On 3/10/24 15:40, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:
The last two lines are key. Add these flags: -F -o logfile. The default loglevel is ERROR. If you want more detail include -l LEVEL.
e.g. lxc-start -n containerName -F -o containerName.log -l WARN
This is what I get:
$ lxc-start -n test -F -o test.log -l WARN
<snip/>
$ cat test.log lxc-start test 20240310223702.913 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9 lxc-start test 20240310223702.934 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
I use this:
lxc.apparmor.profile=unconfined
which runs the container as root. That setting doesn't stop you from adding profiles.
If I disable that line I get a cgfsng WARN and the container won't start. ( My containers are used for local services so I'm pretty lax about running them as root. They are also heavily firewalled behind a router (also a container which starts the firewall then puts an IP on the WAN and sets the default route. Until the router container comes up my host has no network connectivity at all) )
Also, you're remapping IDs. What happens if you comment those out?
My thought here is to get it running as root first then begin the process of securing it as you see fit.
I don't have this in my configs but I found this:
lxc.cgroup.devices.allow=a