This repository has been archived by the owner on Nov 24, 2022. It is now read-only.

vagrant-lxc nested in lxc #339

Closed
tknerr opened this issue Jan 13, 2015 · 18 comments

tknerr commented Jan 13, 2015

Yesterday I found out about http://circleci.com and that they support running docker containers as part of their build. Within a few hours I got a test-kitchen suite with the kitchen-docker driver up and running:

So I thought: if docker runs, then LXC should work too!

However, I'm a bit stuck with getting vagrant-lxc up and running up there. Here's what I got so far:

This is the relevant part from the logs I guess:

...
       DEBUG driver: Creating container...
        INFO subprocess: Starting process: ["/usr/bin/sudo", "/usr/local/bin/vagrant-lxc-wrapper", "lxc-create", "-B", "best", "--template", "vagrant-tmp-kitchen-sample-toplevel-cookbook-1421181672.596891", "--name", "kitchen-sample-toplevel-cookbook-1421181672.596891", "--", "--tarball", "/home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/rootfs.tar.gz", "--config", "/home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config"]
       DEBUG subprocess: Selecting on IO
       DEBUG subprocess: stderr: tar: dev/ram15: Cannot mknod: Operation not permitted
       tar: dev/smpte0: Cannot mknod: Operation not permitted
       tar: dev/tty: Cannot mknod: Operation not permitted
       tar: dev/zero: Cannot mknod: Operation not permitted
       tar: dev/smpte3: Cannot mknod: Operation not permitted
       tar: dev/kmem: Cannot mknod: Operation not permitted
       tar: dev/smpte2: Cannot mknod: Operation not permitted
       tar: dev/loop4: Cannot mknod: Operation not permitted
       tar: dev/mixer1: Cannot mknod: Operation not permitted
       tar: dev/mpu401data: Cannot mknod: Operation not permitted
       tar: dev/ram16: Cannot mknod: Operation not permitted
       tar: dev/audio3: Cannot mknod: Operation not permitted
       tar: dev/urandom: Cannot mknod: Operation not permitted
       tar: dev/loop6: Cannot mknod: Operation not permitted
       tar: dev/loop2: Cannot mknod: Operation not permitted
       DEBUG subprocess: stderr: tar: dev/mpu401stat: Cannot mknod: Operation not permitted
       tar: dev/dsp2: Cannot mknod: Operation not permitted
       tar: dev/mixer3: Cannot mknod: Operation not permitted
       tar: dev/tty0: Cannot mknod: Operation not permitted
       tar: dev/ram7: Cannot mknod: Operation not permitted
       tar: dev/tty5: Cannot mknod: Operation not permitted
       tar: dev/loop7: Cannot mknod: Operation not permitted
       tar: dev/ptmx: Cannot mknod: Operation not permitted
       tar: dev/ram10: Cannot mknod: Operation not permitted
       tar: dev/midi1: Cannot mknod: Operation not permitted
       tar: dev/sequencer: Cannot mknod: Operation not permitted
       tar: dev/smpte1: Cannot mknod: Operation not permitted
       tar: dev/audio1: Cannot mknod: Operation not permitted
       tar: dev/audioctl: Cannot mknod: Operation not permitted
       tar: dev/loop3: Cannot mknod: Operation not permitted
       tar: dev/midi3: Cannot mknod: Operation not permitted
       tar: dev/full: Cannot mknod: Operation not permitted
       tar: dev/mem: Cannot mknod: Operation not permitted
       tar: dev/dsp1: Cannot mknod: Operation not permitted
       tar: dev/random: Cannot mknod: Operation not permitted
       tar: dev/audio2: Cannot mknod: Operation not permitted
       tar: dev/dsp3: Cannot mknod: Operation not permitted
       tar: dev/ram4: Cannot mknod: Operation not permitted
       tar: dev/ram8: Cannot mknod: Operation not permitted
       tar: dev/ram5: Cannot mknod: Operation not permitted
       tar: dev/ram13: Cannot mknod: Operation not permitted
       tar: dev/null: Cannot mknod: Operation not permitted
       tar: dev/dsp: Cannot mknod: Operation not permitted
       tar: dev/midi01: Cannot mknod: Operation not permitted
       tar: dev/ram11: Cannot mknod: Operation not permitted
       tar: dev/midi2: Cannot mknod: Operation not permitted
       tar: dev/ram2: Cannot mknod: Operation not permitted
       tar: dev/tty9: Cannot mknod: Operation not permitted
       tar: dev/sndstat: Cannot mknod: Operation not permitted
       tar: dev/ram12: Cannot mknod: Operation not permitted
       tar: dev/loop5: Cannot mknod: Operation not permitted
       tar: dev/mixer2: Cannot mknod: Operation not permitted
       tar: dev/mixer: Cannot mknod: Operation not permitted
       tar: dev/loop1: Cannot mknod: Operation not permitted
       tar: dev/port: Cannot mknod: Operation not permitted
       tar: dev/rmidi1: Cannot mknod: Operation not permitted
       tar: dev/rmidi0: Cannot mknod: Operation not permitted
       tar: dev/midi02: Cannot mknod: Operation not permitted
       tar: dev/ram9: Cannot mknod: Operation not permitted
       tar: dev/loop0: Cannot mknod: Operation not permitted
       tar: dev/rmidi3: Cannot mknod: Operation not permitted
       tar: dev/midi00: Cannot mknod: Operation not permitted
       tar: dev/agpgart: Cannot mknod: Operation not permitted
       DEBUG subprocess: stderr: tar: dev/ram14: Cannot mknod: Operation not permitted
       tar: dev/audio: Cannot mknod: Operation not permitted
       tar: dev/tty8: Cannot mknod: Operation not permitted
       tar: dev/midi03: Cannot mknod: Operation not permitted
       tar: dev/ram1: Cannot mknod: Operation not permitted
       tar: dev/midi0: Cannot mknod: Operation not permitted
       tar: dev/tty7: Cannot mknod: Operation not permitted
       tar: dev/tty6: Cannot mknod: Operation not permitted
       tar: dev/ram6: Cannot mknod: Operation not permitted
       tar: dev/ram0: Cannot mknod: Operation not permitted
       tar: dev/ram3: Cannot mknod: Operation not permitted
       tar: dev/rmidi2: Cannot mknod: Operation not permitted
       DEBUG subprocess: stderr: tar: var/lib/sudo: implausibly old time stamp 1970-01-01 00:00:00
       DEBUG subprocess: stderr: tar: Exiting with failure status due to previous errors
       DEBUG subprocess: stderr: lxc_container: container creation template for kitchen-sample-toplevel-cookbook-1421181672.596891 failed
       DEBUG subprocess: stderr: lxc_container: Is the rootfs mounted with -o user_subvol_rm_allowed?
       lxc_container: Error destroying rootfs for kitchen-sample-toplevel-cookbook-1421181672.596891
       lxc_container: Error creating container kitchen-sample-toplevel-cookbook-1421181672.596891
       DEBUG subprocess: stdout: Unpacking the rootfs
       DEBUG subprocess: Waiting for process to exit. Remaining to timeout: 31995
       DEBUG subprocess: Exit status: 0
        INFO driver: Removing LXC template
        INFO subprocess: Starting process: ["/usr/bin/sudo", "/usr/local/bin/vagrant-lxc-wrapper", "rm", "/usr/share/lxc/templates/lxc-vagrant-tmp-kitchen-sample-toplevel-cookbook-1421181672.596891"]
       DEBUG subprocess: Selecting on IO
       DEBUG subprocess: stdout: 
       DEBUG subprocess: Waiting for process to exit. Remaining to timeout: 32000
       DEBUG subprocess: Exit status: 0
...

I'm not really fond of LXC, but I ssh'ed into the box (yes you can do that on circleci) and mimicked some of the commands that vagrant-lxc does.

This is what I got:

ubuntu@box109:~$ sudo cp /home/ubuntu/.vagrant.d/gems/gems/vagrant-lxc-1.0.1/scripts/lxc-template /usr/share/lxc/templates/lxc-vagrant-foo

ubuntu@box109:~$ ls -la /usr/share/lxc/templates/lxc-*
-rwxr-xr-x 1 root root 10789 Sep 30 17:13 /usr/share/lxc/templates/lxc-alpine
-rwxr-xr-x 1 root root 13533 Sep 30 17:13 /usr/share/lxc/templates/lxc-altlinux
-rwxr-xr-x 1 root root 10253 Sep 30 17:13 /usr/share/lxc/templates/lxc-archlinux
-rwxr-xr-x 1 root root  9446 Sep 30 17:13 /usr/share/lxc/templates/lxc-busybox
-rwxr-xr-x 1 root root 28932 Sep 30 17:13 /usr/share/lxc/templates/lxc-centos
-rwxr-xr-x 1 root root 10150 Sep 30 17:13 /usr/share/lxc/templates/lxc-cirros
-rwxr-xr-x 1 root root 12158 Sep 30 17:13 /usr/share/lxc/templates/lxc-debian
-rwxr-xr-x 1 root root 17427 Sep 30 17:13 /usr/share/lxc/templates/lxc-download
-rwxr-xr-x 1 root root 47200 Sep 30 17:13 /usr/share/lxc/templates/lxc-fedora
-rwxr-xr-x 1 root root 27808 Sep 30 17:13 /usr/share/lxc/templates/lxc-gentoo
-rwxr-xr-x 1 root root 13961 Sep 30 17:13 /usr/share/lxc/templates/lxc-openmandriva
-rwxr-xr-x 1 root root 13705 Sep 30 17:13 /usr/share/lxc/templates/lxc-opensuse
-rwxr-xr-x 1 root root 35445 Sep 30 17:13 /usr/share/lxc/templates/lxc-oracle
-rwxr-xr-x 1 root root 11837 Sep 30 17:13 /usr/share/lxc/templates/lxc-plamo
-rwxr-xr-x 1 root root  6851 Sep 30 17:13 /usr/share/lxc/templates/lxc-sshd
-rwxr-xr-x 1 root root 24273 Sep 30 17:13 /usr/share/lxc/templates/lxc-ubuntu
-rwxr-xr-x 1 root root 12401 Sep 30 17:13 /usr/share/lxc/templates/lxc-ubuntu-cloud
-rwxr-xr-x 1 root root  5341 Jan 13 20:50 /usr/share/lxc/templates/lxc-vagrant-foo

ubuntu@box109:~$ sudo lxc-create -B best --template vagrant-foo --name foo -- --tarball /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/rootfs.tar.gz --config /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config
Unpacking the rootfs
tar: dev/ram15: Cannot mknod: Operation not permitted
tar: dev/smpte0: Cannot mknod: Operation not permitted
tar: dev/tty: Cannot mknod: Operation not permitted
tar: dev/zero: Cannot mknod: Operation not permitted
tar: dev/smpte3: Cannot mknod: Operation not permitted
tar: dev/kmem: Cannot mknod: Operation not permitted
tar: dev/smpte2: Cannot mknod: Operation not permitted
tar: dev/loop4: Cannot mknod: Operation not permitted
tar: dev/mixer1: Cannot mknod: Operation not permitted
tar: dev/mpu401data: Cannot mknod: Operation not permitted
tar: dev/ram16: Cannot mknod: Operation not permitted
tar: dev/audio3: Cannot mknod: Operation not permitted
tar: dev/urandom: Cannot mknod: Operation not permitted
tar: dev/loop6: Cannot mknod: Operation not permitted
tar: dev/loop2: Cannot mknod: Operation not permitted
tar: dev/mpu401stat: Cannot mknod: Operation not permitted
tar: dev/dsp2: Cannot mknod: Operation not permitted
tar: dev/mixer3: Cannot mknod: Operation not permitted
tar: dev/tty0: Cannot mknod: Operation not permitted
tar: dev/ram7: Cannot mknod: Operation not permitted
tar: dev/tty5: Cannot mknod: Operation not permitted
tar: dev/loop7: Cannot mknod: Operation not permitted
tar: dev/ptmx: Cannot mknod: Operation not permitted
tar: dev/ram10: Cannot mknod: Operation not permitted
tar: dev/midi1: Cannot mknod: Operation not permitted
tar: dev/sequencer: Cannot mknod: Operation not permitted
tar: dev/smpte1: Cannot mknod: Operation not permitted
tar: dev/audio1: Cannot mknod: Operation not permitted
tar: dev/audioctl: Cannot mknod: Operation not permitted
tar: dev/loop3: Cannot mknod: Operation not permitted
tar: dev/midi3: Cannot mknod: Operation not permitted
tar: dev/full: Cannot mknod: Operation not permitted
tar: dev/mem: Cannot mknod: Operation not permitted
tar: dev/dsp1: Cannot mknod: Operation not permitted
tar: dev/random: Cannot mknod: Operation not permitted
tar: dev/audio2: Cannot mknod: Operation not permitted
tar: dev/dsp3: Cannot mknod: Operation not permitted
tar: dev/ram4: Cannot mknod: Operation not permitted
tar: dev/ram8: Cannot mknod: Operation not permitted
tar: dev/ram5: Cannot mknod: Operation not permitted
tar: dev/ram13: Cannot mknod: Operation not permitted
tar: dev/null: Cannot mknod: Operation not permitted
tar: dev/dsp: Cannot mknod: Operation not permitted
tar: dev/midi01: Cannot mknod: Operation not permitted
tar: dev/ram11: Cannot mknod: Operation not permitted
tar: dev/midi2: Cannot mknod: Operation not permitted
tar: dev/ram2: Cannot mknod: Operation not permitted
tar: dev/tty9: Cannot mknod: Operation not permitted
tar: dev/sndstat: Cannot mknod: Operation not permitted
tar: dev/ram12: Cannot mknod: Operation not permitted
tar: dev/loop5: Cannot mknod: Operation not permitted
tar: dev/mixer2: Cannot mknod: Operation not permitted
tar: dev/mixer: Cannot mknod: Operation not permitted
tar: dev/loop1: Cannot mknod: Operation not permitted
tar: dev/port: Cannot mknod: Operation not permitted
tar: dev/rmidi1: Cannot mknod: Operation not permitted
tar: dev/rmidi0: Cannot mknod: Operation not permitted
tar: dev/midi02: Cannot mknod: Operation not permitted
tar: dev/ram9: Cannot mknod: Operation not permitted
tar: dev/loop0: Cannot mknod: Operation not permitted
tar: dev/rmidi3: Cannot mknod: Operation not permitted
tar: dev/midi00: Cannot mknod: Operation not permitted
tar: dev/agpgart: Cannot mknod: Operation not permitted
tar: dev/ram14: Cannot mknod: Operation not permitted
tar: dev/audio: Cannot mknod: Operation not permitted
tar: dev/tty8: Cannot mknod: Operation not permitted
tar: dev/midi03: Cannot mknod: Operation not permitted
tar: dev/ram1: Cannot mknod: Operation not permitted
tar: dev/midi0: Cannot mknod: Operation not permitted
tar: dev/tty7: Cannot mknod: Operation not permitted
tar: dev/tty6: Cannot mknod: Operation not permitted
tar: dev/ram6: Cannot mknod: Operation not permitted
tar: dev/ram0: Cannot mknod: Operation not permitted
tar: dev/ram3: Cannot mknod: Operation not permitted
tar: dev/rmidi2: Cannot mknod: Operation not permitted
tar: var/lib/sudo: implausibly old time stamp 1970-01-01 00:00:00
tar: Exiting with failure status due to previous errors
lxc_container: container creation template for foo failed
lxc_container: Is the rootfs mounted with -o user_subvol_rm_allowed?
lxc_container: Error destroying rootfs for foo
lxc_container: Error creating container foo

ubuntu@box109:~$ sudo lxc-create -B btrfs --template vagrant-foo --name foo -- --tarball /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/rootfs.tar.gz --config /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config
Container already exists

ubuntu@box109:~$ sudo lxc-ls
foo                                                 kitchen-sample-toplevel-cookbook-1421181672.596891

ubuntu@box109:~$ sudo lxc-info --name foo
Name:           foo
State:          STOPPED

ubuntu@box109:~$ sudo lxc-start --name foo
init: Unable to mount /dev filesystem: Operation not permitted
init: Unable to create device: /dev/ptmx
init: Unable to mount /dev/pts filesystem: Invalid argument
init: Unable to create device: /dev/null
init: Unable to create device: /dev/tty
lxc-start: The container failed to start.
lxc-start: Additional information can be obtained by setting the --logfile and --logpriority options.

ubuntu@box109:~$ sudo lxc-destroy --name foo
lxc_container: Is the rootfs mounted with -o user_subvol_rm_allowed?
lxc_container: Error destroying rootfs for foo
Destroying foo failed

Do you see any chance of getting this working on circleci?

It would be much more than awesome if that worked!

fgrehm (Owner) commented Jan 13, 2015

Sanity check: Does CircleCI use docker under the hood to run builds?

tknerr (Author) commented Jan 13, 2015

@fgrehm yes I believe it is a docker in docker scenario. What does that mean for us then?
(darn I need to get more involved with docker definitely...)

fgrehm (Owner) commented Jan 13, 2015

I actually remember running lxc inside docker at some point but I can't remember what I've done. You might get an insight from https://github.com/jpetazzo/dind

tknerr (Author) commented Jan 13, 2015

Thanks, will have a look!

It's docker-in-docker, definitely; here's the reference:
http://blog.circleci.com/continuous-delivery-with-docker-containers/

tknerr (Author) commented Jan 19, 2015

Quick heads up: got a (really fast, btw) response from @notnoopci from CircleCI:

Hi Torben,

Interesting. We would love to get vagrant-lxc supported indeed! LXC containers should be supported by default out of the box actually - but I suspect that vagrant-lxc uses some options that are disabled within CircleCI (e.g. using mknod operations). We will investigate more - glad your project is oss :).

Below you can see an example of invoking lxc.

ubuntu@box161:~$ sudo lxc-create -t ubuntu-cloud -n n1
ubuntu-cloudimg-query is /usr/bin/ubuntu-cloudimg-query
wget is /usr/bin/wget
--2015-01-18 14:58:34--  https://cloud-images.ubuntu.com/server/releases/precise/release-20140927/ubuntu-12.04-server-cloudimg-amd64-root.tar.gz
Resolving cloud-images.ubuntu.com (cloud-images.ubuntu.com)... 91.189.88.141, 2001:67c:1360:8001:ffff:ffff:ffff:fffe
Connecting to cloud-images.ubuntu.com (cloud-images.ubuntu.com)|91.189.88.141|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cloud-images.ubuntu.com/releases/precise/release-20140927/ubuntu-12.04-server-cloudimg-amd64-root.tar.gz [following]
--2015-01-18 14:58:35--  https://cloud-images.ubuntu.com/releases/precise/release-20140927/ubuntu-12.04-server-cloudimg-amd64-root.tar.gz
Reusing existing connection to cloud-images.ubuntu.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 239228683 (228M) [application/x-gzip]
Saving to: `ubuntu-12.04-server-cloudimg-amd64-root.tar.gz'

100%[====================================================================================================================================================================================================================================>] 239,228,683 17.0M/s   in 16s

2015-01-18 14:58:51 (14.4 MB/s) - `ubuntu-12.04-server-cloudimg-amd64-root.tar.gz' saved [239228683/239228683]

Extracting container rootfs
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LC_CTYPE = "en_US.UTF-8",
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory

Current default time zone: 'Etc/UTC'
Local time is now:      Sun Jan 18 14:59:00 UTC 2015.
Universal Time is now:  Sun Jan 18 14:59:00 UTC 2015.

Container n1 created.
ubuntu@box161:~$ sudo lxc-start -n n1 -- hostname
n1

@fgrehm have not dug any further into vagrant-lxc though. The mknod looks suspicious, but I have no idea how to get around it.

notnoopci commented

Cool - I'll take a closer look when I get a chance this week. But let me jot some thoughts to provide some context first:

CircleCI builds use lxc containers actually and we rely on nested lxc support (i.e. lxc-in-lxc) for docker support. LXC should also work "out-of-the-box".

We also run on unprivileged lxc containers, where root-in-container != root-on-host, and we apply further apparmor restrictions to make the system secure, including restricting mknod operations. That may clash with privileged container starting, if it mounts /dev device files (e.g. /dev/null) with mknod. The suggested solution is to use bind-mounts when running in unprivileged-containers instead.

In ordinary circumstances, lxc detects it's running in an unprivileged container and does the right thing by using bind-mounts. If vagrant-lxc uses a custom lxc config file (or it imports a privileged-container config file), the lxc mount settings will need to be tweaked to use bind-mounts. In our containers, the configurations we applied to the Docker default to make it work were:

# User namespaces take care of these
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
lxc.devttydir =

# Use bind-mounts instead of mknods
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0

# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0

There are some additional minor complexities, if you are downloading a container tarball that contains some device files (e.g. tarball contains /dev/null) and some security extended attributes; but I can expand on that another time :).

I will dig a bit further during the week. Would love to have vagrant-lxc support :).
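A worked illustration of the bind-mount approach notnoopci describes, as an added example (not CircleCI's or vagrant-lxc's own code): it clears the device-cgroup and devttydir keys from a basebox lxc-config of the kind quoted later in this thread, appends the bind-mount entries, and checks a tar error log for failed device nodes that no bind mount would supply. The sample config and log lines are constructed from excerpts in this thread.

```python
"""Rewrite a privileged-style lxc config for an unprivileged (nested) LXC
host, following the bind-mount approach described in this thread.
Added example; not vagrant-lxc's or CircleCI's own code."""
import re

# Device nodes a minimal rootfs needs; in an unprivileged container they
# are bind-mounted from the host instead of being created with mknod.
BIND_DEVICES = ("null", "console", "full", "random", "tty", "urandom", "zero")

# Keys that user namespaces make redundant (CircleCI's config clears them).
CLEARED_KEYS = ("lxc.cgroup.devices.deny", "lxc.cgroup.devices.allow",
                "lxc.devttydir")

# Matches tar's complaint when it cannot create a device node.
MKNOD_ERR = re.compile(r"tar: (dev/\S+): Cannot mknod: Operation not permitted")

# Constructed excerpt of a basebox lxc-config (cf. the one quoted in this thread).
SAMPLE_CONFIG = """\
# Default pivot location
lxc.pivotdir = lxc_putold
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.devttydir = lxc
lxc.tty = 4
lxc.cap.drop = sys_module mac_admin mac_override sys_time
#lxc.aa_profile = lxc-container-default-with-nesting
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
"""

# Constructed excerpt of the lxc-create output quoted in this thread.
SAMPLE_LOG = """\
DEBUG subprocess: stderr: tar: dev/ram15: Cannot mknod: Operation not permitted
tar: dev/tty: Cannot mknod: Operation not permitted
tar: dev/null: Cannot mknod: Operation not permitted
tar: dev/urandom: Cannot mknod: Operation not permitted
tar: dev/ptmx: Cannot mknod: Operation not permitted
tar: dev/null: Cannot mknod: Operation not permitted
tar: Exiting with failure status due to previous errors
"""


def rewrite_config(text: str) -> str:
    """Drop the device-cgroup and devttydir lines (user namespaces handle
    them) and append bind-mount entries for BIND_DEVICES."""
    kept = []
    for line in text.splitlines():
        key = line.strip().partition("=")[0].strip()
        if key in CLEARED_KEYS:
            continue
        kept.append(line)
    kept += ["", "# User namespaces take care of these"]
    kept += [f"{key} =" for key in CLEARED_KEYS]
    kept += ["", "# Use bind-mounts instead of mknods"]
    kept += [f"lxc.mount.entry = /dev/{d} dev/{d} none bind,create=file 0 0"
             for d in BIND_DEVICES]
    return "\n".join(kept) + "\n"


def failed_mknods(log: str) -> list:
    """Device paths tar could not create, in first-seen order, deduplicated."""
    seen = []
    for match in MKNOD_ERR.finditer(log):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def uncovered_nodes(log: str) -> list:
    """Failed nodes that no bind-mount entry supplies. These must be left
    out of the tarball (or the box) rather than relied on at runtime."""
    covered = {f"dev/{d}" for d in BIND_DEVICES}
    return [p for p in failed_mknods(log) if p not in covered]


if __name__ == "__main__":
    print(rewrite_config(SAMPLE_CONFIG))
    print("not covered by bind mounts:", uncovered_nodes(SAMPLE_LOG))
```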

tknerr (Author) commented Jan 19, 2015

@notnoopci thanks for the explanation!

I guess it's coming from /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config that is part of the basebox:

ubuntu@box45:~$ cat /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config
# Default pivot location
lxc.pivotdir = lxc_putold

# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0

# Default console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024

# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined

# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following two lines instead.
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups

# Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time.
#lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client

# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting

# Default cgroup limits
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm

tknerr (Author) commented Jan 25, 2015

Just tried to get a bit further with this, so I edited /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config in various ways, including:

  • setting up bind mounts as described above
  • removing all the lxc.cgroup.devices.allow entries
  • tried the different (commented) settings of lxc.aa_profile
  • ...in various combinations of the above

What I did was:

  1. copy the template once: sudo cp /home/ubuntu/.vagrant.d/gems/gems/vagrant-lxc-1.0.1/scripts/lxc-template /usr/share/lxc/templates/lxc-vagrant-foo
  2. rinse and repeat
    1. edit the lxc config file: /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config
    2. try creating the container: sudo lxc-create -B best --template vagrant-foo --name foo -- --tarball /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/rootfs.tar.gz --config /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config
    3. check output

However, no matter how I edited the /home/ubuntu/.vagrant.d/boxes/fgrehm-VAGRANTSLASH-precise64-lxc/0/lxc/lxc-config file, I always got the same output as mentioned earlier:

<snip>
...
tar: dev/ram6: Cannot mknod: Operation not permitted
tar: dev/ram0: Cannot mknod: Operation not permitted
tar: dev/ram3: Cannot mknod: Operation not permitted
tar: dev/rmidi2: Cannot mknod: Operation not permitted
tar: var/lib/sudo: implausibly old time stamp 1970-01-01 00:00:00
tar: Exiting with failure status due to previous errors
lxc_container: container creation template for foo26 failed
lxc_container: Is the rootfs mounted with -o user_subvol_rm_allowed?
lxc_container: Error destroying rootfs for foo26
lxc_container: Error creating container foo26

I even put some total nonsense into the config file but still got the same output. Looks like I'm editing the wrong file?

Any more ideas @fgrehm @notnoopci ?

tknerr (Author) commented Feb 6, 2015

@fgrehm @notnoopci any chance you might have a short timeslot to take a look at this? I'm really stuck with my limited lxc knowledge at the moment... :-/

fgrehm (Owner) commented Mar 3, 2015

@tknerr Would you be able to set up a VirtualBox Vagrant VM that reproduces the problem? That might make things easier to debug ;-)

tknerr (Author) commented Mar 3, 2015

@fgrehm not sure if I can reproduce the CircleCI environment :-/ I have an ubuntu virtualbox VM where vagrant-lxc works flawlessly. However, it does not work in the dockerized environment of a CircleCI build container, as mentioned above.

@notnoopci do you have a vagrant / virtualbox environment to simulate the dockerized environment of a CircleCI build container at hand that we could use for debugging?

The way I debugged it on CircleCI was enabling SSH access, which gives you ssh access and keeps the container running for 30 minutes. It would require you to set up a CircleCI account, but once you have that you could just

  • fork https://github.com/tknerr/sample-toplevel-cookbook/ (circleci-lxc branch is the one)
  • allow CircleCI to build the project (circleci-lxc branch) and enable SSH access
  • log in via SSH, then:
    • export VAGRANT_DEFAULT_PROVIDER=lxc
    • export KITCHEN_YAML=.kitchen.yml
    • export VAGRANT_LOG=debug
    • bundle exec rake integration

This would run the high-level integration tests, and you should see the errors stated above.

From there on I went more low-level with the plain lxc commands but this is where I got stuck due to lack of experience with lxc...

rcoup commented Jun 3, 2015

Okay. I have this working! 😀

Ubuntu Trusty running on CircleCI (Ubuntu Precise) via vagrant-lxc

All scripts/files are available at https://gist.github.com/rcoup/36c75555683ac9db2309

Changes to lxc-config:

Changes to lxc-template

The point here was to avoid tar trying to make device nodes (mknod doesn't work in the Circle environment). There might be a better way (maybe at box creation time?); these happened to be the only device nodes in my rootfs.

- (cd ${LXC_ROOTFS} && tar xfz ${LXC_TARBALL} --strip-components=${LXC_STRIP_COMPONENTS})
+ (cd ${LXC_ROOTFS} && tar xfz ${LXC_TARBALL} --strip-components=${LXC_STRIP_COMPONENTS} \
+   --exclude=./rootfs/dev --exclude=./rootfs/var/spool/postfix/dev)
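Review bot: the two `--exclude=./rootfs/dev` and `--exclude=./rootfs/var/spool/postfix/dev` patterns are matched against member names as stored in the archive, before `--strip-components=${LXC_STRIP_COMPONENTS}` is applied, so for a box whose tarball uses a different leading prefix the change silently excludes nothing and tar fails again with the mknod errors quoted earlier; the prefix assumption deserves a comment next to this line. Since the extracted rootfs now has no /dev nodes at all, the container only starts together with the `lxc.mount.entry = /dev/... none bind,create=file 0 0` lines in the lxc-config, so the two changes should be documented as a pair.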

Building a box

I use the vagrant-lxc-package.sh script, since vagrant package seemed to ignore the extra-files options. Essentially the script just replaces lxc-config & lxc-template with my modified files.

Next

Would be nice to make this easier, so there's no need to replace the template & config file - any ideas @fgrehm? My lxc-fu and vagrant-fu aren't particularly strong.
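One way to get the feature-detection rcoup asks for, as an added example (not rcoup's gist nor vagrant-lxc's own lxc-template): probe whether this environment permits creating a device node, and build tar's extraction arguments accordingly, generalising the one-line template change above to any archive member prefix. The `member_prefix` and `dev_dirs` defaults are taken from the diff above; the probe directory is an assumption.

```python
"""Feature-detect whether device nodes can be created, and build tar's
extraction argv accordingly.  Added example, not rcoup's gist nor
vagrant-lxc's lxc-template; the exclude handling generalises the
one-line template change shown above to any member prefix."""
import os
import stat
import tempfile


def mknod_allowed(probe_dir=None):
    """Try to create a character device node (1,3 = /dev/null) in a scratch
    directory. Returns False where CAP_MKNOD is unavailable, as in an
    unprivileged container; the probe node and directory are removed."""
    tmp = tempfile.mkdtemp(dir=probe_dir)
    path = os.path.join(tmp, "probe-null")
    try:
        os.mknod(path, stat.S_IFCHR | 0o600, os.makedev(1, 3))
        return True
    except OSError:  # PermissionError in the nested case; EPERM/ENODEV etc.
        return False
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmp)


def tar_extract_argv(tarball, strip_components, allow_mknod,
                     member_prefix="./rootfs",
                     dev_dirs=("dev", "var/spool/postfix/dev")):
    """argv for unpacking the box rootfs (as lxc-template does with tar xfz).
    When mknod is not permitted, directories holding device nodes are
    excluded so tar does not exit non-zero and abort lxc-create; those nodes
    are then expected from bind-mount entries in the lxc config.
    --exclude patterns match member names as stored in the archive, i.e.
    before --strip-components is applied, hence the prefix argument."""
    argv = ["tar", "xfz", tarball, f"--strip-components={strip_components}"]
    if not allow_mknod:
        argv += [f"--exclude={member_prefix}/{d}" for d in dev_dirs]
    return argv


if __name__ == "__main__":
    ok = mknod_allowed()
    print("mknod permitted:", ok)
    print(" ".join(tar_extract_argv("rootfs.tar.gz", 2, ok)))
```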

fgrehm (Owner) commented Jun 3, 2015

Awesome! Unfortunately as of now I won't be able to move forward with that 😞

If you or anyone else is able to put up a PR and is able to get some people to test the changes I'd be more than happy to provide commit access to the project in order to keep the fire burning!

rcoup commented Jun 3, 2015

@fgrehm fair enough. I'll need to dig into vagrant & vagrant-lxc and see if I can figure out a good approach. Doesn't seem like just changing the default templates is a great idea; would be better to feature-detect or use the Vagrantfile to specify the various options (I know lxc.customize is there).

tknerr (Author) commented Jun 3, 2015

Awesome stuff @rcoup!

You are both way more expert in LXC than I am, so I can't offer much help in that space, but I would definitely be in for testing this stuff.

Concerning the basebox: also not much experience with packaging my own, but some auto detection would be ideal (i.e. not a separate basebox for CircleCI).

rcoup commented Jun 3, 2015

@tknerr in terms of boxes, currently what you need to do is:

  • Create a Vagrantfile that uses the box you want under vagrant-lxc (e.g. fgrehm/trusty64-lxc)
  • run it locally under vagrant-lxc
  • run vagrant-lxc-package.sh to create a new box from it.
  • push that to a private account on Atlas/VagrantCloud, and use that as the basebox in your "real" Vagrantfile.

@globin globin added this to the post-1.2.0 milestone Sep 8, 2015
@globin globin changed the title Using vagrant-lxc on CircleCI vagrant-lxc nested in lxc Sep 8, 2015
FelicianoTech commented

For the record, CircleCI builds run in pure LXC containers, not Docker.

@fgrehm fgrehm added the ignored label Nov 17, 2022
fgrehm (Owner) commented Nov 17, 2022

Hey, sorry for the silence here but this project is looking for maintainers 😅

As per #499, I've added the ignored label and will close this issue. Thanks for the interest in the project and LMK if you want to step up and take ownership of this project on that other issue 👋

@fgrehm fgrehm closed this as completed Nov 17, 2022