[Bug 1576341] Re: fails in lxd container

Martin Pitt martin.pitt at ubuntu.com
Thu Apr 28 20:11:40 UTC 2016 

These four units belong to the systemd package itself:

> dev-hugepages.mount loaded failed failed Huge Pages File System
> systemd-journald-audit.socket loaded failed failed Journal Audit Socket

These units attempt to not start in containers with less privileges with
ConditionCapability=CAP_SYS_ADMIN and CAP_AUDIT_READ. This does work in
nspawn, but it seems the LXD unprivileged containers pretend to have all
these caps:

Capabilities for `1': =
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_syslog,cap_wake_alarm,cap_block_suspend,37+ep

Which is misleading. Can we start containers with only those
capabilities which are actually namespace aware and available to the
container, and hide the rest?

> systemd-sysctl.service loaded failed failed Apply Kernel Variables

This is supposed to not start via ConditionPathIsReadWrite=/proc/sys/,
but tries anyway, and with debug logging I get

  systemd-sysctl.service: ConditionPathIsReadWrite=/proc/sys/ succeeded.

This is wrong as both "touch /proc/sys/foo" and "test -w /proc/sys" fail. I'll look into this.
 
> systemd-remount-fs.service loaded failed failed Remount Root and Kernel File Systems

This is has "ConditionPathExists=/etc/fstab", but that's true for lxd
containers because they have a dummy /etc/fstab with no entries, just a
comment (thus ConditionFileNotEmpty= would not work either). Checking
for the CAP_SYS_ADMIN capability would be appropriate (which is required
for mounting), but that wouldn't work because of the above issue.

This service does succeed in a container without apparmor restrictions
(--config raw.lxc=lxc.aa_profile=unconfined).

Adding ConditionPathIsReadWrite=!/ may be the simplest and most
straightforward solution here.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to open-iscsi in Ubuntu.
https://bugs.launchpad.net/bugs/1576341

Title:
  fails in lxd container

Status in lvm2 package in Ubuntu:
  Confirmed
Status in lxd package in Ubuntu:
  New
Status in open-iscsi package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  The ubuntu:xenial image shows 'degraded' state in lxd on initial boot.

  $ lxc launch xenial x1
  $ sleep 10
  $ lxc file pull x1/etc/cloud/build.info -
  build_name: server
  serial: 20160420-145324

  $ lxc exc x1 systemctl is-system-running
  degraded

  $ lxc exec x1 systemctl --state=failed
    UNIT                          LOAD   ACTIVE SUB    DESCRIPTION
  ● dev-hugepages.mount           loaded failed failed Huge Pages File System
  ● iscsid.service                loaded failed failed iSCSI initiator daemon (iscsid)
  ● open-iscsi.service            loaded failed failed Login to default iSCSI targets
  ● systemd-remount-fs.service    loaded failed failed Remount Root and Kernel File Systems
  ● systemd-sysctl.service        loaded failed failed Apply Kernel Variables
  ● lvm2-lvmetad.socket           loaded failed failed LVM2 metadata daemon socket
  ● systemd-journald-audit.socket loaded failed failed Journal Audit Socket

  LOAD   = Reflects whether the unit definition was properly loaded.
  ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
  SUB    = The low-level unit activation state, values depend on unit type.

  7 loaded units listed. Pass --all to see loaded but inactive units, too.
  To show all installed unit files use 'systemctl list-unit-files'.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: open-iscsi 2.0.873+git0.3b4b4500-14ubuntu3
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  Date: Thu Apr 28 17:28:04 2016
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
  SourcePackage: open-iscsi
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lvm2/+bug/1576341/+subscriptions

More information about the foundations-bugs mailing list