"lxc.cgroup.devices" is meaningless for unprivileged containers as those can never create those devices anyway, so they'll only ever have access to whatever devices lxc provides and nothing more. All our own default configs specifically do not set that cgroup controller for unprivileged containers.

The error you're getting specifically suggests that the cgroups that are delegated to your unprivileged users do not include the devices controller, which does match what I'm seeing in /proc/self/cgroup on my system here. If you wanted to be able to write to the devices cgroup, you would need your user session to have the devices cgroup in /proc/self/cgroup point to a path that your user can write to. At which point the config should work, though still effectively be meaningless.

** Changed in: lxc (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1843490

Title:
  lxc.cgroup.devices.allow prevents unprivileged container from starting

Status in lxc package in Ubuntu:
  Invalid

Bug description:

Adding lxc.cgroup.devices.allow directives to an unprivileged container config prevents the container from starting.

These lxc-start errors look relevant:

lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:204 - There is no useable devices controller
lxc-start testbox 20190910192712.171 ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2191 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2228 - Failed to set "devices.allow" to "c 10:57 rwm"

It seems to me that I used lxc.cgroup.devices.allow directives without trouble a few years ago. I wonder which system upgrades broke it.

To reproduce:

(Note: subuid, subgid, and lxc-usernet are already configured for this user.)

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 19.04
Release:        19.04
Codename:       disco

$ dpkg-query --show libpam-cgfs lxc1
libpam-cgfs     3.0.3-0ubuntu1
lxc1            3.0.3-0ubuntu1

$ lxc-create -t download -n testbox -- -d ubuntu -r bionic -a amd64
The cached copy has expired, re-downloading...
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an Ubuntu bionic amd64 (20190910_07:42) container.

To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.

$ echo "lxc.cgroup.devices.allow = c 10:57 rwm" >> lxc/testbox/config

$ lxc-start -n testbox -o debug.out -l trace
lxc-start: testbox: lxccontainer.c: wait_on_daemonized_start: 842 Received container state "ABORTING" instead of "RUNNING"
lxc-start: testbox: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: testbox: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
lxc-start: testbox: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

$ cat debug.out
lxc-start testbox 20190910192712.380 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start testbox 20190910192712.380 INFO confile - confile.c:set_config_idmaps:1555 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start testbox 20190910192712.382 TRACE commands - commands.c:lxc_cmd:300 - Connection refused - Command "get_init_pid" failed to connect command socket
lxc-start testbox 20190910192712.383 TRACE commands - commands.c:lxc_cmd:300 - Connection refused - Command "get_state" failed to connect command socket
lxc-start testbox 20190910192712.383 TRACE start - start.c:lxc_init_handler:748 - Created anonymous pair {4,5} of unix sockets
lxc-start testbox 20190910192712.383 TRACE commands - commands.c:lxc_cmd_init:1248 - Creating abstract
unix socket "/home/ubuntu/lxc/testbox/command" lxc-start testbox 20190910192712.383 TRACE start - start.c:lxc_init_handler:760 - Unix domain socket 6 for command server is ready lxc-start testbox 20190910192712.388 INFO lxccontainer - lxccontainer.c:do_lxcapi_start:961 - Set process title to [lxc monitor] /home/ubuntu/lxc testbox lxc-start testbox 20190910192712.392 TRACE start - start.c:lxc_start:2052 - Doing lxc_start lxc-start testbox 20190910192712.393 INFO lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor lxc-start testbox 20190910192712.393 TRACE start - start.c:lxc_init:777 - Initialized LSM lxc-start testbox 20190910192712.395 TRACE seccomp - seccomp.c:get_new_ctx:458 - Added arch 2 to main seccomp context lxc-start testbox 20190910192712.395 TRACE seccomp - seccomp.c:get_new_ctx:466 - Removed native arch from main seccomp context lxc-start testbox 20190910192712.395 TRACE seccomp - seccomp.c:get_new_ctx:458 - Added arch 3 to main seccomp context lxc-start testbox 20190910192712.395 TRACE seccomp - seccomp.c:get_new_ctx:466 - Removed native arch from main seccomp context lxc-start testbox 20190910192712.395 TRACE seccomp - seccomp.c:get_new_ctx:471 - Arch 4 already present in main seccomp context lxc-start testbox 20190910192712.395 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount # comment this to allow umount -f; not recommended" lxc-start testbox 20190910192712.395 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start testbox 20190910192712.395 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill) lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill) lxc-start testbox 
20190910192712.396 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill) lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill) lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]" lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1" lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno) lxc-start testbox 20190910192712.396 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno) lxc-start testbox 20190910192712.397 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno) lxc-start testbox 20190910192712.397 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno) lxc-start testbox 20190910192712.397 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1" lxc-start testbox 20190910192712.397 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno) lxc-start testbox 20190910192712.397 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno) lxc-start testbox 20190910192712.397 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at 
action 327681(errno) lxc-start testbox 20190910192712.398 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno) lxc-start testbox 20190910192712.398 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1" lxc-start testbox 20190910192712.398 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno) lxc-start testbox 20190910192712.398 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno) lxc-start testbox 20190910192712.398 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno) lxc-start testbox 20190910192712.398 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno) lxc-start testbox 20190910192712.398 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1" lxc-start testbox 20190910192712.399 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno) lxc-start testbox 20190910192712.399 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno) lxc-start testbox 20190910192712.399 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno) lxc-start testbox 20190910192712.399 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno) lxc-start testbox 20190910192712.399 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1" lxc-start testbox 20190910192712.399 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno) lxc-start testbox 20190910192712.400 INFO 
seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno) lxc-start testbox 20190910192712.400 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno) lxc-start testbox 20190910192712.400 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno) lxc-start testbox 20190910192712.400 INFO seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context lxc-start testbox 20190910192712.400 TRACE seccomp - seccomp.c:parse_config_v2:980 - Merged first compat seccomp context into main context lxc-start testbox 20190910192712.400 TRACE seccomp - seccomp.c:parse_config_v2:996 - Merged second compat seccomp context into main context lxc-start testbox 20190910192712.400 TRACE start - start.c:lxc_init:784 - Read seccomp policy lxc-start testbox 20190910192712.400 TRACE start - start.c:lxc_serve_state_clients:466 - Set container state to STARTING lxc-start testbox 20190910192712.400 TRACE start - start.c:lxc_serve_state_clients:469 - No state clients registered lxc-start testbox 20190910192712.401 TRACE start - start.c:lxc_init:792 - Set container state to "STARTING" lxc-start testbox 20190910192712.401 TRACE start - start.c:lxc_init:855 - Set environment variables lxc-start testbox 20190910192712.402 TRACE start - start.c:lxc_init:862 - Ran pre-start hooks lxc-start testbox 20190910192712.402 TRACE start - start.c:setup_signal_fd:359 - Created signal file descriptor 7 lxc-start testbox 20190910192712.402 TRACE start - start.c:lxc_init:873 - Set up signal fd lxc-start testbox 20190910192712.412 DEBUG terminal - terminal.c:lxc_terminal_peer_default:707 - No such device - The process does not have a controlling terminal lxc-start testbox 20190910192712.412 TRACE start - start.c:lxc_init:881 - Created console lxc-start testbox 20190910192712.412 DEBUG conf - 
conf.c:chown_mapped_root:3166 - trying to chown "/dev/pts/2" to 1000 lxc-start testbox 20190910192712.547 TRACE terminal - terminal.c:lxc_terminal_map_ids:1225 - Chowned terminal "/dev/pts/2" lxc-start testbox 20190910192712.547 TRACE start - start.c:lxc_init:888 - Chowned console lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1031 - basecginfo is: lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1032 - 12:pids:/user.slice/user-1000.slice/session-4.scope 11:devices:/user.slice 10:net_cls,net_prio:/ 9:perf_event:/ 8:cpu,cpuacct:/user.slice 7:rdma:/ 6:cpuset:/ 5:hugetlb:/ 4:memory:/user.slice/user-1000.slice/session-4.scope 3:blkio:/user.slice 2:freezer:/user/ubuntu/0 1:name=systemd:/user.slice/user-1000.slice/session-4.scope 0::/user.slice/user-1000.slice/session-4.scope lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 0: pids lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 1: devices lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 2: net_cls lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 3: net_prio lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 4: perf_event lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 5: cpu lxc-start testbox 20190910192712.549 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 6: cpuacct lxc-start testbox 20190910192712.550 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 7: rdma lxc-start 
testbox 20190910192712.550 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 8: cpuset lxc-start testbox 20190910192712.550 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 9: hugetlb lxc-start testbox 20190910192712.550 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 10: memory lxc-start testbox 20190910192712.550 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 11: blkio lxc-start testbox 20190910192712.550 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 12: freezer lxc-start testbox 20190910192712.550 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1035 - kernel subsystem 13: cgroup2 lxc-start testbox 20190910192712.550 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1038 - named subsystem 0: name=systemd lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:cg_hybrid_init:2459 - Writable cgroup hierarchies: lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1012 - Hierarchies: lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1017 - 0: base_cgroup: /user.slice/user-1000.slice/session-4.scope lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1018 - mountpoint: /sys/fs/cgroup/systemd lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1019 - controllers: lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1021 - 0: name=systemd lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1017 - 1: base_cgroup: /user/ubuntu/0 lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1018 - mountpoint: 
/sys/fs/cgroup/freezer lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1019 - controllers: lxc-start testbox 20190910192712.553 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1021 - 0: freezer lxc-start testbox 20190910192712.554 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1017 - 2: base_cgroup: /user.slice/user-1000.slice/session-4.scope lxc-start testbox 20190910192712.554 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1018 - mountpoint: /sys/fs/cgroup/memory lxc-start testbox 20190910192712.554 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1019 - controllers: lxc-start testbox 20190910192712.554 TRACE cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1021 - 0: memory lxc-start testbox 20190910192712.554 TRACE cgroup - cgroups/cgroup.c:cgroup_init:56 - Initialized cgroup driver cgfsng lxc-start testbox 20190910192712.554 TRACE cgroup - cgroups/cgroup.c:cgroup_init:61 - Running with hybrid cgroup layout lxc-start testbox 20190910192712.554 TRACE start - start.c:lxc_init:895 - Initialized cgroup driver lxc-start testbox 20190910192712.554 INFO start - start.c:lxc_init:897 - Container "testbox" is initialized lxc-start testbox 20190910192712.561 TRACE start - start.c:lxc_spawn:1684 - Cloned child process 8596 lxc-start testbox 20190910192712.561 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWUSER lxc-start testbox 20190910192712.561 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWNS lxc-start testbox 20190910192712.561 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWPID lxc-start testbox 20190910192712.561 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWUTS lxc-start testbox 20190910192712.561 INFO start - start.c:lxc_spawn:1688 - Cloned CLONE_NEWIPC lxc-start testbox 20190910192712.561 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved user namespace via fd 14 lxc-start testbox 20190910192712.561 DEBUG start - 
start.c:lxc_try_preserve_namespaces:196 - Preserved mnt namespace via fd 15 lxc-start testbox 20190910192712.562 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved pid namespace via fd 16 lxc-start testbox 20190910192712.562 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved uts namespace via fd 17 lxc-start testbox 20190910192712.562 DEBUG start - start.c:lxc_try_preserve_namespaces:196 - Preserved ipc namespace via fd 18 lxc-start testbox 20190910192712.562 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usr/bin/newuidmap" does have the setuid bit set lxc-start testbox 20190910192712.562 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usr/bin/newgidmap" does have the setuid bit set lxc-start testbox 20190910192712.562 TRACE caps - caps.c:lxc_ambient_caps_up:192 - Raised = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+eip in inheritable and ambient capability set lxc-start testbox 20190910192712.563 DEBUG conf - conf.c:lxc_map_ids:2928 - Functional newuidmap and newgidmap binary found lxc-start testbox 20190910192712.595 TRACE conf - conf.c:lxc_map_ids:3002 - newuidmap wrote mapping "newuidmap 8596 0 100000 65536" lxc-start testbox 20190910192712.626 TRACE conf - conf.c:lxc_map_ids:3002 - newgidmap wrote mapping "newgidmap 8596 0 100000 65536" lxc-start testbox 20190910192712.632 INFO start - start.c:do_start:1136 - Unshared CLONE_NEWNET lxc-start testbox 20190910192712.633 INFO cgfsng - 
cgroups/cgfsng.c:__cg_legacy_setup_limits:2237 - Limits for the legacy cgroup hierarchies have been setup lxc-start testbox 20190910192712.635 TRACE conf - conf.c:get_minimal_idmap:4265 - Allocated minimal idmapping lxc-start testbox 20190910192712.637 TRACE conf - conf.c:userns_exec_1:4345 - Establishing uid mapping for "8601" in new user namespace: nsuid 0 - hostid 100000 - range 65536 lxc-start testbox 20190910192712.637 TRACE conf - conf.c:userns_exec_1:4345 - Establishing uid mapping for "8601" in new user namespace: nsuid 65536 - hostid 1000 - range 1 lxc-start testbox 20190910192712.637 TRACE conf - conf.c:userns_exec_1:4345 - Establishing gid mapping for "8601" in new user namespace: nsuid 0 - hostid 100000 - range 65536 lxc-start testbox 20190910192712.637 TRACE conf - conf.c:userns_exec_1:4345 - Establishing gid mapping for "8601" in new user namespace: nsuid 65536 - hostid 1000 - range 1 lxc-start testbox 20190910192712.638 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usr/bin/newuidmap" does have the setuid bit set lxc-start testbox 20190910192712.638 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usr/bin/newgidmap" does have the setuid bit set lxc-start testbox 20190910192712.638 DEBUG conf - conf.c:lxc_map_ids:2928 - Functional newuidmap and newgidmap binary found lxc-start testbox 20190910192712.670 TRACE conf - conf.c:lxc_map_ids:3002 - newuidmap wrote mapping "newuidmap 8601 0 100000 65536 65536 1000 1" lxc-start testbox 20190910192712.702 TRACE conf - conf.c:lxc_map_ids:3002 - newgidmap wrote mapping "newgidmap 8601 0 100000 65536 65536 1000 1" lxc-start testbox 20190910192712.703 TRACE conf - conf.c:run_userns_fn:4091 - Calling function "chown_cgroup_wrapper" lxc-start testbox 20190910192712.709 DEBUG start - start.c:lxc_spawn:1742 - Preserved net namespace via fd 10 lxc-start testbox 20190910192712.709 WARN start - start.c:lxc_spawn:1746 - Operation not permitted - Failed to allocate new 
network namespace id lxc-start testbox 20190910192712.713 INFO network - network.c:lxc_create_network_unpriv_exec:2150 - Execing lxc-user-nic create /home/ubuntu/lxc testbox 8596 veth lxcbr0 (null) lxc-start testbox 20190910192712.134 TRACE network - network.c:lxc_create_network_unpriv_exec:2181 - Received output "eth0:58:vethC0OBRR:59" from lxc-user-nic lxc-start testbox 20190910192712.134 TRACE network - network.c:lxc_network_send_veth_names_to_child:3077 - Sent network device name "eth0" to child lxc-start testbox 20190910192712.134 TRACE network - network.c:lxc_network_recv_veth_names_from_parent:3102 - Received network device name "eth0" from parent lxc-start testbox 20190910192712.134 NOTICE utils - utils.c:lxc_switch_uid_gid:1378 - Switched to gid 0 lxc-start testbox 20190910192712.134 NOTICE utils - utils.c:lxc_switch_uid_gid:1387 - Switched to uid 0 lxc-start testbox 20190910192712.134 NOTICE utils - utils.c:lxc_setgroups:1400 - Dropped additional groups lxc-start testbox 20190910192712.134 INFO start - start.c:do_start:1242 - Unshared CLONE_NEWCGROUP lxc-start testbox 20190910192712.135 TRACE conf - conf.c:remount_all_slave:3349 - Remounted all mount table entries as MS_SLAVE lxc-start testbox 20190910192712.135 DEBUG storage - storage/storage.c:get_storage_by_name:231 - Detected rootfs type "dir" lxc-start testbox 20190910192712.135 TRACE dir - storage/dir.c:dir_mount:203 - Mounted "/home/ubuntu/lxc/testbox/rootfs" on "/usr/lib/x86_64-linux-gnu/lxc" lxc-start testbox 20190910192712.135 DEBUG conf - conf.c:lxc_mount_rootfs:1332 - Mounted rootfs "/home/ubuntu/lxc/testbox/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)" lxc-start testbox 20190910192712.135 INFO conf - conf.c:setup_utsname:791 - Set hostname to "testbox" lxc-start testbox 20190910192712.136 DEBUG network - network.c:setup_hw_addr:2767 - Mac address "00:16:3e:0b:60:a9" on "eth0" has been setup lxc-start testbox 20190910192712.138 DEBUG network - 
network.c:lxc_setup_netdev_in_child_namespaces:3032 - Network device "eth0" has been setup lxc-start testbox 20190910192712.138 INFO network - network.c:lxc_setup_network_in_child_namespaces:3053 - network has been setup lxc-start testbox 20190910192712.138 INFO conf - conf.c:mount_autodev:1118 - Preparing "/dev" lxc-start testbox 20190910192712.138 TRACE conf - conf.c:mount_autodev:1142 - Mounted tmpfs on "/usr/lib/x86_64-linux-gnu/lxc/dev" lxc-start testbox 20190910192712.138 INFO conf - conf.c:mount_autodev:1165 - Prepared "/dev" lxc-start testbox 20190910192712.139 INFO conf - conf.c:run_script_argv:356 - Executing script "/usr/share/lxcfs/lxc.mount.hook" for container "testbox", config section "lxc" lxc-start testbox 20190910192712.168 INFO conf - conf.c:lxc_fill_autodev:1209 - Populating "/dev" lxc-start testbox 20190910192712.168 DEBUG conf - conf.c:lxc_fill_autodev:1282 - Bind mounted host device node "/dev/full" onto "/usr/lib/x86_64-linux-gnu/lxc/dev/full" lxc-start testbox 20190910192712.168 DEBUG conf - conf.c:lxc_fill_autodev:1282 - Bind mounted host device node "/dev/null" onto "/usr/lib/x86_64-linux-gnu/lxc/dev/null" lxc-start testbox 20190910192712.168 DEBUG conf - conf.c:lxc_fill_autodev:1282 - Bind mounted host device node "/dev/random" onto "/usr/lib/x86_64-linux-gnu/lxc/dev/random" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:lxc_fill_autodev:1282 - Bind mounted host device node "/dev/tty" onto "/usr/lib/x86_64-linux-gnu/lxc/dev/tty" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:lxc_fill_autodev:1282 - Bind mounted host device node "/dev/urandom" onto "/usr/lib/x86_64-linux-gnu/lxc/dev/urandom" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:lxc_fill_autodev:1282 - Bind mounted host device node "/dev/zero" onto "/usr/lib/x86_64-linux-gnu/lxc/dev/zero" lxc-start testbox 20190910192712.169 INFO conf - conf.c:lxc_fill_autodev:1286 - Populated "/dev" lxc-start testbox 20190910192712.169 DEBUG conf - 
conf.c:mount_entry:2027 - Remounting "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/sys/fs/fuse/connections" to respect bind or remount options lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2048 - Flags for "/sys/fs/fuse/connections" were 4096, required extra flags are 0 lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2058 - Mountflags already were 4096, skipping remount lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2102 - Mounted "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/sys/fs/fuse/connections" with filesystem type "none" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2027 - Remounting "/sys/kernel/debug" on "/usr/lib/x86_64-linux-gnu/lxc/sys/kernel/debug" to respect bind or remount options lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2048 - Flags for "/sys/kernel/debug" were 4096, required extra flags are 0 lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2058 - Mountflags already were 4096, skipping remount lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2102 - Mounted "/sys/kernel/debug" on "/usr/lib/x86_64-linux-gnu/lxc/sys/kernel/debug" with filesystem type "none" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2027 - Remounting "/sys/kernel/security" on "/usr/lib/x86_64-linux-gnu/lxc/sys/kernel/security" to respect bind or remount options lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2048 - Flags for "/sys/kernel/security" were 4110, required extra flags are 14 lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2102 - Mounted "/sys/kernel/security" on "/usr/lib/x86_64-linux-gnu/lxc/sys/kernel/security" with filesystem type "none" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2027 - Remounting "/sys/fs/pstore" on "/usr/lib/x86_64-linux-gnu/lxc/sys/fs/pstore" to respect bind or remount 
options lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2048 - Flags for "/sys/fs/pstore" were 4110, required extra flags are 14 lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2102 - Mounted "/sys/fs/pstore" on "/usr/lib/x86_64-linux-gnu/lxc/sys/fs/pstore" with filesystem type "none" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2102 - Mounted "mqueue" on "/usr/lib/x86_64-linux-gnu/lxc/dev/mqueue" with filesystem type "mqueue" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2027 - Remounting "/sys/firmware/efi/efivars" on "/usr/lib/x86_64-linux-gnu/lxc/sys/firmware/efi/efivars" to respect bind or remount options lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2048 - Flags for "/sys/firmware/efi/efivars" were 4110, required extra flags are 14 lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2102 - Mounted "/sys/firmware/efi/efivars" on "/usr/lib/x86_64-linux-gnu/lxc/sys/firmware/efi/efivars" with filesystem type "none" lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2027 - Remounting "/proc/sys/fs/binfmt_misc" on "/usr/lib/x86_64-linux-gnu/lxc/proc/sys/fs/binfmt_misc" to respect bind or remount options lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2048 - Flags for "/proc/sys/fs/binfmt_misc" were 4096, required extra flags are 0 lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2058 - Mountflags already were 4096, skipping remount lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:mount_entry:2102 - Mounted "/proc/sys/fs/binfmt_misc" on "/usr/lib/x86_64-linux-gnu/lxc/proc/sys/fs/binfmt_misc" with filesystem type "none" lxc-start testbox 20190910192712.169 INFO conf - conf.c:mount_file_entries:2333 - Finished setting up mounts lxc-start testbox 20190910192712.169 DEBUG conf - conf.c:lxc_setup_dev_console:1771 - Mounted pts device "/dev/pts/2" onto 
"/usr/lib/x86_64-linux-gnu/lxc/dev/console" lxc-start testbox 20190910192712.169 INFO utils - utils.c:lxc_mount_proc_if_needed:1231 - I am 1, /proc/self points to "1" lxc-start testbox 20190910192712.170 TRACE conf - conf.c:lxc_pivot_root:1540 - pivot_root("/usr/lib/x86_64-linux-gnu/lxc") successful lxc-start testbox 20190910192712.170 WARN conf - conf.c:lxc_setup_devpts:1616 - Invalid argument - Failed to unmount old devpts instance lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_setup_devpts:1653 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024" lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_setup_devpts:1672 - Created dummy "/dev/ptmx" file as bind mount target lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_setup_devpts:1677 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx" lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_allocate_ttys:989 - Created tty "/dev/pts/0" with master fd 11 and slave fd 14 lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_allocate_ttys:989 - Created tty "/dev/pts/1" with master fd 15 and slave fd 16 lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_allocate_ttys:989 - Created tty "/dev/pts/2" with master fd 17 and slave fd 18 lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_allocate_ttys:989 - Created tty "/dev/pts/3" with master fd 19 and slave fd 20 lxc-start testbox 20190910192712.170 INFO conf - conf.c:lxc_allocate_ttys:1005 - Finished creating 4 tty devices lxc-start testbox 20190910192712.170 TRACE conf - conf.c:lxc_send_ttys_to_parent:1057 - Sent tty "/dev/pts/0" with master fd 11 and slave fd 14 to parent lxc-start testbox 20190910192712.170 TRACE conf - conf.c:lxc_send_ttys_to_parent:1057 - Sent tty "/dev/pts/1" with master fd 15 and slave fd 16 to parent lxc-start testbox 20190910192712.170 TRACE conf - conf.c:lxc_send_ttys_to_parent:1057 - Sent tty "/dev/pts/2" with master fd 17 and slave fd 18 to 
parent
lxc-start testbox 20190910192712.170 TRACE conf - conf.c:lxc_send_ttys_to_parent:1057 - Sent tty "/dev/pts/3" with master fd 19 and slave fd 20 to parent
lxc-start testbox 20190910192712.170 TRACE conf - conf.c:lxc_send_ttys_to_parent:1063 - Sent 4 ttys to parent
lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_setup_ttys:940 - Bind mounted "/dev/pts/0" onto "/dev/tty1"
lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_setup_ttys:940 - Bind mounted "/dev/pts/1" onto "/dev/tty2"
lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_setup_ttys:940 - Bind mounted "/dev/pts/2" onto "/dev/tty3"
lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:lxc_setup_ttys:940 - Bind mounted "/dev/pts/3" onto "/dev/tty4"
lxc-start testbox 20190910192712.170 INFO conf - conf.c:lxc_setup_ttys:949 - Finished setting up 4 /dev/tty<N> device(s)
lxc-start testbox 20190910192712.170 INFO conf - conf.c:setup_personality:1716 - Set personality to "0x0"
lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:setup_caps:2506 - Capabilities have been setup
lxc-start testbox 20190910192712.170 NOTICE conf - conf.c:lxc_setup:3692 - The container "testbox" is set up
lxc-start testbox 20190910192712.170 INFO lsm - lsm/lsm.c:lsm_process_label_set_at:178 - Set AppArmor label to "lxc-container-default-cgns"
lxc-start testbox 20190910192712.170 INFO apparmor - lsm/apparmor.c:apparmor_process_label_set:249 - Changed apparmor profile to lxc-container-default-cgns
#
# pseudo filter code start
#
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
  # filter for syscall "finit_module" (313) [priority: 65535]
  if ($syscall == 313)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (304) [priority: 65535]
  if ($syscall == 304)
    action ERRNO(1);
  # filter for syscall "kexec_load" (246) [priority: 65535]
  if ($syscall == 246)
    action ERRNO(1);
  # filter for syscall "delete_module" (176) [priority: 65535]
  if ($syscall == 176)
    action ERRNO(1);
  # filter for syscall "init_module" (175) [priority: 65535]
  if ($syscall == 175)
    action ERRNO(1);
  # filter for syscall "umount2" (166) [priority: 65533]
  if ($syscall == 166)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0x00000001 == 1)
        action ERRNO(13);
  # default action
  action ALLOW;
# filter for arch x86 (1073741827)
if ($arch == 1073741827)
  # filter for syscall "finit_module" (350) [priority: 65535]
  if ($syscall == 350)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (342) [priority: 65535]
  if ($syscall == 342)
    action ERRNO(1);
  # filter for syscall "kexec_load" (283) [priority: 65535]
  if ($syscall == 283)
    action ERRNO(1);
  # filter for syscall "delete_module" (129) [priority: 65535]
  if ($syscall == 129)
    action ERRNO(1);
  # filter for syscall "init_module" (128) [priority: 65535]
  if ($syscall == 128)
    action ERRNO(1);
  # filter for syscall "umount2" (52) [priority: 65534]
  if ($syscall == 52)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
# filter for arch x32 (3221225534)
if ($arch == 3221225534)
  # filter for syscall "kexec_load" (1073742352) [priority: 65535]
  if ($syscall == 1073742352)
    action ERRNO(1);
  # filter for syscall "finit_module" (1073742137) [priority: 65535]
  if ($syscall == 1073742137)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (1073742128) [priority: 65535]
  if ($syscall == 1073742128)
    action ERRNO(1);
  # filter for syscall "delete_module" (1073742000) [priority: 65535]
  if ($syscall == 1073742000)
    action ERRNO(1);
  # filter for syscall "init_module" (1073741999) [priority: 65535]
  if ($syscall == 1073741999)
    action ERRNO(1);
  # filter for syscall "umount2" (1073741990) [priority: 65534]
  if ($syscall == 1073741990)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
# invalid architecture action
action KILL;
#
# pseudo filter code end
#
lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:204 - There is no useable devices controller
lxc-start testbox 20190910192712.171 ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2191 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2228 - Failed to set "devices.allow" to "c 10:57 rwm"
lxc-start testbox 20190910192712.171 ERROR start - start.c:lxc_spawn:1802 - Failed to setup legacy device cgroup controller limits
lxc-start testbox 20190910192712.171 DEBUG network - network.c:lxc_delete_network:3180 - Deleted network devices
lxc-start testbox 20190910192712.171 TRACE start - start.c:lxc_serve_state_socket_pair:536 - Sent container state "ABORTING" to 5
lxc-start testbox 20190910192712.171 TRACE start - start.c:lxc_serve_state_clients:466 - Set container state to ABORTING
lxc-start testbox 20190910192712.171 TRACE start - start.c:lxc_serve_state_clients:469 - No state clients registered
lxc-start testbox 20190910192712.171 DEBUG lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 8588 exited
lxc-start testbox 20190910192712.171 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:842 - Received container state "ABORTING" instead of "RUNNING"
lxc-start testbox 20190910192712.171 ERROR lxc_start - tools/lxc_start.c:main:330 - The container failed to start
lxc-start testbox 20190910192712.171 ERROR lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode
lxc-start testbox 20190910192712.171 ERROR lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start testbox 20190910192712.171 ERROR start - start.c:__lxc_start:1939 - Failed to spawn container "testbox"
lxc-start testbox 20190910192712.171 TRACE start - start.c:lxc_serve_state_clients:466 - Set container state to STOPPING
lxc-start testbox 20190910192712.171 TRACE start -
start.c:lxc_serve_state_clients:469 - No state clients registered lxc-start testbox 20190910192712.171 TRACE conf - conf.c:get_minimal_idmap:4265 - Allocated minimal idmapping lxc-start testbox 20190910192712.171 TRACE conf - conf.c:userns_exec_1:4345 - Establishing uid mapping for "8669" in new user namespace: nsuid 0 - hostid 100000 - range 65536 lxc-start testbox 20190910192712.171 TRACE conf - conf.c:userns_exec_1:4345 - Establishing uid mapping for "8669" in new user namespace: nsuid 65536 - hostid 1000 - range 1 lxc-start testbox 20190910192712.171 TRACE conf - conf.c:userns_exec_1:4345 - Establishing gid mapping for "8669" in new user namespace: nsuid 0 - hostid 100000 - range 65536 lxc-start testbox 20190910192712.171 TRACE conf - conf.c:userns_exec_1:4345 - Establishing gid mapping for "8669" in new user namespace: nsuid 65536 - hostid 1000 - range 1 lxc-start testbox 20190910192712.171 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usr/bin/newuidmap" does have the setuid bit set lxc-start testbox 20190910192712.171 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2836 - The binary "/usr/bin/newgidmap" does have the setuid bit set lxc-start testbox 20190910192712.171 DEBUG conf - conf.c:lxc_map_ids:2928 - Functional newuidmap and newgidmap binary found lxc-start testbox 20190910192712.173 TRACE conf - conf.c:lxc_map_ids:3002 - newuidmap wrote mapping "newuidmap 8669 0 100000 65536 65536 1000 1" lxc-start testbox 20190910192712.175 TRACE conf - conf.c:lxc_map_ids:3002 - newgidmap wrote mapping "newgidmap 8669 0 100000 65536 65536 1000 1" lxc-start testbox 20190910192712.175 TRACE conf - conf.c:run_userns_fn:4091 - Calling function "cgroup_rmdir_wrapper" lxc-start testbox 20190910192712.176 TRACE start - start.c:lxc_fini:1001 - Closed command socket lxc-start testbox 20190910192712.176 TRACE start - start.c:lxc_fini:1012 - Set container state to "STOPPED" lxc-start testbox 20190910192712.176 INFO conf - 
conf.c:run_script_argv:356 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "testbox", config section "lxc" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1843490/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
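The cgfsng warning and error in the log above are where this start aborts: the "devices" controller is not among the cgroup hierarchies delegated to the unprivileged user, so lxc.cgroup.devices.allow has nowhere to be written. The following POSIX shell script is an added example, written for this page and not taken from the bug report or from LXC itself. It does two things a user in this situation can do: pull the controller names out of cgfsng messages of the forms shown above from an lxc-start log file, and read a /proc/self/cgroup-format listing to report whether the devices controller is present and delegated at a path the caller can write. It assumes the cgroup v1 layout (the controller's directory lives at /sys/fs/cgroup/devices/<path from /proc/self/cgroup>), and the log lines and cgroup listings it writes for its demo are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the bug report or of LXC. Checks for the
# "There is no useable devices controller" failure when starting an
# unprivileged container. File paths and the cgroup mount root are
# parameters so the checks run against constructed data as well as the
# live system. Assumes the cgroup v1 layout: /sys/fs/cgroup/<controller>/<path>.

# Print, one per line, the controllers named in cgfsng warnings/errors of
# the two forms seen in the report. $1 is the lxc-start log file.
lxc_log_failed_controllers() {
    sed -n \
        -e 's/.*There is no useable \([a-z_]*\) controller.*/\1/p' \
        -e 's/.*Failed to setup limits for the "\([a-z_]*\)" controller.*/\1/p' \
        "$1" | sort -u
}

# Print the cgroup path the "devices" controller is attached to in a
# /proc/self/cgroup-format file ($1). Each line is "id:controllers:path";
# the controller field may hold several names separated by commas
# (e.g. "cpu,cpuacct"). Prints nothing when no hierarchy carries devices.
devices_cgroup_path() {
    awk -F: '{
        n = split($2, ctrls, ",")
        for (i = 1; i <= n; i++)
            if (ctrls[i] == "devices") { print $3; exit }
    }' "$1"
}

# Return 0 when the devices controller is delegated to the caller: it is
# listed in $1 and its directory under the cgroup mount root $2 (normally
# /sys/fs/cgroup) is writable. Otherwise print the reason and return 1.
devices_cgroup_delegated() {
    listing=$1
    root=${2:-/sys/fs/cgroup}
    path=$(devices_cgroup_path "$listing")
    if [ -z "$path" ]; then
        echo "no devices controller in $listing: lxc.cgroup.devices.* cannot be applied"
        return 1
    fi
    dir="$root/devices$path"
    if [ -w "$dir" ]; then
        echo "devices controller delegated at $dir"
        return 0
    fi
    echo "devices controller at $dir is not writable by uid $(id -u)"
    return 1
}

# Constructed sample data so the script runs offline. Writes a short log
# with the two cgfsng lines quoted in the report plus one unrelated line.
write_sample_log() {
    cat > "$1" <<'EOF'
lxc-start testbox 20190910192712.170 DEBUG conf - conf.c:setup_caps:2506 - Capabilities have been setup
lxc-start testbox 20190910192712.171 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:204 - There is no useable devices controller
lxc-start testbox 20190910192712.171 ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2191 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
EOF
}

# Constructed /proc/self/cgroup listing for a user session whose delegated
# hierarchies do not include devices (the situation in the report).
write_sample_cgroup_without_devices() {
    cat > "$1" <<'EOF'
12:pids:/user.slice/user-1000.slice/session-2.scope
7:memory:/user.slice/user-1000.slice/session-2.scope
3:cpu,cpuacct:/
EOF
}

# Constructed listing with a devices hierarchy at /user.slice/user-1000.slice.
write_sample_cgroup_with_devices() {
    cat > "$1" <<'EOF'
12:pids:/user.slice/user-1000.slice/session-2.scope
8:devices:/user.slice/user-1000.slice
3:cpu,cpuacct:/
EOF
}

# Demo on the constructed data; with an argument, also check the live
# system, taking the argument as the lxc-start log file to scan.
main() {
    tmp=$(mktemp -d)
    write_sample_log "$tmp/lxc.log"
    echo "controllers cgfsng could not use: $(lxc_log_failed_controllers "$tmp/lxc.log")"
    write_sample_cgroup_without_devices "$tmp/cgroup"
    devices_cgroup_delegated "$tmp/cgroup" "$tmp/sys" || true
    rm -rf "$tmp"
    if [ $# -gt 0 ]; then
        lxc_log_failed_controllers "$1"
        devices_cgroup_delegated /proc/self/cgroup /sys/fs/cgroup
    fi
}

main "$@"
```

Run it as `sh check-devices-cgroup.sh /path/to/lxc-start.log` to scan a real log and your own session's /proc/self/cgroup; with no argument it only exercises the constructed data. A session where the check reports "no devices controller" matches the maintainer's diagnosis: the directive is unusable, not merely misconfigured, and removing it from the unprivileged container's config is what lets the container start.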