
fork error on centos 7.2

Open satra opened this issue 9 years ago • 10 comments

we now have centos 7.2 with an updated shadow-utils installed, but running into a forking error.

vagga git hash: gf875e05

uname: Linux node053 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

strace output: https://www.dropbox.com/s/qc5ztndrk9gho02/strace2.log?dl=0

satra avatar Jan 10 '16 15:01 satra

@tailhook - any thoughts here?

satra avatar Jan 14 '16 01:01 satra

Well, no good ideas so far. Try look at kernel config and see if options CONFIG_USER_NS, CONFIG_SYSVIPC, CONFIG_IPC_NS, CONFIG_NET_NS, CONFIG_PID_NS and CONFIG_UTS are set to =y

tailhook avatar Jan 14 '16 09:01 tailhook

all options are set.

CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SYSVIPC=y

if it helps i can't seem to get lxc-create (from lxc 1.1.5) to work either on this system, but the error is different.

satra avatar Jan 14 '16 14:01 satra

@satra interesting, what error do you get from LXC?

tailhook avatar Jan 14 '16 14:01 tailhook

$ lxc-create -t download -n p1 -- -d ubuntu -r trusty -a amd64
unshare: Invalid argument
read pipe: No such file or directory
lxc-create: lxccontainer.c: do_create_container_dir: 879 Failed to chown container dir
lxc-create: lxc_create.c: main: 274 Error creating container p1

satra avatar Jan 14 '16 14:01 satra

Well, unshare: Invalid argument is exactly the same error. Everything later is just symptoms rather than failure reason.

tailhook avatar Jan 14 '16 15:01 tailhook

@satra have you tried to run either of these with sudo? Don't you run it in chroot? Do you have some MAC activated? (from strace it looks like you don't have SELinux, maybe AppArmor or anything in CentOS).

Anyway, it looks like a kernel issue. Maybe CentOS has some patches in the kernel? I'm not sure where to look.

tailhook avatar Jan 14 '16 15:01 tailhook

i don't have sudo privileges on the node. i can check if that helps.

regarding MACs we do have cgroups enabled.

i'll try to run it in a vanilla centos vm/chroot to see if it works.

satra avatar Jan 14 '16 15:01 satra

Well, user namespaces don't work in chroot. (I believe it should return "Permission Denied" rather than "Invalid argument" but I'm not sure).

Cgroups should probably have no meaning.

i don't have sudo privileges on the node. i can check if that helps.

I'm not sure if that would be helpful. But if user namespaces work for root, this means either the kernel has been patched to work for root only (it is in some distributions), or we reached another undocumented limitation of namespaces. The chroot one is one such limitation that was discovered experimentally. There are plenty of others, though. It may also be useful to see the CapXXX lines from /proc/self/status.

tailhook avatar Jan 14 '16 15:01 tailhook
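The two checks suggested in this thread (the namespace kernel options, and the Cap* lines from /proc/self/status) can be scripted. The following is an added example, not code from the vagga project or from anyone in this thread; the function names, the sample config and the sample status text are constructed for illustration, and the live part only reads /proc/config.gz, /boot/config-$(uname -r), /proc/self/status and /proc/sys/user/max_user_namespaces when they exist.

```shell
#!/bin/sh
# Added example (not vagga code): check the preconditions discussed in the thread.
# 1) report namespace kernel options that are not "=y" in a kernel config text,
# 2) decode Cap* masks from /proc/<pid>/status-style text,
# 3) run both against the live host when the sources are readable.

# Options named in the thread (CONFIG_UTS_NS is the real name of the UTS option).
NS_OPTIONS="CONFIG_NAMESPACES CONFIG_USER_NS CONFIG_SYSVIPC CONFIG_IPC_NS CONFIG_NET_NS CONFIG_PID_NS CONFIG_UTS_NS"

# Print, one per line, every option from NS_OPTIONS that is not "=y" in the
# kernel config text given as $1. Prints nothing when all are enabled.
missing_ns_options() {
    for opt in $NS_OPTIONS; do
        printf '%s\n' "$1" | grep -qx "${opt}=y" || printf '%s\n' "$opt"
    done
}

# Print the hex mask of capability field $2 (CapEff, CapBnd, ...) taken from
# /proc/<pid>/status-style text $1.
cap_mask() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# Succeed when bit $2 is set in hex mask $1. Bit numbers follow
# linux/capability.h: CAP_SYS_ADMIN is 21, CAP_SETUID is 7.
cap_has_bit() {
    mask=$((0x$1))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# Constructed sample config: a kernel built without user namespaces.
SAMPLE_CONFIG='CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
# CONFIG_USER_NS is not set
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SYSVIPC=y'

# Constructed sample status: an unprivileged shell (empty effective set,
# full bounding set), which is what a non-root user like the reporter sees.
SAMPLE_STATUS='Name: sh
Uid: 1000 1000 1000 1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000001fffffffff'

# Print a human-readable summary for a config text ($1) and status text ($2).
report() {
    missing=$(missing_ns_options "$1")
    if [ -n "$missing" ]; then
        printf 'kernel options not enabled:\n%s\n' "$missing"
    else
        printf 'all namespace options are =y\n'
    fi
    eff=$(cap_mask "$2" CapEff)
    if cap_has_bit "$eff" 21; then
        printf 'CapEff %s: CAP_SYS_ADMIN present (a root-only user-ns kernel may still work)\n' "$eff"
    else
        printf 'CapEff %s: no CAP_SYS_ADMIN, unprivileged user namespaces are required\n' "$eff"
    fi
}

printf '== constructed sample ==\n'
report "$SAMPLE_CONFIG" "$SAMPLE_STATUS"

# Live check on the current host, only if the usual sources are readable.
live_config=""
if [ -r /proc/config.gz ]; then
    live_config=$(gzip -dc /proc/config.gz)
elif [ -r "/boot/config-$(uname -r)" ]; then
    live_config=$(cat "/boot/config-$(uname -r)")
fi
if [ -n "$live_config" ] && [ -r /proc/self/status ]; then
    printf '== this host ==\n'
    report "$live_config" "$(cat /proc/self/status)"
fi
# Newer kernels (4.9+, plus some distribution backports) expose this sysctl;
# a value of 0 disables user namespaces regardless of the build option.
if [ -r /proc/sys/user/max_user_namespaces ]; then
    printf 'user.max_user_namespaces=%s\n' "$(cat /proc/sys/user/max_user_namespaces)"
fi
```

On the constructed sample the script reports CONFIG_USER_NS as missing and an empty CapEff; on the reporter's node the config part would come back clean (all options are =y per the output above), which is why the capability and distribution-policy checks matter more here than the build options.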

Well, it looks like RHEL 7 with kernel 3.10 (which CentOS inherits AFAIK) doesn't allow unprivileged users to use user namespaces because they explicitly disabled the functionality: https://bugzilla.redhat.com/show_bug.cgi?id=917708

tailhook avatar Jan 14 '16 16:01 tailhook