Ubuntu LXC container needs "lxc.cap.drop = sys_admin" after 3.12 -> 3.13.0_rc2 upgrade (#12281) · Issues · alpine / aports

Ubuntu LXC container needs "lxc.cap.drop = sys_admin" after 3.12 -> 3.13.0_rc2 upgrade

The upgrade from 3.12 to 3.13.0_rc2 triggered 2 problems when it came to starting LXC containers. The first affected both of my containers (Alpine, Ubuntu), but it has been already solved, see #12278 (closed).

This second one only affected the Ubuntu instance. Affected, as I've already found a workaround, but I'm not sure if it's the right way to go ahead.

At startup I got the following error message:

# lxc-start -l debug CONTAINER -F 
lxc-start: CONTAINER: conf.c: lxc_mount_auto_mounts: 728 Cross-device link - Failed to mount "/sys/fs/cgroup"
                                                                                                           lxc-start: CONTAINER: conf.c: lxc_setup: 3366 Failed to setup remaining automatic mounts
      lxc-start: CONTAINER: start.c: do_start: 1218 Failed to setup container "CONTAINER"
                                                                                     lxc-start: CONTAINER: sync.c: __sync_wait: 36 An error occurred in another process (expected sequence number 5)
       lxc-start: CONTAINER: start.c: __lxc_start: 1999 Failed to spawn container "CONTAINER"
                                                                                         lxc-start: CONTAINER: tools/lxc_start.c: main: 308 The container failed to start
lxc-start: CONTAINER: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options

A bit of searching turned up 978065 in the Debian bug tracker, which seems related.

Indeed, adding lxc.cap.drop = sys_admin to /srv/lxc/CONTAINER/config provides a workaround the container can start. Though at stopping I get another error message which I haven't yet seen with 3.12:

         Starting Power-Off...
lxc-start: CONTAINER: utils.c: lxc_rm_rf: 1806 No such file or directory - Failed to open dir "/sys/fs/cgroup/openrc//lxc.payload.CONTAINER"

This second one only affected the Ubuntu instance. Affected, as I've already found a workaround, but I'm not sure if it's the right way to go ahead.

At startup I got the following error message:
```
# lxc-start -l debug CONTAINER -F 
lxc-start: CONTAINER: conf.c: lxc_mount_auto_mounts: 728 Cross-device link - Failed to mount "/sys/fs/cgroup"
                                                                                                           lxc-start: CONTAINER: conf.c: lxc_setup: 3366 Failed to setup remaining automatic mounts
      lxc-start: CONTAINER: start.c: do_start: 1218 Failed to setup container "CONTAINER"
                                                                                     lxc-start: CONTAINER: sync.c: __sync_wait: 36 An error occurred in another process (expected sequence number 5)
       lxc-start: CONTAINER: start.c: __lxc_start: 1999 Failed to spawn container "CONTAINER"
                                                                                         lxc-start: CONTAINER: tools/lxc_start.c: main: 308 The container failed to start
lxc-start: CONTAINER: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options
```

A bit of searching turned up [978065](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978065) in the Debian bug tracker, which seems related.

Indeed, adding `lxc.cap.drop = sys_admin` to `/srv/lxc/CONTAINER/config` provides a workaround the container can start. Though at stopping I get another error message which I haven't yet seen with 3.12:

```
         Starting Power-Off...
lxc-start: CONTAINER: utils.c: lxc_rm_rf: 1806 No such file or directory - Failed to open dir "/sys/fs/cgroup/openrc//lxc.payload.CONTAINER"
```

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information