Some little direction with what i think are cgroup/appamour issues with LXC

[James Crook]

Long story short, our demo box (LXC is privilaged) is failing to start some services with
Failed to reset devices.list: Operation not permitted

This has started since we did updates to the hosts, but as it's a demo container it wasn't caught till now.

I'm looking for a bit of help with figuring out how much permissions i need to give it, through appamour (rather than lxc.apparmor.profile: unconfined) and cgroups (rather than lxc.cgroup.devices.allow: a)

I'm suspecting cgroup as i think there were changes in the kernel to cgroup v2 (i'm a little bit behind on my podcasts)

Just want pointing in the right direction for tools i can or commands i can run to figure out what the container is asking for.

 

[fabian]

do you actually experience any issues? those log lines are normal and usually benign..

 

[James Crook]

do you actually experience any issues? those log lines are normal and usually benign..

Thats what i kept reading, but the services we need in the container fail to start with that error.

 

[fabian]

please post the full journal of such a start attempt..

 

[James Crook]

Attached.

 

[fabian]

the reason why the services don't start is definitely something else, you have to debug the individual services themselves (e.g., check what command(s) get started, try to start them manually with more verbosity and look for errors).

e.g. I see a service crashing on startup:

 43 Jul 24 10:37:29 intralan3cx systemd[1]: Starting 3CX Event Notification Manager...
[..]
117 Jul 24 10:37:29 intralan3cx systemd[1]: 3CXEventNotificationManager.service: Main process exited, code=killed, status=11/SEGV
118 Jul 24 10:37:29 intralan3cx systemd[1]: Failed to start 3CX Event Notification Manager.
119 Jul 24 10:37:29 intralan3cx systemd[1]: 3CXEventNotificationManager.service: Unit entered failed state.
120 Jul 24 10:37:29 intralan3cx systemd[1]: 3CXEventNotificationManager.service: Failed with result 'signal'.

and another one timing out on startup:

[..]
174 Jul 24 10:39:32 intralan3cx systemd[1]: 3CXPhoneSystemMC01.service: Start operation timed out. Terminating.
175 Jul 24 10:39:32 intralan3cx systemd[1]: Failed to start 3CX PhoneSystem 01 Management Console.
176 Jul 24 10:39:32 intralan3cx systemd[1]: 3CXPhoneSystemMC01.service: Unit entered failed state.
177 Jul 24 10:39:32 intralan3cx systemd[1]: 3CXPhoneSystemMC01.service: Failed with result 'timeout'.

 

[James Crook]

the reason why the services don't start is definitely something else, you have to debug the individual services themselves (e.g., check what command(s) get started, try to start them manually with more verbosity and look for errors).

e.g. I see a service crashing on startup:

43 Jul 24 10:37:29 intralan3cx systemd[1]: Starting 3CX Event Notification Manager...
[..]
117 Jul 24 10:37:29 intralan3cx systemd[1]: 3CXEventNotificationManager.service: Main process exited, code=killed, status=11/SEGV
118 Jul 24 10:37:29 intralan3cx systemd[1]: Failed to start 3CX Event Notification Manager.
119 Jul 24 10:37:29 intralan3cx systemd[1]: 3CXEventNotificationManager.service: Unit entered failed state.
120 Jul 24 10:37:29 intralan3cx systemd[1]: 3CXEventNotificationManager.service: Failed with result 'signal'.

and another one timing out on startup:

[..]
174 Jul 24 10:39:32 intralan3cx systemd[1]: 3CXPhoneSystemMC01.service: Start operation timed out. Terminating.
175 Jul 24 10:39:32 intralan3cx systemd[1]: Failed to start 3CX PhoneSystem 01 Management Console.
176 Jul 24 10:39:32 intralan3cx systemd[1]: 3CXPhoneSystemMC01.service: Unit entered failed state.
177 Jul 24 10:39:32 intralan3cx systemd[1]: 3CXPhoneSystemMC01.service: Failed with result 'timeout'.

I was afraid of that, as i suspect they are closed source programs.

Many thanks for this, i'll change angle.