New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Container fails to start with x86_64 Kernel and x86 userland #654
Comments
Just curious, why you run x86_64 kernel with x86 userland? |
Better performance, I have a old 64 bit capable laptop which gets strained when running full 64 bit system. So running 64bit kernel with 32 bit userland which has improved memory footprints compared to full 64 bit system (Well haven't benchmarked it though). |
Hi, this seems like it may be a problem in your libseccomp. Exactly what release are you on? On Ubuntu 15.10, I do: sudo lxc-create -t download -n t1 -- -d ubuntu -r trusty -a i386 |
@hallyn Sorry for delayed response on my system ldd shows below output. vasudev@rudra:~/Documents/Debian/collab-maint/lcdf-typetools$ ldd /usr/bin/lxc-create
linux-gate.so.1 (0xf774a000)
liblxc.so.1 => /usr/lib/i386-linux-gnu/liblxc.so.1 (0xf76b1000)
libcap.so.2 => /lib/i386-linux-gnu/libcap.so.2 (0xf76ab000)
libapparmor.so.1 => /lib/i386-linux-gnu/libapparmor.so.1 (0xf7698000)
libselinux.so.1 => /lib/i386-linux-gnu/libselinux.so.1 (0xf7670000)
libseccomp.so.2 => /lib/i386-linux-gnu/libseccomp.so.2 (0xf7655000)
libutil.so.1 => /lib/i386-linux-gnu/i686/cmov/libutil.so.1 (0xf7651000)
libpthread.so.0 => /lib/i386-linux-gnu/i686/cmov/libpthread.so.0 (0xf7635000)
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf7489000)
libcgmanager.so.0 => /lib/i386-linux-gnu/libcgmanager.so.0 (0xf745b000)
libnih.so.1 => /lib/libnih.so.1 (0xf7444000)
libnih-dbus.so.1 => /lib/libnih-dbus.so.1 (0xf743b000)
libdbus-1.so.3 => /lib/i386-linux-gnu/libdbus-1.so.3 (0xf73df000)
/lib/ld-linux.so.2 (0x565b7000)
libattr.so.1 => /lib/i386-linux-gnu/libattr.so.1 (0xf73d8000)
libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xf7365000)
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf7360000)
librt.so.1 => /lib/i386-linux-gnu/i686/cmov/librt.so.1 (0xf7357000)
libsystemd.so.0 => /lib/i386-linux-gnu/libsystemd.so.0 (0xf72c9000)
libm.so.6 => /lib/i386-linux-gnu/i686/cmov/libm.so.6 (0xf7282000)
libresolv.so.2 => /lib/i386-linux-gnu/i686/cmov/libresolv.so.2 (0xf726b000)
liblzma.so.5 => /lib/i386-linux-gnu/liblzma.so.5 (0xf7242000)
libgcrypt.so.20 => /lib/i386-linux-gnu/libgcrypt.so.20 (0xf7191000)
libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xf7174000)
libgpg-error.so.0 => /lib/i386-linux-gnu/libgpg-error.so.0 (0xf715e000) And vasudev@rudra:~/Documents/Debian/collab-maint/lcdf-typetools$ dpkg -S /lib/i386-linux-gnu/libseccomp.so.2.2.3
libseccomp2:i386: /lib/i386-linux-gnu/libseccomp.so.2.2.3 |
Oh, I see. So your host is 32-bit userspace. I haven't looked (and won't be able to for a week) but I can easily imagine that case being mishandled in the lxc seccomp code. |
The problem occurs when:
I'm still trying to decide what lxc should do differently. You can seccomp_arch_exist(compat_ctx, arch) before the seccomp_arch_add is called. But I'm wondering what we should |
lxc uses uname to check the kernel version. Seccomp respects userspace. In the case of 32-bit userspace on 64-bit kernel, this was a bad combination. When we run into that case, make sure that the compat seccomp context is 32-bit, and the lxc->seccomp_ctx is the 64-bit. Closes lxc#654 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Thanks guys for fixing this issue!. |
lxc uses uname to check the kernel version. Seccomp respects userspace. In the case of 32-bit userspace on 64-bit kernel, this was a bad combination. When we run into that case, make sure that the compat seccomp context is 32-bit, and the lxc->seccomp_ctx is the 64-bit. Closes lxc#654 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
It seems 473ebc7 was reverted again and thus this issue still persists? @copyninja @stgraber shall this be reopened again? |
@evgeni Is the reverted lxc released?. I basically first tested this on lxc shipped from Debian so if its really reverted then I think issue needs to be reopened. |
@copyninja as far as I can tell even the fixed one is not released as both commits are only in the 2.0 (master) branch. |
@evgeni that is bad :(. If the fix is reverted I think this issue should be reopened but I can't do it. |
lxc uses uname to check the kernel version. Seccomp respects userspace. In the case of 32-bit userspace on 64-bit kernel, this was a bad combination. When we run into that case, make sure that the compat seccomp context is 32-bit, and the lxc->seccomp_ctx is the 64-bit. Closes lxc#654 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
lxc uses uname to check the kernel version. Seccomp respects userspace. In the case of 32-bit userspace on 64-bit kernel, this was a bad combination. When we run into that case, make sure that the compat seccomp context is 32-bit, and the lxc->seccomp_ctx is the 64-bit. Closes #654 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Hi, For those who are interested, I could patch debian’s LXC 1:1.0.6-6+deb8u5 to run on a i386 userspace with an amd64 kernel. The patch is here: 0099-seccomp-64bit-kernel-32bit-userspace.patch For more info, see my comment. |
This commit deals with different kernel and userspace layouts and nesting. Here are three examples: 1. 64bit kernel and 64bit userspace running 32bit containers 2. 64bit kernel and 32bit userspace running 64bit containers 3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers Two things to lookout for: 1. The compat arch that is detected might have already been present in the main context. So check that it actually hasn't been and only then add it. 2. The contexts don't need merging if the architectures are the same and also can't be. With these changes I can run all crazy/weird combinations with proper seccomp isolation. Closes lxc#654. Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366 Reported-by: Chirantan Ekbote <chirantan@chromium.org> Reported-by: Sonny Rao <sonnyrao@chromium.org> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
@copyninja, @nboullis, @evgeni see #2274 and #2275. |
This commit deals with different kernel and userspace layouts and nesting. Here are three examples: 1. 64bit kernel and 64bit userspace running 32bit containers 2. 64bit kernel and 32bit userspace running 64bit containers 3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers Two things to lookout for: 1. The compat arch that is detected might have already been present in the main context. So check that it actually hasn't been and only then add it. 2. The contexts don't need merging if the architectures are the same and also can't be. With these changes I can run all crazy/weird combinations with proper seccomp isolation. Closes #654. Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366 Reported-by: Chirantan Ekbote <chirantan@chromium.org> Reported-by: Sonny Rao <sonnyrao@chromium.org> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit deals with different kernel and userspace layouts and nesting. Here are three examples: 1. 64bit kernel and 64bit userspace running 32bit containers 2. 64bit kernel and 32bit userspace running 64bit containers 3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers Two things to lookout for: 1. The compat arch that is detected might have already been present in the main context. So check that it actually hasn't been and only then add it. 2. The contexts don't need merging if the architectures are the same and also can't be. With these changes I can run all crazy/weird combinations with proper seccomp isolation. Closes lxc#654. Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366 Reported-by: Chirantan Ekbote <chirantan@chromium.org> Reported-by: Sonny Rao <sonnyrao@chromium.org> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Hi,
I've bit of weird setup in my laptop. I run Debian unstable with x86_64 kernel but 386 userland. uname command output on my system looks like below
Linux rudra 4.1.0-2-amd64 #1 SMP Debian 4.1.6-1 (2015-08-23) x86_64 GNU/Linux
I've created a container using below configuration
Now when I try to start the container with lxc-start I see below error
Is it possible to run lxc undex x86_64 kernel with 386 (x86) user land?..
The text was updated successfully, but these errors were encountered: