On Sun, 2024-03-10 at 22:56 -0700, Mike Wright wrote:
On 3/10/24 15:40, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:
The last two lines are key. Add these flags: -F -o logfile. The default loglevel is ERROR. If you want more detail include -l LEVEL.
e.g. lxc-start -n containerName -F -o containerName.log -l WARN
This is what I get:
$ lxc-start -n test -F -o test.log -l WARN
<snip/> > $ cat test.log > lxc-start test 20240310223702.913 ERROR cgfsng - > cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or > resource busy - Could not enable "+cpu +io +memory +pids" > controllers in the unified cgroup 9 > lxc-start test 20240310223702.934 ERROR cgfsng - > cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or > resource busy - Could not enable "+cpu +io +memory +pids" > controllers in the unified cgroup 9
I use this:
lxc.apparmor.profile=unconfined
which runs the container as root. That setting doesn't stop you from adding profiles.
AFAIK 'apparmor' is a Ubuntu-ism. Both my system and the system in the container are Fedora 39.
If I disable that line I get a cgfsng WARN and the container won't start. ( My containers are used for local services so I'm pretty lax about running them as root. They are also heavily firewalled behind a router (also a container which starts the firewall then puts an IP on the WAN and sets the default route. Until the router container comes up my host has no network connectivity at all) )
Also, you're remapping IDs. What happens if you comment those out?
I thought that was part of the whole point of using separate namespaces.
My thought here is to get it running as root first then begin the process of securing it as you see fit.
I don't have this in my configs but I found this:
lxc.cgroup.devices.allow=a
I'll try that.
poc