[SOLVED] lxc-start fails! --> unsupported debian version '9.1'

[GUENTER]

Hello,

today I install an lxc Container with Debian 9.02 and do an dist-upgrade, now I am not able to start the container anymore because I get the Error Message

#lxc-start -F -n 103  --logfile=lxc.log --logpriority=debug

unsupported debian version '9.1'
lxc-start: conf.c: run_buffer: 405 Script exited with status 25.
lxc-start: start.c: lxc_init: 450 Failed to run lxc.hook.pre-start for container "103".
lxc-start: start.c: __lxc_start: 1321 Failed to initialize container "103".
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
root@server:/mnt2/usr/local/Xeoma# lxc-start -n 103
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options

and the log contains:

Spoiler: lxc.log

lxc-start 20170722113609.552 INFO lxc_start_ui - tools/lxc_start.c:main:275 - using rcfile /var/lib/lxc/103/config
lxc-start 20170722113609.552 WARN lxc_confile - confile.c:config_pivotdir:1910 - lxc.pivotdir is ignored. It will soon become an error.
lxc-start 20170722113609.552 WARN lxc_start - start.c:lxc_check_inherited:238 - Inherited fd: 3.
lxc-start 20170722113609.552 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for reject_force_umount action 0.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for reject_force_umount action 0.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .[all].
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .kexec_load errno 1.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for kexec_load action 327681.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for kexec_load action 327681.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .open_by_handle_at errno 1.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for open_by_handle_at action 327681.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for open_by_handle_at action 327681.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .init_module errno 1.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for init_module action 327681.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for init_module action 327681.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .finit_module errno 1.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for finit_module action 327681.
lxc-start 20170722113609.553 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:270 - Seccomp: got negative for syscall: -10085: finit_module.
lxc-start 20170722113609.553 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:271 - This syscall will NOT be blacklisted.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for finit_module action 327681.
lxc-start 20170722113609.553 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:270 - Seccomp: got negative for syscall: -10085: finit_module.
lxc-start 20170722113609.553 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:271 - This syscall will NOT be blacklisted.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .delete_module errno 1.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for delete_module action 327681.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for delete_module action 327681.
lxc-start 20170722113609.553 INFO lxc_seccomp - seccomp.carse_config_v2:580 - Merging in the compat Seccomp ctx into the main one.
lxc-start 20170722113609.553 INFO lxc_conf - conf.c:run_script_argv:424 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "103", config section "lxc".
lxc-start 20170722113610.424 ERROR lxc_conf - conf.c:run_buffer:405 - Script exited with status 25.
lxc-start 20170722113610.425 ERROR lxc_start - start.c:lxc_init:450 - Failed to run lxc.hook.pre-start for container "103".
lxc-start 20170722113610.426 ERROR lxc_start - start.c:__lxc_start:1321 - Failed to initialize container "103".
lxc-start 20170722113610.426 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170722113610.426 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start 20170722113658.218 INFO lxc_start_ui - tools/lxc_start.c:main:275 - using rcfile /var/lib/lxc/103/config
lxc-start 20170722113658.219 WARN lxc_confile - confile.c:config_pivotdir:1910 - lxc.pivotdir is ignored. It will soon become an error.
lxc-start 20170722113658.225 WARN lxc_start - start.c:lxc_check_inherited:238 - Inherited fd: 3.
lxc-start 20170722113658.225 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for reject_force_umount action 0.
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for reject_force_umount action 0.
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .[all].
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .kexec_load errno 1.
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for kexec_load action 327681.
lxc-start 20170722113658.226 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for kexec_load action 327681.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .open_by_handle_at errno 1.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for open_by_handle_at action 327681.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for open_by_handle_at action 327681.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .init_module errno 1.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for init_module action 327681.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for init_module action 327681.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .finit_module errno 1.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for finit_module action 327681.
lxc-start 20170722113658.227 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:270 - Seccomp: got negative for syscall: -10085: finit_module.
lxc-start 20170722113658.227 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:271 - This syscall will NOT be blacklisted.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for finit_module action 327681.
lxc-start 20170722113658.227 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:270 - Seccomp: got negative for syscall: -10085: finit_module.
lxc-start 20170722113658.227 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:271 - This syscall will NOT be blacklisted.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .delete_module errno 1.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for delete_module action 327681.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for delete_module action 327681.
lxc-start 20170722113658.227 INFO lxc_seccomp - seccomp.carse_config_v2:580 - Merging in the compat Seccomp ctx into the main one.
lxc-start 20170722113658.227 INFO lxc_conf - conf.c:run_script_argv:424 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "103", config section "lxc".
lxc-start 20170722113658.504 ERROR lxc_conf - conf.c:run_buffer:405 - Script exited with status 25.
lxc-start 20170722113658.504 ERROR lxc_start - start.c:lxc_init:450 - Failed to run lxc.hook.pre-start for container "103".
lxc-start 20170722113658.504 ERROR lxc_start - start.c:__lxc_start:1321 - Failed to initialize container "103".
lxc-start 20170722113658.504 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170722113658.504 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start 20170722114935.859 INFO lxc_start_ui - tools/lxc_start.c:main:275 - using rcfile /var/lib/lxc/103/config
lxc-start 20170722114935.860 WARN lxc_confile - confile.c:config_pivotdir:1910 - lxc.pivotdir is ignored. It will soon become an error.
lxc-start 20170722114935.867 WARN lxc_start - start.c:lxc_check_inherited:238 - Inherited fd: 3.
lxc-start 20170722114935.867 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
lxc-start 20170722114935.868 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
lxc-start 20170722114935.868 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for reject_force_umount action 0.
lxc-start 20170722114935.868 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
lxc-start 20170722114935.868 INFO lxc_seccomp - seccomp.carse_config_v2:570 - Adding compat rule for reject_force_umount action 0.
lxc-start 20170722114935.868 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
lxc-start 20170722114935.868 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .[all].
lxc-start 20170722114935.868 INFO lxc_seccomp - seccomp.carse_config_v2:402 - processing: .kexec_load errno 1.
lxc-start 20170722114935.868 INFO lxc_seccomp - seccomp.carse_config_v2:567 - Adding native rule for kexec_load action 327681.

I hope this will be fixed in proxmox ASAP otherwise the usage of lxc in productive environment will not be possible!

Many thanks for your support in advance!

Guenter

 

[ABM IT Monk]

We also got this error. Here is a quick patch until the Proxmox folks provide an update:

--- /usr/share/perl5/PVE/LXC/Setup/Debian.pm.orig    2017-07-22 08:57:59.495838723 -0700
+++ /usr/share/perl5/PVE/LXC/Setup/Debian.pm    2017-07-22 08:53:18.607049610 -0700
@@ -28,7 +28,7 @@
     $version = $1;
 
     die "unsupported debian version '$version'\n"
-    if !($version >= 4 && $version <= 9);
+    if !($version >= 4 && $version <= 9.1);
 
     my $self = { conf => $conf, rootdir => $rootdir, version => $version };

 

[GUENTER]

Hello ABM,

you are the man!

This fixed it and I changed it to 9.9 ;-)

Best regards
Peter

 

[LnxBil]

Better fix would be to convert to integer :-D

 

[Joo Kim]

Thanks so much.

 

[harvie]

OMG. This is worst bug i've ever seen. Please remove this useless check completely. There should be warning or something. But certainly it should not prevent debian container from booting. There's no point. If it will fail to boot it's sufficient to have the warning message. As you can see it's quite possible that it will not fail unless you make it to fail artificialy. This check is nonsense and gets me angry that i had to solve such unnecessary problem.

 

[harvie]

Also the message "unsupported debian version '9.1'" should be imediately visible in pve web interface without having to look it up manualy in logs using ssh and launching containers in foreground mode manualy specifiing the log file.

 

[tom]

this small issue was fixed within one day, so what do you miss exactly?

 

[harvie]

I think i've described it enough. I don't have problem with bug itself, but with this whole way of thinking that allowed this bug to happen at all. I was on vacation (= not upgrading proxmox) and admin of container upgraded debian inside it. Rendering it useless after reboot. This is just stupid.

The "fix" in latest version looks like this:

die "unsupported debian version '$version'\n"
if !($version >= 4 && $version <= 10);

That means if new debian gets released and i will upgrade it without upgrading proxmox it will:

1.) Fail even when there's no real reason to fail
2.) Fail without telling me why it failed = without displaying "unsupported debian version" message. it's relatively complicated to just get this message printed on screen.

I think version mismatch should never prevent LXC from starting. It's just stupid. It might cause some misbehaviour, but i can live with that as long as warning message is displayed on PVE web interface. Everything is better than not starting LXC at all. Unsupported debian version will most likely cause some minor problems like slightly misconfigured network settings in case that debian makes major change in network configuration scripts. They would also have to drop backward compatibility, which is something that debian does only after long time and very very carefully.

In my opinion there's no point nor excuse for preventing otherwie healthy container from booting up. Even in case it's labeled as Debian version 65536. Just boot it. There still can be error message in case something will go wrong (which probably will not).

 

[dcsapak]

I think version mismatch should never prevent LXC from starting. It's just stupid. It might cause some misbehaviour, but i can live with that as long as warning message is displayed on PVE web interface. Everything is better than not starting LXC at all. Unsupported debian version will most likely cause some minor problems like slightly misconfigured network settings in case that debian makes major change in network configuration scripts. They would also have to drop backward compatibility, which is something that debian does only after long time and very very carefully.

while i think the whole situation can be improved upon (e.g. better error output from lxc errors (btw this is not easy because of how lxc errors are displayed/handled) and/or a possibility to override the detection) having wrong configuration can be potentially dangerous (e.g. ignoring vlan settings because of changed syntax), so not starting (by default) is a cautious choice IMHO

 

[omgs]

My two cents about this: I don't think that, and mostly talking about Debian, are any issues between major versions. I say this because as long as a template exists (and there's one for 9.0), upgrading to 9.x shouldn't be an issue. Also, as long as there aren't any news about any kind of incompatibility because a change in a future major version, you can't prevent that eventual upgrade to happen. And if such "warning" arises, part of the work should point to "fix" the issue instead of trying to prevent it (better than later, because at some point in the future you won't be able to prevent upgrading to a stable version).

What can be in the background for worrying so much about "uncontrolled" upgrades? Whatever it is, and while there may be any kind of work in progress, I can think of two ways of workaround: 1) Provide a working template with the "fixes"; 2) Provide info about what the issue is and what to do or not to prevent getting into trouble.

Last, but not least, I don't think that anybody using proxmox and production sites, tries to use the product as a "sandbox". And since lxc is running the containers and there aren't any complaints on that side, proxmox team shouldn't worry so much.

Regards.

 

[harvie]

OMFG it happened again. This time with container that states "squeeze/sid" in /etc/debian_version here i am again doing workarounds in /usr/share/perl5/PVE/LXC/Setup/Debian.pm at 2:30 freaking o'clock AM to get LXC container working. (which worked without problem in pure OpenVZ without proxmox BTW)


# translate testing version names
$version = 6 if $version eq 'squeeze/sid'; #had to add this line
$version = 9.1 if $version eq 'stretch/sid';
$version = 10 if $version eq 'buster/sid';

There are probably more of these versions that are left forgotten. Plese disable these tests completely.
Or at least GIVE REAL ERROR DESCRIPTION. Right now error looks like this:

stopped: command 'systemctl start lxc@214' failed: exit code 1

output:

Job for lxc@214.service failed. See 'systemctl status lxc@214.service' and 'journalctl -xn' for details.
TASK ERROR: command 'systemctl start lxc@214' failed: exit code 1

this is completele nonsense! both systemctl status and journalctl almost never give usefull info.
even using lxc-start to start container in foreground with high loglevel (suggested by google) was useless.

I found what causes my problem only because i checked it randomly because i had this problem in past! It's like worst bug ever. Artificialy created problem which is then hidden behind systemd with no easy way to diagnose.

 

[harvie]

Turns out i migrated ubuntu CT (OpenVZ) to debian CT (Proxmox LXC) using rsync. You have to create container with right os template. It cannot be changed using web, i had to manualy edit "ostype" in config file. There probably should be some warning if you try to boot CT with wrong ostype.

 

[harvie]

And here i go again adding $version = 6 if $version eq 'squeeze/sid'; to /usr/share/perl5/PVE/LXC/Setup/Debian.pm after upgrade to proxmox 5.0. I guess all testing version names are missing for older debian versions...

 

[harvie]

proxmox 5.1 upgrade still same problem

 

[________]

Just came across this after upgrading the distro in one of my containers. Thank you! I saved a lot of time by not having to figure out the cryptic error messages.

By the way are the files in /usr/share/perl5/PVE/LXC/Setup/*.pm overwritten when upgrading the Proxmox host? If so then I hope I remember this thread for that time...

 

[harvie]

By the way are the files in /usr/share/perl5/PVE/LXC/Setup/*.pm overwritten when upgrading the Proxmox host?

Yes, it's owerwritten with each upgrade, since these files are the code of the Proxmox VE itself. It sux a big time, since the autodetection is too paranoid.

 

[FrankB]

After modifying /usr/share/perl5/PVE/LXC/Setup/Debian.pm do I need to restart something? Mine is still erroring with debian 9.

 

[dietmar]

After modifying /usr/share/perl5/PVE/LXC/Setup/Debian.pm do I need to restart something? Mine is still erroring with debian 9.

What version do you run?

# pveversion -v

 

[FrankB]

What version do you run?

# pveversion -v

I ended up doing a dist-upgrade on the box and that fixed this problem as well.