Description of problem:
libvirt will not start an lxc container when the user namespace ID mapping feature is enabled. The same container starts successfully when the feature is disabled.

Version-Release number of selected component (if applicable):
libvirt-daemon-driver-lxc-1.1.3.5-2.fc20.x86_64
kernel-3.14.5-200.fc20.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a container filesystem:

    # yum -y --releasever=20 --nogpg --installroot=/var/lib/libvirt/filesystems/mycontainer \
        --disablerepo='*' --enablerepo=fedora install \
        systemd passwd yum fedora-release vim-minimal openssh-server procps-ng
    # echo "pts/0" >> /var/lib/libvirt/filesystems/mycontainer/etc/securetty
    # chroot /var/lib/libvirt/filesystems/mycontainer /bin/passwd root

2. Create the container:

    # virt-install --connect lxc:/// --name mycontainer --ram 256 \
        --filesystem /var/lib/libvirt/filesystems/mycontainer,/

3. Enable the idmap feature:

    <idmap>
      <uid start='0' target='1000' count='10'/>
      <gid start='0' target='1000' count='10'/>
    </idmap>

4. Start the container:

    # virsh --connect lxc:/// start mycontainer

Actual results:

    Error starting domain: internal error: guest failed to start: PATH=/bin:/sbin TERM=linux container=lxc-libvirt container_uuid=c134f57d-f4ff-4602-b7bb-c7370e83bc9f LIBVIRT_LXC_UUID=c134f57d-f4ff-4602-b7bb-c7370e83bc9f LIBVIRT_LXC_NAME=mycontainer /sbin/init
    error receiving signal from container: Input/output error

Expected results:
Container should start normally, as when idmap configuration is not present.
Additional info:
/var/log/libvirt/lxc/mycontainer.log contains:

    2014-06-08 01:05:49.397+0000: starting up
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin LIBVIRT_DEBUG=3 LIBVIRT_LOG_OUTPUTS=3:stderr /usr/libexec/libvirt_lxc --name mycontainer --console 22 --security=selinux --handshake 25 --background --veth veth1
    PATH=/bin:/sbin TERM=linux container=lxc-libvirt container_uuid=c134f57d-f4ff-4602-b7bb-c7370e83bc9f LIBVIRT_LXC_UUID=c134f57d-f4ff-4602-b7bb-c7370e83bc9f LIBVIRT_LXC_NAME=mycontainer /sbin/init
    2014-06-08 01:05:49.512+0000: 1: info : libvirt version: 1.1.3.5, package: 2.fc20 (Fedora Project, 2014-05-19-22:55:50, buildvm-04.phx2.fedoraproject.org)
    2014-06-08 01:05:49.512+0000: 1: error : lxcContainerMountFSDev:959 : Failed to mount /.oldroot//run/libvirt/lxc/mycontainer.dev on /dev: Invalid argument
    2014-06-08 01:05:49.512+0000: 1: error : lxcContainerMountFSDevPTS:986 : Cannot create /dev/pts: Permission denied
    2014-06-08 01:05:49.512+0000: 1: error : lxcContainerSetupDevices:1023 : Failed to symlink device /dev/stdin to /proc/self/fd/0: Permission denied
    2014-06-08 01:05:49.512+0000: 2303: info : libvirt version: 1.1.3.5, package: 2.fc20 (Fedora Project, 2014-05-19-22:55:50, buildvm-04.phx2.fedoraproject.org)
    2014-06-08 01:05:49.512+0000: 2303: error : virLXCControllerRun:2188 : error receiving signal from container: Input/output error
    error receiving signal from container: Input/output error
    2014-06-08 01:05:49.533+0000: 2303: error : virCommandWait:2376 : internal error: Child process (ip link del veth1) unexpected exit status 1: Cannot find device "veth1"
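A small triage helper for the log above, added here as an example (it is not libvirt code and not part of the original report): it parses the error entries and reports the earliest one on each side, so the /dev mount failure logged during container setup is seen ahead of the controller's I/O error and the veth cleanup noise. Mapping the function-name prefixes lxcContainer and virLXCController to a "container" and "controller" side is an assumption made from the names in the log.

```python
import re

# Constructed sample: the error lines from the log quoted in this report.
SAMPLE_LOG = """\
2014-06-08 01:05:49.512+0000: 1: error : lxcContainerMountFSDev:959 : Failed to mount /.oldroot//run/libvirt/lxc/mycontainer.dev on /dev: Invalid argument
2014-06-08 01:05:49.512+0000: 1: error : lxcContainerMountFSDevPTS:986 : Cannot create /dev/pts: Permission denied
2014-06-08 01:05:49.512+0000: 1: error : lxcContainerSetupDevices:1023 : Failed to symlink device /dev/stdin to /proc/self/fd/0: Permission denied
2014-06-08 01:05:49.512+0000: 2303: error : virLXCControllerRun:2188 : error receiving signal from container: Input/output error
error receiving signal from container: Input/output error
2014-06-08 01:05:49.533+0000: 2303: error : virCommandWait:2376 : internal error: Child process (ip link del veth1) unexpected exit status 1: Cannot find device "veth1"
"""

# Entry layout seen in the log: TIMESTAMP: PID: LEVEL : FUNC:LINE : MESSAGE
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[+-]\d{4}): (?P<pid>\d+): "
    r"(?P<level>\w+) : (?P<func>\w+):(?P<line>\d+) : (?P<msg>.*)$")

def parse_errors(text):
    """Return error-level entries in file order; untimestamped lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m and m.group("level") == "error":
            out.append(m.groupdict())
    return out

def side(entry):
    """Assumption: the function-name prefix tells which side logged the entry."""
    if entry["func"].startswith("lxcContainer"):
        return "container"
    if entry["func"].startswith("virLXCController"):
        return "controller"
    return "other"

def triage(text):
    """Earliest error per side, plus the errno strings from container setup."""
    errors = parse_errors(text)
    first = {}
    for e in errors:
        first.setdefault(side(e), e)  # keep only the first entry per side
    errnos = [e["msg"].rsplit(": ", 1)[-1] for e in errors if side(e) == "container"]
    return first, errnos

if __name__ == "__main__":
    first, errnos = triage(SAMPLE_LOG)
    for name, e in first.items():
        print(f"{name:10} pid={e['pid']:>5} {e['func']}:{e['line']}  {e['msg']}")
    print("container errno strings:", errnos)
```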
The following upstream patch appears relevant to this issue: http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=46f2d16f07137ff677f76fe5de04429b97a86bf5
After rebuilding libvirtd with the above patch applied, I can successfully start the LXC container with user namespace ID mapping enabled. (Though there are still other bugs to quash...)
libvirt-1.1.3.6-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2014-10432/libvirt-1.1.3.6-1.fc20
libvirt-1.1.3.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.