From a side-channel discussion: <cbrauner> all the fully unprivileged tests need to be disabled on cgroup v2. You can't run fully unprivileged containers on pure cgroup2 layouts. The delegation model doesn't allow it. Not without systemd making a fully empty delegated cgroup hierarchy available.
<stgraber> I think I'd prefer if those tests could figure out they're running on a cgroup2 systemd system and then do the systemd-run wrapper around lxc-start (or whatever it is) as that's realistically what users of unpriv LXC would do. Something along those lines: `systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start` -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1943704 Title: lxc fails autopkgtests on (pure) cgroups v2 enabled system Status in lxc package in Ubuntu: New Bug description: lxc fails 4 autopkgtests if ran on a cgroups v2 enabled systemd (248.3-1ubuntu7) using a pure unified hierarchy (in favor of the hybrid hierarchy used before). https://autopkgtest.ubuntu.com/packages/lxc FAIL: lxc-tests: lxc-test-apparmor-mount (0s) FAIL: lxc-tests: lxc-test-autostart (360s) FAIL: lxc-tests: lxc-test-no-new-privs (361s) FAIL: lxc-tests: lxc-test-unpriv (0s) I needed to skip the "lxc-test-exit-code" test to avoid my local autopkgtest to hang but that seems to be working on the Ubuntu infrastructure, so its probably related to my local environment: diff --git a/debian/tests/exercise b/debian/tests/exercise index 4a22f33..70231ee 100755 --- a/debian/tests/exercise +++ b/debian/tests/exercise @@ -88,6 +88,10 @@ for testbin in lxc-test-*; do echo "${testbin}" | grep -qv "\.in$" || continue STRING="lxc-tests: $testbin" + # Skip some tests because for testing + [ "$testbin" = "lxc-test-exit-code" ] && \ + ignore "$STRING" && continue + # Some tests can't be run standalone [ "$testbin" = "lxc-test-may-control" ] && continue Reproducer (while being connected to the Canonical VPN, or setup another squid proxy): $ autopkgtest-buildvm-ubuntu-cloud -v -r impish $ autopkgtest lxc -s -U --apt-pocket=proposed=src:systemd --env "http_proxy=http://squid.internal:3128"; --env "https_proxy=http://squid.internal:3128"; --env "no_proxy=127.0.0.1,127.0.1.1,localhost,localdomain,novalocal,internal,archive.ubuntu.com,security.ubuntu.com,ddebs.ubuntu.com,changelogs.ubuntu.com,launchpad.net,10.24.0.0/24" -- qemu autopkgtest-impish-amd64.img I used "../lxc_4.0.10-0ubuntu4+wip0_amd64.changes" instead of the "lxc" SRCPKG name, to use a custom package, skipping the additional "lxc-test-exit-code" test. Interestingly, the same set of tests fails if I run the test using the old (non cgroups v2) systemd (248.3-1ubuntu3), i.e. by leaving out the "--apt-pocket=proposed=src:systemd" parameter. Although, they fail in a slightly different way (see attached lxc-vs-old-systemd.log). Running a baseline test using the old systemd passed on the Ubuntu infrastructure. – I cannot really explain this infra-baseline vs local-autopkgtest difference... But it doesn't matter too much either, as we need to fix the situation for the new (cgroupv2) enabled systemd. Logs (full logs attached): FAIL: lxc-tests: lxc-test-apparmor-mount (0s) --- /usr/sbin/deluser: The user `lxcunpriv' does not exist. ./lxc-test-apparmor-mount: 152: cannot create /sys/fs/cgroup/-.mount/lxctest/tasks: Permission denied lxc-destroy: tmp.6hX6BylHCU: tools/lxc_destroy.c: main: 242 Container is not defined umount: /sys/kernel/security/apparmor/features/mount: not mounted. sed: can't read /run/lxc/nics: No such file or directory --- => "./lxc-test-apparmor-mount: 152: cannot create /sys/fs/cgroup/-.mount/lxctest/tasks: Permission denied" seems to be relevant/related to unified cgroup hierarchy here. => fails in a different way with old (non cgroup v2) systemd, locally FAIL: lxc-tests: lxc-test-autostart (21s) --- Setting up the GPG keyring Downloading the image index ERROR: Failed to download http://images.linuxcontainers.org//meta/1.0/index-system lxc-create: lxc-test-auto: lxccontainer.c: create_run_template: 1621 Failed to create container from template lxc-create: lxc-test-auto: tools/lxc_create.c: main: 319 Failed to create container lxc-test-auto FAIL --- => fails in the same way with old (non cgroup v2) systemd, locally. FAIL: lxc-tests: lxc-test-no-new-privs (22s) --- + DONE=0 + trap cleanup EXIT SIGHUP SIGINT SIGTERM + '[' '!' -d /etc/lxc ']' + ARCH=i386 + type dpkg ++ dpkg --print-architecture + ARCH=amd64 + lxc-create -t download -n c1 -- -d ubuntu -r xenial -a amd64 Setting up the GPG keyring Downloading the image index ERROR: Failed to download http://images.linuxcontainers.org//meta/1.0/index-system lxc-create: c1: lxccontainer.c: create_run_template: 1621 Failed to create container from template lxc-create: c1: tools/lxc_create.c: main: 319 Failed to create container c1 + cleanup + cd / + lxc-destroy -n c1 -f lxc-destroy: c1: tools/lxc_destroy.c: main: 242 Container is not defined + true + '[' 0 -eq 0 ']' + echo FAIL FAIL + exit 1 --- => fails in the same way with old (non cgroup v2) systemd, locally. FAIL: lxc-tests: lxc-test-unpriv (0s) --- ./lxc-test-unpriv: line 163: /sys/fs/cgroup/-.mount/lxctest/tasks: Permission denied cat: /tmp/tmp.w4zIOZHyAA: No such file or directory --- => "./lxc-test-unpriv: line 163: /sys/fs/cgroup/-.mount/lxctest/tasks: Permission denied" seems to be relevant/related to unified cgroup hierarchy here. => fails in a different way with old (non cgroup v2) systemd, locally. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1943704/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
