Description of problem:
Enabling user namespaces gives the error: Kernel doesn't support user namespace: Link has been severed. All namespaces are enabled in the kernel.

Version-Release number of selected component (if applicable):
CentOS 7
libvirt-1.1.1-29.el7_0.3
kernel-3.10.0-123.9.3.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. # cat /etc/libvirt/lxc/mycentos7.xml
   <domain type='lxc'>
     <name>mycentos7</name>
     <uuid>41752300-8c89-4699-83a4-5402822cb6d4</uuid>
     <memory unit='KiB'>2000</memory>
     <currentMemory unit='KiB'>2000</currentMemory>
     <vcpu placement='static'>1</vcpu>
     <os>
       <type arch='x86_64'>exe</type>
       <init>/sbin/init</init>
     </os>
     <idmap>
       <uid start='0' target='1000' count='10'/>
       <gid start='0' target='1000' count='10'/>
     </idmap>
     <clock offset='utc'/>
     <on_poweroff>destroy</on_poweroff>
     <on_reboot>restart</on_reboot>
     <on_crash>destroy</on_crash>
     <devices>
       <emulator>/usr/libexec/libvirt_lxc</emulator>
       <filesystem type='mount' accessmode='passthrough'>
         <source dir='/var/lib/libvirt/filesystems/mycentos7/'/>
         <target dir='/'/>
       </filesystem>
       <interface type='network'>
         <mac address='52:54:00:7e:21:28'/>
         <source network='default'/>
       </interface>
       <console type='pty'>
         <target type='lxc' port='0'/>
       </console>
     </devices>
   </domain>
2. virsh --connect lxc:/// define /etc/libvirt/lxc/mycentos7.xml

Actual results:
error: Failed to start domain mycentos7
error: internal error: guest failed to start: Kernel doesn't support user namespace: Link has been severed

Expected results:
Container to start normally.
Additional info:
# lxc-checkconfig
Kernel configuration found at /boot/config-3.10.0-123.9.3.el7.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled
libvirt does not use lxc tools, so if lxc-checkconfig reports that everything is enabled, it does not necessarily mean that everything libvirt requires is enabled. Also, since this is an upstream bug tracker, it is generally better to file bugs concerning libvirt packages released in a specific Linux distribution in the bug tracking system used by that distribution (which would be the CentOS bug tracking system in this case). Anyway, please follow http://wiki.libvirt.org/page/DebugLogs to get debug logs from libvirtd and try to reproduce the issue. Libvirt detects whether user namespace is supported by actually trying to call clone() with the appropriate flags, and we need to see why the call failed.
Created attachment 962427 (debug log)
I was using lxc-checkconfig as it checks the kernel config to ensure CONFIG_USER_NS et al. are enabled. Here is the relevant extract from the log; attached is the full log:

2014-11-28 10:57:46.811+0000: 20105: debug : virLXCControllerSetupAllHostdevs:1633 : Setup all hostdevs
2014-11-28 10:57:46.811+0000: 20105: debug : virFileMakePathHelper:2201 : path=/var/run/libvirt/lxc/mycentos7.fuse/ mode=0777
2014-11-28 10:57:46.812+0000: 20105: debug : virLXCControllerSetupConsoles:1985 : Opening tty on private /var/run/libvirt/lxc/mycentos7.devpts/ptmx
2014-11-28 10:57:46.812+0000: 20105: debug : virArchFromHost:174 : Mapped x86_64 to 28 (x86_64)
2014-11-28 10:57:46.812+0000: 20105: debug : lxcContainerAvailable:2002 : clone call returned Invalid argument, container support is not enabled
2014-11-28 10:57:46.812+0000: 20105: error : lxcContainerStart:1946 : Kernel doesn't support user namespace: Link has been severed
2014-11-28 10:57:46.812+0000: 20105: debug : virFileClose:90 : Closed fd 9
2014-11-28 10:57:46.812+0000: 20105: debug : virFileClose:90 : Closed fd 10
2014-11-28 10:57:46.812+0000: 20105: debug : virFileClose:90 : Closed fd 11
2014-11-28 10:57:46.812+0000: 20105: debug : virFileClose:90 : Closed fd 12
Kernel doesn't support user namespace: Link has been severed
2014-11-28 10:57:46.812+0000: 20105: debug : virCommandRunAsync:2282 : About to run ip link del vnet1
A quick test using the following demo: http://lwn.net/Articles/532593/ gives:

# strace -e clone ./demo_userns
clone(child_stack=0x701090, flags=CLONE_NEWUSER|SIGCHLD) = -1 EINVAL (Invalid argument)
clone: Invalid argument
+++ exited with 1 +++

# uname -a
Linux dev-box.cylo.io 3.10.0-123.9.3.el7.x86_64 #1 SMP Thu Nov 6 15:06:03 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

# grep _NS= /boot/config-3.10.0-123.9.3.el7.x86_64
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
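A small stand-alone probe (added here as an example, not code from libvirt or from the LWN demo) that does the same runtime check libvirt does: it calls clone() with CLONE_NEWUSER and classifies the errno captured immediately after the call, which matters because the debug log above records EINVAL from clone() while the user-facing error names ENOLINK ("Link has been severed"). Reading CONFIG_USER_NS=y from /boot/config is not a substitute for this check, since a kernel can be built with the option and still refuse the flag.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

#define STACK_SIZE (64 * 1024)

/* The child does nothing; we only care whether the kernel let it be created. */
static int child_fn(void *arg) { (void)arg; return 0; }

/* Returns 1 if clone(CLONE_NEWUSER) succeeds, 0 if it fails.
 * *err receives errno captured right after the call (0 on success). */
int probe_userns(int *err)
{
    char *stack = malloc(STACK_SIZE);
    if (!stack) { *err = errno; return 0; }
    /* Stack grows down on x86, so pass the top of the buffer. */
    pid_t pid = clone(child_fn, stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, NULL);
    int saved = errno; /* save before any later libc call can clobber it */
    if (pid == -1) { free(stack); *err = saved; return 0; }
    waitpid(pid, NULL, 0);
    free(stack);
    *err = 0;
    return 1;
}

/* Map the probe's errno to the most likely cause. */
const char *userns_explain(int err)
{
    switch (err) {
    case 0:      return "user namespaces supported";
    case EINVAL: return "CLONE_NEWUSER rejected: kernel built without CONFIG_USER_NS, "
                        "or user namespaces compiled in but disabled by the distribution kernel";
    case EPERM:  return "CLONE_NEWUSER not permitted: insufficient privilege or a sandbox/seccomp policy";
    case ENOSPC: return "user namespace nesting depth or count limit reached";
    default:     return strerror(err);
    }
}

int main(void)
{
    int err;
    int ok = probe_userns(&err);
    printf("clone(CLONE_NEWUSER): %s (errno %d: %s)\n",
           ok ? "ok" : "failed", err, userns_explain(err));
    return ok ? 0 : 1;
}
```

Run it on the affected host with strace -e clone as in the comment above; the errno it prints is the one to compare against the "Link has been severed" message libvirt reports.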
It appears to be a kernel issue with CentOS 7 using the stock kernel; 3.17.4-1.el7.elrepo.x86_64 does not show these issues. I will take the ticket over to CentOS.
If your filesystem is XFS, kernel namespaces are supported only after kernel 3.12 (http://kernelnewbies.org/Linux_3.12#head-f0e125622a83f47d0b80e08e807e0252cefc9805). It would explain why it works when you updated the kernel. No idea why lxc-checkconfig is reporting "enabled" though.
I take back what I said. I tried with an ext4 filesystem, CentOS 7.1, and I have this exact same error. With an updated kernel (4.0), I don't have this error anymore, but it makes the whole system crash.