Tumbleweed 0408 systemd 246.13 LXC 又滚挂了

fengliqiang · 2021年04月12日 09:13

工作机 zypper dup 更新了一下, lxd 又出状况了,所有 centos7 的容器全部卡死在 init 上, strace 看到卡在 epoll_wait, 有没有人遇到? lxd 版本 4.12-2.1, 源上 4.11-1.2 已经没了,不知道咋滚回去

LiuSen · 2021年04月12日 12:48

在开机时，可以在 grub 的菜单中选择启动之前的快照。

可以考虑到 tg 群中求助，那边的反应会更及时一些。

fengliqiang · 2021年04月16日 03:42

我用的 xfs 分区,所以… 没快照功能.

Tumbleweed 又更新了, lxd 升到了 4.13
所有的 centos7 和 ubuntu16.04 容器都不能启动,卡在 init 上.

marguerite · 2021年04月16日 05:03

@fengliqiang

发 log 啊

fengliqiang · 2021年04月16日 06:41

ubuntu16 的 log 都是这样的:

linux-aka6:/var/log/lxd # cat test-golang/console.log
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!] Failed to mount API filesystems, freezing.
Freezing execution.
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!] Failed to mount API filesystems, freezing.
Freezing execution.

centos7 的 log 都长这样:

linux-aka6:/var/log/lxd # cat testcentos/console.log
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!

Initializing machine ID from random generator.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Cannot determine cgroup we are running in: No such file or directory
Failed to allocate manager object: No such file or directory
[!!!] Failed to allocate manager object, freezing.

fengliqiang · 2021年04月16日 06:45

两个容器 init 进程的 cgroup 是这样的:

ubuntu:

linux-aka6:~ # cat /proc/8763/cgroup 
0::/lxc.payload.test-golang

centos7:

linux-aka6:~ # cat /proc/7683/cgroup 
0::/lxc.payload.testcentos

fengliqiang · 2021年04月16日 06:57

配置文件:

linux-aka6:/var/log/lxd # ll test-golang/
总用量 8
-rw------- 1 root root  376  4 月 16 11:36 console.log
-rw-r--r-- 1 root root    0  4 月 16 11:36 forkexec.log
-rw-r--r-- 1 root root    0  4 月 16 11:36 forkstart.log
-rw-r----- 1 root root 2063  4 月 16 11:36 lxc.conf
-rw-r----- 1 root root    0  4 月 16 11:36 lxc.log
-rw-r----- 1 root root    0  4 月 16 11:07 lxc.log.old
linux-aka6:/var/log/lxd # cat test-golang/lxc.conf 
lxc.log.file = /var/log/lxd/test-golang/lxc.log
lxc.log.level = warn
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = /var/log/lxd/test-golang/console.log
lxc.mount.auto = proc:rw sys:rw cgroup:rw:force
lxc.autodev = 1
lxc.pty.max = 1024
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional 0 0
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/config sys/kernel/config none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/tracing sys/kernel/tracing none rbind,create=dir,optional 0 0
lxc.mount.entry = /dev/mqueue dev/mqueue none rbind,create=dir,optional 0 0
lxc.include = /usr/share/lxc/config/common.conf.d/
lxc.arch = linux64
lxc.hook.version = 1
lxc.hook.pre-start = /proc/2918/exe callhook /var/lib/lxd "default" "test-golang" start
lxc.hook.stop = /usr/bin/lxd callhook /var/lib/lxd "default" "test-golang" stopns
lxc.hook.post-stop = /usr/bin/lxd callhook /var/lib/lxd "default" "test-golang" stop
lxc.tty.max = 0
lxc.uts.name = test-golang
lxc.mount.entry = /var/lib/lxd/devlxd dev/lxd none bind,create=dir 0 0
lxc.apparmor.profile = lxd-test-golang_</var/lib/lxd>//&:lxd-test-golang_<var-lib-lxd>:
lxc.seccomp.profile = /var/lib/lxd/security/seccomp/test-golang
lxc.idmap = u 0 400000000 500000001
lxc.idmap = g 0 400000000 500000001
lxc.mount.auto = shmounts:/var/lib/lxd/shmounts/test-golang:/dev/.lxd-mounts
lxc.net.0.type = phys
lxc.net.0.name = eth0
lxc.net.0.flags = up
lxc.net.0.link = veth3a9373d4
lxc.rootfs.path = dir:/var/lib/lxd/containers/test-golang/rootfs
linux-aka6:/var/log/lxd # 
linux-aka6:/var/log/lxd # 
linux-aka6:/var/log/lxd # 
linux-aka6:/var/log/lxd # 
linux-aka6:/var/log/lxd # ll testcentos/
总用量 8
-rw------- 1 root root  728  4 月 16 11:13 console.log
-rw-r--r-- 1 root root    0  4 月 16 11:13 forkexec.log
-rw-r--r-- 1 root root    0  4 月 16 11:13 forkstart.log
-rw-r----- 1 root root 2052  4 月 16 11:13 lxc.conf
-rw-r----- 1 root root    0  4 月 16 11:13 lxc.log
-rw-r----- 1 root root    0  4 月 16 11:13 lxc.log.old
linux-aka6:/var/log/lxd # cat testcentos/lxc.conf 
lxc.log.file = /var/log/lxd/testcentos/lxc.log
lxc.log.level = warn
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = /var/log/lxd/testcentos/console.log
lxc.mount.auto = proc:rw sys:rw cgroup:rw:force
lxc.autodev = 1
lxc.pty.max = 1024
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional 0 0
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/config sys/kernel/config none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/tracing sys/kernel/tracing none rbind,create=dir,optional 0 0
lxc.mount.entry = /dev/mqueue dev/mqueue none rbind,create=dir,optional 0 0
lxc.include = /usr/share/lxc/config/common.conf.d/
lxc.arch = linux64
lxc.hook.version = 1
lxc.hook.pre-start = /proc/2918/exe callhook /var/lib/lxd "default" "testcentos" start
lxc.hook.stop = /usr/bin/lxd callhook /var/lib/lxd "default" "testcentos" stopns
lxc.hook.post-stop = /usr/bin/lxd callhook /var/lib/lxd "default" "testcentos" stop
lxc.tty.max = 0
lxc.uts.name = testcentos
lxc.mount.entry = /var/lib/lxd/devlxd dev/lxd none bind,create=dir 0 0
lxc.apparmor.profile = lxd-testcentos_</var/lib/lxd>//&:lxd-testcentos_<var-lib-lxd>:
lxc.seccomp.profile = /var/lib/lxd/security/seccomp/testcentos
lxc.idmap = u 0 400000000 500000001
lxc.idmap = g 0 400000000 500000001
lxc.mount.auto = shmounts:/var/lib/lxd/shmounts/testcentos:/dev/.lxd-mounts
lxc.net.0.type = phys
lxc.net.0.name = eth0
lxc.net.0.flags = up
lxc.net.0.link = veth7f35db7b
lxc.rootfs.path = dir:/var/lib/lxd/containers/testcentos/rootfs

fengliqiang · 2021年04月19日 15:50

问题定位了.

我找到一个 3 月 21 号的镜像 (openSUSE-Tumbleweed-DVD-x86_64-Snapshot20210321-Media.iso), lxc 一切正常.
然后逐个升级, 发现更新 systemd 后故障复现.

解决方案:

$ sudo rpm -Uvh --force systemd-246.11-1.1.x86_64.rpm  systemd-container-246.11-1.1.x86_64.rpm  systemd-lang-246.11-1.1.noarch.rpm  systemd-sysvinit-246.11-1.1.x86_64.rpm  udev-246.11-1.1.x86_64.rpm

最终方案:

还是用版主给的方案更靠谱:

sudo sed -i 's|GRUB_CMDLINE_LINUX=""|GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"|g' /etc/default/grub
sudo cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
sudo grub2-mkconfig -o /boot/grub2/grub.cfg

zzndb · 2021年04月20日 03:21

好耶！救活了 LXD 里的 docker……

贴一下我的步骤，由于 TW 是在 0408 把 systemd 从 246.11 升级到了 246.13 所以可以添加之前快照对应 history oss（随便找了 nju 的镜像），并使用它对包降级……

sudo zypper ar https://mirrors.nju.edu.cn/opensuse/history/20210406/tumbleweed/repo/oss/ nju_0406_oss
sudo zypper ref nju_0406_oss
sudo zypper in -f --from nju_0406_oss systemd udev
sudo zypper mr -d nju_0406_oss

照着提示选择降级操作解决依赖问题，禁用这个源，然后重启。

marguerite · 2021年04月20日 05:15

Default to the “unified” cgroup hierarchy. At this point, most users of cgroup (such as docker, libvirt, kubernetes) should be ready for this change. It’s still possible to switch back to the old “hybrid” hierarchy by passing “systemd.unified_cgroup_hierarchy=0” option to the kernel command line.

systemd 的这个 change 导致的，降级使用也不太好，不一定什么时候就误操作升上去了

marguerite · 2021年04月20日 05:17

不像上面那么搞可以像这样搞 lxc

github.com/lxc/lxc

lxc does not work with systemd unified cgroup hierarchy

opened 02:47PM - 17 Mar 20 UTC

closed 03:02PM - 17 Mar 20 UTC

sebelk

The template below is mostly useful for bug reports and support questions. Feel… free to remove anything which doesn't apply to you and add more information where it makes sense. # Required information * Distribution: Fedora 31 * Distribution version: 3.0.4 * The output of * `lxc-start --version` `3.0.4` * `lxc-checkconfig` ~~~ Kernel configuration not found at /proc/config.gz; searching... Kernel configuration found at /boot/config-5.4.18-200.fc31.x86_64 --- Namespaces --- Namespaces: enabled Utsname namespace: enabled Ipc namespace: enabled Pid namespace: enabled User namespace: enabled Warning: newuidmap is not setuid-root Warning: newgidmap is not setuid-root Network namespace: enabled --- Control groups --- Cgroups: enabled Cgroup v1 mount points: Cgroup v2 mount points: /sys/fs/cgroup Cgroup v1 systemd controller: missing Cgroup v1 freezer controller: missing Cgroup namespace: required Cgroup device: enabled Cgroup sched: enabled Cgroup cpu account: enabled Cgroup memory controller: enabled Cgroup cpuset: enabled --- Misc --- Veth pair device: enabled, loaded Macvlan: enabled, not loaded Vlan: enabled, not loaded Bridges: enabled, loaded Advanced netfilter: enabled, not loaded CONFIG_NF_NAT_IPV4: missing CONFIG_NF_NAT_IPV6: missing CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded FUSE (for use with lxcfs): enabled, loaded --- Checkpoint/Restore --- checkpoint restore: enabled CONFIG_FHANDLE: enabled CONFIG_EVENTFD: enabled CONFIG_EPOLL: enabled CONFIG_UNIX_DIAG: enabled CONFIG_INET_DIAG: enabled CONFIG_PACKET_DIAG: enabled CONFIG_NETLINK_DIAG: enabled File capabilities: Note : Before booting a new kernel, you can check its configuration usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig ~~~ * `uname -a` `Linux dublin.ireland.home 5.4.18-200.fc31.x86_64 #1 SMP Fri Feb 7 14:50:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux` * `cat /proc/self/cgroup` `0::/user.slice/user-1000.slice/session-4.scope` * `cat /proc/1/mounts` ``` sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 devtmpfs /dev devtmpfs rw,nosuid,size=8115572k,nr_inodes=2028893,mode=755 0 0 securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0 tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0 devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0 tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0 cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0 pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0 efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0 none /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0 configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0 /dev/mapper/fedora-root / ext4 rw,relatime 0 0 systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=18870 0 0 hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0 mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0 debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0 tmpfs /tmp tmpfs rw,nosuid,nodev 0 0 binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0 fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0 /dev/sda3 /mnt/win10 fuseblk rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0 /dev/mapper/fedora-home /home ext4 rw,relatime 0 0 /dev/sda5 /boot ext4 rw,relatime 0 0 /dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro 0 0 sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0 tracefs /sys/kernel/debug/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0 tmpfs /run/user/1001 tmpfs rw,nosuid,nodev,relatime,size=1627048k,mode=700,uid=1001,gid=1002 0 0 tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=1627048k,mode=700,uid=1000,gid=1000 0 0 /dev/mapper/fedora-root /var/lib/docker/containers ext4 rw,relatime 0 0 ``` # Issue description lxc does not start with cgroupsv2 A brief description of what failed or what could be improved. # Steps to reproduce Simply start a container: `lxc-start -n centos8` # Information to attach - [x] any relevant kernel output (`dmesg`) ``` [mar mar 17 10:04:14 2020] SELinux: Disabled at runtime. [mar mar 17 10:04:14 2020] systemd[1]: systemd v243.7-1.fc31 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified) ``` - [x] container log (The <log> file from running `lxc-start -n <c> -l <log> -o DEBUG`) ``` lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1275 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:monitor_create_path_for_hierarchy:1296 - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/centos8" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1385 - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/centos8" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1275 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:monitor_create_path_for_hierarchy:1296 - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/centos8-1" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1385 - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/centos8-1" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1275 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:monitor_create_path_for_hierarchy:1296 - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/centos8-2" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1385 - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/centos8-2" lxc-start centos8 20200317140446.931 ERROR cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1275 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/" (...) lxc-start centos8 20200317140446.955 ERROR cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1275 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/" lxc-start centos8 20200317140446.955 ERROR cgfsng - cgroups/cgfsng.c:monitor_create_path_for_hierarchy:1296 - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/centos8-999" lxc-start centos8 20200317140446.955 ERROR cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1385 - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.monitor/centos8-999" lxc-start centos8 20200317140446.955 ERROR start - start.c:__lxc_start:1986 - Failed to create monitor cgroup lxc-start centos8 20200317140446.955 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:850 - Received container state "STOPPING" instead of "RUNNING" lxc-start centos8 20200317140446.955 ERROR lxc_start - tools/lxc_start.c:main:329 - The container failed to start lxc-start centos8 20200317140446.955 ERROR lxc_start - tools/lxc_start.c:main:332 - To get more details, run the container in foreground mode lxc-start centos8 20200317140446.955 ERROR lxc_start - tools/lxc_start.c:main:334 - Additional information can be obtained by setting the --logfile and --logpriority options lxc-start centos8 20200317140446.960 ERROR utils - utils.c:mkdir_p:245 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.pivot" lxc-start centos8 20200317140446.960 WARN cgfsng - cgroups/cgfsng.c:cgfsng_monitor_destroy:1164 - Permission denied - Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-4.scope/lxc.pivot" ``` - [x] the containers configuration file ``` lxc.include = /usr/share/lxc/config/common.conf lxc.include = /usr/share/lxc/config/userns.conf lxc.arch = x86_64 lxc.idmap = u 0 100000 65536 lxc.idmap = g 0 100000 65536 lxc.net.0.type = veth lxc.net.0.link = lxcbr0 lxc.net.0.flags = up lxc.net.0.hwaddr = 00:16:3e:21:8d:0f lxc.rootfs.path = dir:/home/sergio/.local/share/lxc/centos8/rootfs lxc.uts.name = centos8 ``` If I add the kernel parameter `systemd.unified_cgroup_hierarchy=0` and then run systemd-run --user --scope -p "Delegate=yes" lxc-start -n centos8` works, but I wonder if there is a plan to lxc be cgroupsv2 fully compatible

Actually, for vanilla LXC 3.0.4, addition of

lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =
lxc.init.cmd = /lib/systemd/systemd systemd.unified_cgroup_hierarchy=1

to a container config is sufficient to allow usual start-up of a Linux distro with a recent version of systemd in an LXC container running on a Linux host booted with systemd.unified_cgroup_hierarchy=1.

system · 2021年04月20日 06:53

本主题在最后一个回复创建后60分钟后自动锁定。不再允许添加新回复。