE: 124 kB
VmSwap: 0 kB
Threads: 7
SigQ: 2/16382
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000001000
SigCgt: 0000000180014007
CapInh: 0000000000000000
CapPrm: ffffffffffffffff
CapEff: ffffffffffffffff
CapBnd: ffffffffffffffff
Cpus_allowed: ffff
Cpus_allowed_list: 0-15
Mems_allowed: 00000000,00000003
Mems_allowed_list: 0-1
voluntary_ctxt_switches: 321
nonvoluntary_ctxt_switches: 7

and

root@redbreast:/tmp# cat /proc/15718/cgroup
1:blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,debug,cpuset:/
root@redbreast:/tmp# mount | grep cgroup
none on /var/local/cgroup type cgroup (rw)

In the log, I can find the following:

15:35:58.853: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/lxc/
15:35:58.853: warning : lxcStartup:2109 : Unable to create cgroup for driver: Operation not permitted

If I do:

root@redbreast:~# ls -la /var/local/cgroup/libvirt/lxc/
ls: impossible d'accéder à /var/local/cgroup/libvirt/lxc/: Aucun fichier ou dossier de ce type
root@redbreast:~# mkdir /var/local/cgroup/libvirt/lxc/
mkdir: impossible de créer le répertoire « /var/local/cgroup/libvirt/lxc/ »: Opération non permise

However, I mounted the cgroup with the rw flag.

On Fri, Oct 29, 2010 at 03:41:25PM +0200, Jean-Philippe Menil wrote:
libvirt is running as root.

root@redbreast:/tmp# cat /proc/15718/cgroup
1:blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,debug,cpuset:/
The problem is probably the 'blkio' controller combined with the 'ns' controller. The 'blkio' controller will refuse to allow creation of any child cgroups. This will cause the libvirt warning you see below. It will also break the 'ns' cgroup, because that *requires* that you can create child cgroups when creating a new container.
root@redbreast:/tmp# mount | grep cgroup
none on /var/local/cgroup type cgroup (rw)
In the log, I can find the following:

15:35:58.853: debug : virCgroupMakeGroup:496 : Make controller /var/local/cgroup/libvirt/lxc/
15:35:58.853: warning : lxcStartup:2109 : Unable to create cgroup for driver: Operation not permitted
Daniel

Le 29/10/2010 15:59, Daniel P. Berrange a écrit :
The problem is probably the 'blkio' controller combined with the 'ns' controller. The 'blkio' controller will refuse to allow creation of any child cgroups. This will cause the libvirt warning you see below. It will also break the 'ns' cgroup, because that *requires* that you can create child cgroups when creating a new container.
Daniel

Yes, you are right. After removing the blk_cgroup module, everything now works fine.
Many thanks for your help. Regards.

On 10/30/2010 01:19 AM, Jean-Philippe Menil wrote: <snip>
root@redbreast:/tmp# cat /proc/15718/cgroup 1:blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,debug,cpuset:/
The problem is probably the 'blkio' controller combined with the 'ns' controller. The 'blkio' controller will refuse to allow creation of any child cgroups. This will cause the libvirt warning you see below. It will also break the 'ns' cgroup, because that *requires* that you can create child cgroups when creating a new container.
Is this the kind of thing we should add a runtime check for, with an appropriate warning when detected?
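The runtime check Justin asks about can be assembled from the three conditions the thread walked through: Daniel's `grep _NS=` against the kernel config, Serge's question about the capabilities in /proc/<pid>/status, and Daniel's blkio/ns co-mount diagnosis from /proc/<pid>/cgroup. The Python script below is an added example, not libvirt's own code or anything posted in the thread; the set of required CONFIG_*_NS options, the CAP_SYS_ADMIN bit index (21, from <linux/capability.h>) and the SAMPLE_* inputs (constructed after the values Jean-Philippe posted) are my assumptions.

```python
# Offline preflight for the three libvirt LXC failure causes raised in this
# thread. Added example, not libvirt code; REQUIRED_NS and the CAP_SYS_ADMIN
# bit index are assumptions, and the SAMPLE_* inputs are constructed.
import re

# Kconfig options behind the clone() flags Osier listed, plus NET_NS for the
# "Enable network namespaces" step in the log (assumed required set).
REQUIRED_NS = ("CONFIG_PID_NS", "CONFIG_UTS_NS", "CONFIG_IPC_NS", "CONFIG_NET_NS")
CAP_SYS_ADMIN = 21  # capability bit index from <linux/capability.h>

# Constructed samples modelled on the values Jean-Philippe posted.
SAMPLE_KCONFIG = """\
CONFIG_CGROUPS=y
CONFIG_CGROUP_NS=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_USER_NS is not set
CONFIG_BLK_CGROUP=m
"""
SAMPLE_STATUS = "Name:\tlibvirtd\nUid:\t0\t0\t0\t0\nCapEff:\tffffffffffffffff\n"
SAMPLE_CGROUP = "1:blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,debug,cpuset:/\n"

def missing_ns_options(kconfig_text):
    """Return the REQUIRED_NS options that are not '=y' in a kernel .config."""
    enabled = set(re.findall(r"^(CONFIG_\w+)=y$", kconfig_text, re.M))
    return [opt for opt in REQUIRED_NS if opt not in enabled]

def effective_caps(status_text):
    """Parse the CapEff hex mask out of /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)

def has_cap_sys_admin(status_text):
    """True if CAP_SYS_ADMIN is in the process's effective capability set."""
    return bool((effective_caps(status_text) >> CAP_SYS_ADMIN) & 1)

def hierarchy_controllers(cgroup_text, controller):
    """Controllers sharing a cgroup v1 hierarchy with `controller`, parsed
    from /proc/<pid>/cgroup lines of the form 'id:ctrl1,ctrl2,...:path'."""
    for line in cgroup_text.splitlines():
        fields = line.split(":", 2)
        if len(fields) != 3:
            continue
        controllers = fields[1].split(",")
        if controller in controllers:
            return controllers
    return []

def blkio_comounted_with_ns(cgroup_text):
    """The condition Daniel identified: blkio and ns in the same hierarchy."""
    return "blkio" in hierarchy_controllers(cgroup_text, "ns")

def diagnose(kconfig_text, status_text, cgroup_text):
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    missing = missing_ns_options(kconfig_text)
    if missing:
        findings.append("kernel config lacks: " + ", ".join(missing))
    if not has_cap_sys_admin(status_text):
        findings.append("libvirtd has dropped CAP_SYS_ADMIN (CapEff)")
    if blkio_comounted_with_ns(cgroup_text):
        findings.append("blkio and ns controllers share a hierarchy; "
                        "blkio refuses child cgroups, so ns cannot create one")
    return findings

if __name__ == "__main__":
    # On a live host, pass the contents of /boot/config-$(uname -r) and of
    # /proc/<libvirtd pid>/status and /proc/<libvirtd pid>/cgroup instead.
    for finding in diagnose(SAMPLE_KCONFIG, SAMPLE_STATUS, SAMPLE_CGROUP) or ["ok"]:
        print(finding)
```

With the sample inputs, only the blkio/ns finding is reported, which matches the fix Jean-Philippe confirmed (unloading blk_cgroup).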
participants (5): Daniel P. Berrange, Jean-Philippe Menil, Justin Clift, Osier, Serge Hallyn