Bug 1105832

Summary: libvirt-lxc container will not start when user namespace ID map enabled
Product: Fedora
Reporter: Michael Hampton <error>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 20
CC: agedosier, berrange, clalancette, crobinso, d.sastre.medina, itamar, jforbes, laine, libvirt-maint, veillard, virt-maint
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: libvirt-1.1.3.6-1.fc20
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-19 10:14:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michael Hampton 2014-06-08 01:09:12 UTC
Description of problem:
libvirt will not start an lxc container when the user namespace ID mapping feature is enabled. The same container starts successfully when the feature is disabled.

Version-Release number of selected component (if applicable):
libvirt-daemon-driver-lxc-1.1.3.5-2.fc20.x86_64
kernel-3.14.5-200.fc20.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a container filesystem:
# yum -y --releasever=20 --nogpg --installroot=/var/lib/libvirt/filesystems/mycontainer \
          --disablerepo='*' --enablerepo=fedora install \
          systemd passwd yum fedora-release vim-minimal openssh-server procps-ng
# echo "pts/0" >> /var/lib/libvirt/filesystems/mycontainer/etc/securetty
# chroot /var/lib/libvirt/filesystems/mycontainer /bin/passwd root

2. Create the container:
# virt-install --connect lxc:/// --name mycontainer --ram 256 \
              --filesystem /var/lib/libvirt/filesystems/mycontainer,/

3. Enable the idmap feature:
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>

4. Start the container:
# virsh --connect lxc:/// start mycontainer

Actual results:
Error starting domain: internal error: guest failed to start: PATH=/bin:/sbin TERM=linux container=lxc-libvirt container_uuid=c134f57d-f4ff-4602-b7bb-c7370e83bc9f LIBVIRT_LXC_UUID=c134f57d-f4ff-4602-b7bb-c7370e83bc9f LIBVIRT_LXC_NAME=mycontainer /sbin/init
error receiving signal from container: Input/output error

Expected results:
Container should start normally, as when idmap configuration is not present.

Additional info:
/var/log/libvirt/lxc/mycontainer.log contains:

2014-06-08 01:05:49.397+0000: starting up
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin LIBVIRT_DEBUG=3 LIBVIRT_LOG_OUTPUTS=3:stderr /usr/libexec/libvirt_lxc --name mycontainer --console 22 --security=selinux --handshake 25 --background --veth veth1
PATH=/bin:/sbin TERM=linux container=lxc-libvirt container_uuid=c134f57d-f4ff-4602-b7bb-c7370e83bc9f LIBVIRT_LXC_UUID=c134f57d-f4ff-4602-b7bb-c7370e83bc9f LIBVIRT_LXC_NAME=mycontainer /sbin/init
2014-06-08 01:05:49.512+0000: 1: info : libvirt version: 1.1.3.5, package: 2.fc20 (Fedora Project, 2014-05-19-22:55:50, buildvm-04.phx2.fedoraproject.org)
2014-06-08 01:05:49.512+0000: 1: error : lxcContainerMountFSDev:959 : Failed to mount /.oldroot//run/libvirt/lxc/mycontainer.dev on /dev: Invalid argument
2014-06-08 01:05:49.512+0000: 1: error : lxcContainerMountFSDevPTS:986 : Cannot create /dev/pts: Permission denied
2014-06-08 01:05:49.512+0000: 1: error : lxcContainerSetupDevices:1023 : Failed to symlink device /dev/stdin to /proc/self/fd/0: Permission denied
2014-06-08 01:05:49.512+0000: 2303: info : libvirt version: 1.1.3.5, package: 2.fc20 (Fedora Project, 2014-05-19-22:55:50, buildvm-04.phx2.fedoraproject.org)
2014-06-08 01:05:49.512+0000: 2303: error : virLXCControllerRun:2188 : error receiving signal from container: Input/output error
error receiving signal from container: Input/output error
2014-06-08 01:05:49.533+0000: 2303: error : virCommandWait:2376 : internal error: Child process (ip link del veth1) unexpected exit status 1: Cannot find device "veth1"
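The `<idmap>` element in step 3 is the part of the configuration that matters for this bug: it asks libvirt to run the container in a user namespace where container uid/gid 0 maps to host uid/gid 1000, and only ten ids are mapped at all. The following is an added example, not code from the bug report or from libvirt. It parses that element with the standard library, translates container ids to host ids the way the kernel's `uid_map`/`gid_map` files do (see user_namespaces(7)), and reports which container ids are left unmapped. The overflow id 65534 is assumed to be the kernel default (`/proc/sys/kernel/overflowuid`); the function names are this example's own. The point for a practitioner is that with `count='10'`, every system account above uid 9 in the container image has no host identity and shows up as 65534, which is worth knowing before debugging permission errors like the ones in the log above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <idmap> element from step 3 of the reproduction.
IDMAP_XML = """
<idmap>
  <uid start='0' target='1000' count='10'/>
  <gid start='0' target='1000' count='10'/>
</idmap>
"""

# Assumed kernel default for /proc/sys/kernel/overflowuid and overflowgid:
# ids with no entry in the namespace's map are presented as this value.
OVERFLOW_ID = 65534


def parse_idmap(xml_text):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]} from <idmap>."""
    root = ET.fromstring(xml_text)
    if root.tag != "idmap":
        raise ValueError("expected <idmap> as the root element")
    maps = {"uid": [], "gid": []}
    for child in root:
        if child.tag not in maps:
            raise ValueError(f"unexpected element <{child.tag}> inside <idmap>")
        start, target, count = (int(child.attrib[k]) for k in ("start", "target", "count"))
        if count <= 0:
            raise ValueError("count must be positive")
        maps[child.tag].append((start, target, count))
    return maps


def to_host_id(entries, container_id):
    """Translate a container-side id to its host id, or OVERFLOW_ID if unmapped.

    Mirrors the kernel's lookup: an entry (start, target, count) covers
    container ids [start, start + count) and maps them to [target, target + count).
    """
    for start, target, count in entries:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return OVERFLOW_ID


def proc_map_lines(entries):
    """Render entries in the /proc/<pid>/uid_map format: '<start> <target> <count>'."""
    return "\n".join(f"{s:>10} {t:>10} {c:>10}" for s, t, c in entries)


def unmapped_ranges(entries, upto=65536):
    """Return inclusive (lo, hi) ranges of container ids in [0, upto) with no host identity."""
    covered = sorted((s, s + c) for s, _, c in entries)
    gaps, cur = [], 0
    for lo, hi in covered:
        if lo > cur:
            gaps.append((cur, lo - 1))
        cur = max(cur, hi)
    if cur < upto:
        gaps.append((cur, upto - 1))
    return gaps


def root_is_unprivileged(entries):
    """True when container uid 0 lands on a real, non-zero host uid.

    An unmapped root (overflow) is a misconfiguration, not a privilege reduction,
    so it is reported as False as well.
    """
    return to_host_id(entries, 0) not in (0, OVERFLOW_ID)


if __name__ == "__main__":
    maps = parse_idmap(IDMAP_XML)
    print("uid_map as the kernel would show it:\n" + proc_map_lines(maps["uid"]))
    for cid in (0, 9, 10, 65534):
        print(f"container uid {cid:>5} -> host uid {to_host_id(maps['uid'], cid)}")
    print("unmapped container uid ranges:", unmapped_ranges(maps["uid"]))
    print("container root is unprivileged on the host:", root_is_unprivileged(maps["uid"]))
```

Running it against the sample shows uid 0 through 9 landing on host uids 1000 through 1009, uid 10 and above falling to 65534, and one unmapped range (10, 65535). Widening `count` (or adding a second `<uid>`/`<gid>` entry) is how the image's remaining accounts get host identities without giving container root host uid 0.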

Comment 1 Michael Hampton 2014-07-02 18:01:59 UTC
The following upstream patch appears relevant to this issue:

http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=46f2d16f07137ff677f76fe5de04429b97a86bf5

Comment 2 Michael Hampton 2014-07-02 18:57:53 UTC
After rebuilding libvirtd with the above patch applied, I can successfully start the LXC container with user namespace ID mapping enabled. (Though there are still other bugs to quash...)

Comment 3 Fedora Update System 2014-09-14 19:00:40 UTC
libvirt-1.1.3.6-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/FEDORA-2014-10432/libvirt-1.1.3.6-1.fc20

Comment 4 Fedora Update System 2014-09-19 10:14:04 UTC
libvirt-1.1.3.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.