Package: lxc
Version: 1:6.0.5-2
Severity: important

Hi,

I'm reporting the issue against sid but I first experienced the issue in
trixie.

I have a bunch of LXC containers which I'm currently converting to
unprivileged ones using the idmap options.

I need to have some bind mounts inside the container, and I tried to
use the idmap=container option on those entries.

When adding this option, the container fails to start and the log
(attached) shows the following lines:

lxc-start test 20260225171244.630 ERROR    conf - ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only bind mounts can currently be idmapped
lxc-start test 20260225171244.630 ERROR    conf - ../src/lxc/conf.c:lxc_idmapped_mounts_child:2888 - Invalid argument - Failed to setup idmapped mount entries
lxc-start test 20260225171244.630 ERROR    conf - ../src/lxc/conf.c:lxc_setup:3916 - Invalid argument - Failed to attached detached idmapped mounts
lxc-start test 20260225171244.630 ERROR    start - ../src/lxc/start.c:do_start:1273 - Failed to setup container "test"

This error looks spurious because the relevant line from the (attached)
configuration is:

lxc.mount.entry = /var/log/ var/log/ bind bind,rw,nosuid,nodev,noexec,idmap=container

Looking at the source code
(https://sources.debian.org/src/lxc/1%3A6.0.5-2/src/lxc/conf.c#L2704) it
should only happen when the `mnttype` is none, which I don't think
is/should be the case here (the line explicitly sets it to 'bind').

Either I'm doing something wrong (what?) or it looks like a bug here.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: forky/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.18.12+deb14-amd64 (SMP w/14 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]        1.5.92
ii  dnsmasq-base [dnsmasq-base]  2.92-2
ii  iproute2                     6.19.0-1
ii  iptables                     1.8.12-1
ii  libapparmor1                 4.1.6-2
ii  libc6                        2.42-13
ii  libcap2                      1:2.75-10+b5
ii  libdbus-1-3                  1.16.2-4
ii  libgcc-s1                    15.2.0-14
ii  liblxc-common                1:6.0.5-2
ii  liblxc1t64                   1:6.0.5-2
ii  libseccomp2                  2.6.0-2+b1
ii  libselinux1                  3.9-4+b1
ii  nftables                     1.1.6-1

Versions of packages lxc recommends:
ii  apparmor       4.1.6-2
ii  debootstrap    1.0.142
ii  dirmngr        2.4.8-5
pn  distrobuilder  <none>
ii  gnupg          2.4.8-5
pn  libpam-cgfs    <none>
pn  lxcfs          <none>
ii  openssl        3.5.5-1
ii  rsync          3.4.1+ds1-7
ii  uidmap         1:4.19.3-1
ii  wget           1.25.0-2

Versions of packages lxc suggests:
pn  btrfs-progs  <none>
pn  criu         <none>
ii  lvm2         2.03.31-2+b1
pn  python3-lxc  <none>

-- debconf information:
  lxc/auto_update_config:

lxc.uts.name = test
lxc.autodev = 1
lxc.mount.auto = proc:mixed
lxc.mount.auto = sys:mixed
lxc.mount.auto = cgroup:mixed

# Unprivileged
lxc.idmap = u 0 1600000 65535
lxc.idmap = g 0 1600000 65536

# fstab
lxc.rootfs.path = /srv/rootfs
lxc.rootfs.options=idmap=container
lxc.mount.entry = /var/log/ var/log/ bind bind,rw,nosuid,nodev,noexec,idmap=container

lxc-start test 20260225171244.599 INFO     confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 0 hostid 1600000 range 65535
lxc-start test 20260225171244.599 INFO     confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 0 hostid 1600000 range 65536
lxc-start test 20260225171244.599 INFO     lxccontainer - ../src/lxc/lxccontainer.c:do_lxcapi_start:954 - Set process title to [lxc monitor] /var/lib/lxc test
lxc-start test 20260225171244.600 DEBUG    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:813 - First child 112151 exited
lxc-start test 20260225171244.600 INFO     lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
lxc-start test 20260225171244.600 INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1508 - Running privileged, not using a systemd unit
lxc-start test 20260225171244.600 INFO     start - ../src/lxc/start.c:lxc_init:882 - Container "test" is initialized
lxc-start test 20260225171244.600 INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1682 - The monitor process uses "lxc.monitor.test" as cgroup
lxc-start test 20260225171244.621 DEBUG    storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.621 DEBUG    storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.622 INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1790 - The container process uses "lxc.payload.test" as inner and "lxc.payload.test" as limit cgroup
lxc-start test 20260225171244.622 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUSER
lxc-start test 20260225171244.622 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWNS
lxc-start test 20260225171244.622 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWPID
lxc-start test 20260225171244.622 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUTS
lxc-start test 20260225171244.622 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWIPC
lxc-start test 20260225171244.622 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWCGROUP
lxc-start test 20260225171244.622 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved user namespace via fd 20 and stashed path as user:/proc/112152/fd/20
lxc-start test 20260225171244.622 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved mnt namespace via fd 21 and stashed path as mnt:/proc/112152/fd/21
lxc-start test 20260225171244.622 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved pid namespace via fd 22 and stashed path as pid:/proc/112152/fd/22
lxc-start test 20260225171244.622 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved uts namespace via fd 23 and stashed path as uts:/proc/112152/fd/23
lxc-start test 20260225171244.622 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved ipc namespace via fd 24 and stashed path as ipc:/proc/112152/fd/24
lxc-start test 20260225171244.622 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved cgroup namespace via fd 25 and stashed path as cgroup:/proc/112152/fd/25
lxc-start test 20260225171244.622 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260225171244.622 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260225171244.622 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start test 20260225171244.627 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260225171244.627 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260225171244.627 INFO     idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:176 - Caller maps host root. Writing mapping directly
lxc-start test 20260225171244.627 NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260225171244.628 INFO     start - ../src/lxc/start.c:do_start:1105 - Unshared CLONE_NEWNET
lxc-start test 20260225171244.628 NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260225171244.628 NOTICE   utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1457 - Switched to gid 0
lxc-start test 20260225171244.628 NOTICE   utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1466 - Switched to uid 0
lxc-start test 20260225171244.629 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved net namespace via fd 7 and stashed path as net:/proc/112152/fd/7
lxc-start test 20260225171244.629 DEBUG    storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.629 DEBUG    conf - ../src/lxc/conf.c:lxc_mount_rootfs:1223 - Mounted rootfs "/srv/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs" with options "idmap=container"
lxc-start test 20260225171244.629 INFO     conf - ../src/lxc/conf.c:setup_utsname:671 - Set hostname to "cloud"
lxc-start test 20260225171244.629 INFO     conf - ../src/lxc/conf.c:mount_autodev:1006 - Preparing "/dev"
lxc-start test 20260225171244.629 INFO     conf - ../src/lxc/conf.c:mount_autodev:1067 - Prepared "/dev"
lxc-start test 20260225171244.629 DEBUG    conf - ../src/lxc/conf.c:lxc_mount_auto_mounts:531 - Invalid argument - Tried to ensure procfs is unmounted
lxc-start test 20260225171244.629 DEBUG    conf - ../src/lxc/conf.c:lxc_mount_auto_mounts:554 - Invalid argument - Tried to ensure sysfs is unmounted
lxc-start test 20260225171244.630 ERROR    conf - ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only bind mounts can currently be idmapped
lxc-start test 20260225171244.630 ERROR    conf - ../src/lxc/conf.c:lxc_idmapped_mounts_child:2888 - Invalid argument - Failed to setup idmapped mount entries
lxc-start test 20260225171244.630 ERROR    conf - ../src/lxc/conf.c:lxc_setup:3916 - Invalid argument - Failed to attached detached idmapped mounts
lxc-start test 20260225171244.630 ERROR    start - ../src/lxc/start.c:do_start:1273 - Failed to setup container "test"
lxc-start test 20260225171244.630 ERROR    sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
lxc-start test 20260225171244.630 DEBUG    network - ../src/lxc/network.c:lxc_delete_network:4221 - Deleted network devices
lxc-start test 20260225171244.630 ERROR    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:832 - Received container state "ABORTING" instead of "RUNNING"
lxc-start test 20260225171244.630 ERROR    lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:307 - The container failed to start
lxc-start test 20260225171244.630 ERROR    lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:310 - To get more details, run the container in foreground mode
lxc-start test 20260225171244.630 ERROR    lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:312 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start test 20260225171244.630 ERROR    start - ../src/lxc/start.c:__lxc_start:2119 - Failed to spawn container "test"
lxc-start test 20260225171244.630 WARN     start - ../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL via pidfd 19 for process 112153
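As an added example (editor's code, not part of this report and not LXC's own conf.c logic): a small Python checker that parses fstab-style lxc.mount.entry values the way a reviewer would before blaming the "Only bind mounts can currently be idmapped" check. It recognises a bind mount either through the type field ("bind"/"rbind") or through the option list, so the report's entry passes under both readings; which of the two conf.c actually keys on at line 2704 is exactly the open question above and is not answered by this script. The nosuid/nodev warning for host directories bound into an unprivileged container is also this script's own rule. The sample entries at the bottom are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Options this script expects on any host directory bound into an
# unprivileged container (editor's rule, not an LXC requirement).
HOST_DIR_HARDENING = ("nosuid", "nodev")


@dataclass(frozen=True)
class MountEntry:
    source: str
    target: str
    fstype: str
    options: tuple[str, ...]

    def is_bind(self) -> bool:
        # Assumption of this script: a bind mount may be requested via the
        # type field or via the option list. LXC's own test lives in conf.c.
        return self.fstype in ("bind", "rbind") or any(
            o in ("bind", "rbind") for o in self.options)

    def idmap_target(self) -> Optional[str]:
        # "idmap=container" or "idmap=/path/to/idmap/file"; None if absent.
        for o in self.options:
            if o.startswith("idmap="):
                return o.partition("=")[2]
        return None


def parse_mount_entry(line: str) -> MountEntry:
    """Parse an fstab-style lxc.mount.entry value.

    Accepts the bare value or a full 'lxc.mount.entry = ...' line. Only the
    first four fields matter; the fstab dump/pass numbers are optional.
    """
    key, sep, value = line.partition("=")
    if sep and key.strip() == "lxc.mount.entry":
        line = value
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"need source target fstype options, got {line!r}")
    source, target, fstype, opts = fields[:4]
    return MountEntry(source, target, fstype, tuple(opts.split(",")))


def review_entry(line: str) -> tuple[bool, list[str]]:
    """Return (ok, notes).

    ok is False only when idmap= is requested on an entry this script does
    not recognise as a bind mount, i.e. the one case where the LXC error
    message in the report would be expected rather than surprising.
    """
    e = parse_mount_entry(line)
    notes: list[str] = []
    target = e.idmap_target()
    if target is None:
        notes.append("no idmap= option; entry is not idmapped")
        return True, notes
    if not e.is_bind():
        notes.append(
            f"idmap={target} on a non-bind entry "
            f"(fstype={e.fstype!r}, options={','.join(e.options)})")
        return False, notes
    missing = [o for o in HOST_DIR_HARDENING if o not in e.options]
    if missing:
        notes.append("host directory bound into an unprivileged container "
                     "without " + ",".join(missing))
    notes.append(f"bind mount of {e.source} at {e.target} idmapped to {target}")
    return True, notes


if __name__ == "__main__":
    # Constructed sample entries: the one from the report, the classic
    # fstab spelling of a bind mount, and a non-bind entry with idmap=.
    samples = [
        "lxc.mount.entry = /var/log/ var/log/ bind bind,rw,nosuid,nodev,noexec,idmap=container",
        "/var/log var/log none bind,rw,idmap=container",
        "proc proc proc nodev,noexec,nosuid,idmap=container",
    ]
    for s in samples:
        ok, notes = review_entry(s)
        print("OK  " if ok else "FAIL", s)
        for n in notes:
            print("      -", n)
```

Run it as a script to see the three classifications; to use it on a real container, feed it the lxc.mount.entry lines from the config and compare the FAIL cases with the entries that trip the conf.c check.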
