[Wolves] Ubuntu 16.04 LXC Unprivileged containers and limits
Simon Burke
simon at samandsimon.co.uk
Tue Aug 2 15:09:48 UTC 2016
So I'm currently looking to replace our horrid dev team environment, and
was looking to use a mix of Ansible, and LXC.
However I've come across an issue where I can start privileged containers
with and without memory and cpu limits (via
lxc.cgroup.memory.limit_in_bytes = 512M etc). But with an unprivileged
user, I can run containers without any constraints, but as soon as I try to
impose a limit... the container fails to start:
lxc-start 20160802160535.160 ERROR lxc_cgfsng - cgfsng.c:cgfsng_setup_limits:1645 - No devices cgroup setup for unpriv1
lxc-start 20160802160535.160 ERROR lxc_start - start.c:lxc_spawn:1226 - failed to setup the devices cgroup for 'unpriv1'
lxc-start 20160802160535.160 ERROR lxc_start - start.c:__lxc_start:1353 - failed to spawn 'unpriv1'
lxc-start 20160802160535.191 INFO lxc_conf - conf.c:run_script_argv:367 - Executing script '/usr/share/lxcfs/lxc.reboot.hook' for container 'unpriv1', config section 'lxc'
lxc-start 20160802160535.695 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_cgroup failed to receive response
lxc-start 20160802160540.700 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
The conf file for the container:
# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536
lxc.rootfs = /home/lxc/.local/share/lxc/unpriv1/rootfs
lxc.rootfs.backend = dir
lxc.utsname = unpriv1
lxc.mount.auto = cgroup
lxc.cgroup.memory.limit_in_bytes = 512M
# Network configuration
lxc.network.type = veth
lxc.network.link = br0
Does anyone have reasonable suggestions as to what the heck I'm missing? I
realise it is likely cgroup config that is missing, but I'm struggling to
find decent documentation for it...
Thanks.