
lxc-create fails to create container

Hello,

I ran the following command to create my container:

lxc-create -t download -n unpriv-cont-user

Upon completion it did NOT display the following text:

Distribution:
ubuntu
Release:
xenial
Architecture:
amd64
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready

Unpacking the rootfs

You just created an Ubuntu xenial amd64 (20200308_07:42) container.
To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.

Nonetheless I tried to start and received the following message:

lxc-start -n unpriv-cont-user -d
lxc-start: unpriv-cont-user; lxccontainer.c: do_lxcapi_start: 876 failed checking for incomplete container creation
lxc-start: unpriv-cont-user; tools/lxc_start.c: main; 330 the container failed to start
lxc-start: unpriv-cont-user; tools/lxc_start.c; main; 333 To get more details run the container in foreground mode
lxc-start: unpriv-cont-user; tools/lxc_start.c main; 330 additional information can be obtained by setting the --logfile and --logpriority options

Any items?

Thanks in advance

RD

Comments

  • chrispokorni
    chrispokorni Posts: 2,372

    Hi RD,

    While I try to reproduce this, would you mind providing configuration specs of your environment? Such as OS, native or a guest image, local hypervisor, cloud instance/provider, guest instance specs (CPU, mem, disk) and host specs if applicable (hardware, OS, hypervisor).

    Regards,
    -Chris

  • KevinCSmallwood
    KevinCSmallwood Posts: 44
    edited August 2020

    I got the same thing, but found that if I specify more details by doing something like this:

    sudo lxc-create -t download -n unpriv-cont-user -- -d ubuntu -r xenial -a amd64

    it worked fine. Not certain where it is supposed to get information like the distribution, release, and architecture from, but by explicitly putting it into the command line, it worked for me. (My environment is a GCE running Ubuntu 18.04 LTS as specified in Lab 1.1.)

  • chrispokorni
    chrispokorni Posts: 2,372

    Hi @KevinCSmallwood,

    Thanks for your input. The expected user inputs for distribution, release, and architecture are selected from the output of the lxc-create -t download -n unpriv-cont-user command.
    Once the user has decided what distribution, release, and architecture to use from the output, the lxc-create ... command may be executed with those flags, skipping the listing command which is presented in the lab.

    @rdancy keep in mind that the values for the Distribution:, Release:, and Architecture: are expected user inputs.

    If you read the exercise carefully, it is explained right before the lxc-create ... command:

    We will use the download template which will present us a list of all available images designed to work without privileges. Once the image index is displayed, the tool will expect three separate entries from the user at the CLI: distribution, release and architecture. For this example ubuntu, xenial and amd64 have been entered respectively at the prompts...

    Regards,
    -Chris

  • janagan
    janagan Posts: 4

    I had the same issue. I got it because I did not input the distribution, release, and architecture, and then cancelled the process using Ctrl+C.
    My assumption is that the image was only halfway downloaded somewhere in the directory, so the start, stop, create, and destroy commands did not work. But strangely, lxc-ls showed the container. I was able to resolve it by using @KevinCSmallwood's command, destroying it, and finally creating it as in the labs.

  • rdancy
    rdancy Posts: 14

    Sorry for the late response, OS is ubuntu 18.04 native. I didn't input the distribution release and architecture. I saw @KevinCSmallwood 's post and I tried to specify more details like he did

    sudo lxc-create -t download -n unpriv-cont-user -- -d ubuntu -r xenial -a amd64

    After that, it worked!

    Thanks @KevinCSmallwood and everyone else!

  • I have faced the same issue... Following the ERROR information from the log file, I noticed a permissions problem. I solved it by creating two ACL rules against the directories ~/.local and ~/.local/share, granting x permissions to the subordinate user ID. In my case the UID is 100000, and the command is setfacl -m u:100000:x ~/.local

  • Re-reading the post, I noticed that the problem was not the same: in my case the problem arose when I was trying to start the container, not during the creation process.

  • Hi @suarna,

    Thank you for posting the solution to the issue you encountered running through this exercise.
    It is expected that the behavior will be slightly different on various environments.
    Provisioning the lab environment as suggested at the beginning of the course would produce expected results, consistent with the outputs presented in the lab exercise.

    Regards,
    -Chris

  • Hi @ Chris,

    I am using Ubuntu 18.04 as requested and I encountered similar error too.

    Distribution:
    ubuntu
    Release:
    xenial
    Architecture:
    amd64
    Downloading the image index
    Downloading the rootfs

    Everything above was fine but after that I got the following error.
    ERRO: Invalid signature for /tmp/tmp.dcf4XuwCAL/rootfs.tar.xz.asc
    lxc-create: unpriv-cont-user: lxccontainer.c: create_run_template: 1617 failed to create container from template
    lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

    I would be grateful if you or anyone could please advise what step/s I should take.

    Thank you.
    Andrew

  • I also tried @KevinCSmallwood's suggestion seen below and I got the same error.

    sudo lxc-create -t download -n unpriv-cont-user -- -d ubuntu -r xenial -a amd64.

    Regards,
    Andrew

  • Hi Chris,
    I have exhausted everything. I rebooted, ran apt-get update, upgraded the system, and tried again.

    Now I am getting the following error

    Using image from local cache
    Unpacking the rootfs
    xz: (stdin): compressed data is corrupt
    tar: Unexpected EOF in archive
    tar: Unexpected EOF in archive
    tar: Error is not recoverable: exiting now
    lxc-create: unpriv-cont-user: lxccontainer.c: create_run_template: 1617 failed to create container from template
    lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

    Can you please help.

    Best regards,
    Andrew

  • Hi @andrecloudengineer,

    Thank you for your detailed feedback.

    Based on feedback from other users in the forum, it seems that not all Ubuntu 18.04 LTS distribution releases are created equal. I was able to reproduce the lab exercise several times on a GCE instance setup with Ubuntu 18.04 LTS. However, not all users were as successful, especially when attempting the lab on their own physical dedicated Ubuntu system, or on local guest VMs. I am experiencing the same issue as most users when running the lab on my physical Ubuntu 18 LTS system. What I was able to isolate so far is that there may be conflicts between how lxc operates and the permissions of the user running the lxc-create tool.

    I will try a workaround and report back, hopefully with a solution.

    Regards,
    -Chris

  • Hi @andrecloudengineer,

    I was able to reproduce the error and also come up with a solution, at least with something that worked in my case. I used @suarna 's solution and ran setfacl recursively and then I was able to start the lxc container:

    setfacl -R -m u:165536:x ~/.local

    ... where I am logged in with the student user on my system, with UID 165536.

    Regards,
    -Chris

  • Hi @chrispokorni, good morning (UK) and thank you for looking into this.

    I tried setfacl -R -m u:165536:x ~/.local; however, I still got the following error below.

    Unpacking the rootfs
    xz: (stdin): compressed data is corrupt
    tar: Unexpected EOF in archive
    tar: Unexpected EOF in archive
    tar: Error is not recoverable: exiting now
    lxc-create: unpriv-cont-user: lxccontainer.c: create_run_template: 1617 failed to create container from template
    lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

    How can I resolve the xz (stdin) data corrupt and tar errors?

    Thank you and I look forward to your reply.

    Best regards,
    Andrew

  • Hi Andrew,

    With your system complaining that the data is corrupt, the lxc-destroy command would clean up all the downloaded packages and you could start from scratch with the lxc-create command (either as presented in the lab, or the version shared by Kevin above).

    Regards,
    -Chris

  • Hi Chris,
    Good morning and thanks for getting back to me on this.
    When I tried the lxc-destroy command, I got the following:
    259 container is not defined.
    I tried lxc-create as shared by @KevinCSmallwood and got the following errors:
    Unpacking the rootfs
    xz: (stdin): compressed data is corrupt
    tar: Unexpected EOF in archive
    tar: Unexpected EOF in archive
    tar: Error is not recoverable: exiting now
    lxc-create: unpriv-cont-user: lxccontainer.c: create_run_template: 1617 failed to create container from template
    lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

    Although I have moved on from this lab, I still find it frustrating.

    Kind regards,
    Andrew

  • chrispokorni
    chrispokorni Posts: 2,372
    edited September 2020

    Hi @andrecloudengineer,

    I understand your frustration, as I feel the same way when something that seems so simple does not work as expected.

    Can you provide the outputs of:

    cat /etc/subuid
    cat /etc/subgid
    cat /etc/lxc/lxc-usernet
    cat ~/.config/lxc/default.conf

    and finally the user ID you are using to run the exercise.

    EDIT: and please provide the environment you are running your labs: VM type/hypervisor/cloud provider, OS, for how long you have been using this particular instance.

    Regards,
    -Chris

  • I have the same problem. New GCP e2-micro instance with 18.04 LTS made today according to the "Lab 1.1 - Google Compute Engine Environment Setup" instructions:

    toastboy70@instance-lfs253:~$ cat /etc/os-release 
    NAME="Ubuntu"
    VERSION="18.04.5 LTS (Bionic Beaver)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 18.04.5 LTS"
    VERSION_ID="18.04"
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    VERSION_CODENAME=bionic
    UBUNTU_CODENAME=bionic
    
    toastboy70@instance-lfs253:~$ cat /etc/subuid
    lxd:100000:65536
    root:100000:65536
    ubuntu:165536:65536
    toastboy70:231072:65536
    toastboy70@instance-lfs253:~$ cat /etc/subgid
    lxd:100000:65536
    root:100000:65536
    ubuntu:165536:65536
    toastboy70:231072:65536
    toastboy70@instance-lfs253:~$ cat /etc/lxc/lxc-usernet
    # USERNAME TYPE BRIDGE COUNT
    toastboy veth lxcbr0 10
    toastboy70@instance-lfs253:~$ cat ~/.config/lxc/default.conf
    lxc.net.0.type = veth
    lxc.net.0.link = lxcbr0
    lxc.net.0.flags = up
    lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
    lxc.idmap = u 0 231072 65536
    lxc.idmap = g 0 231072 65536
    toastboy70@instance-lfs253:~$ id -u
    1001
    toastboy70@instance-lfs253:~$ id
    uid=1001(toastboy70) gid=1002(toastboy70) groups=1002(toastboy70),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(lxd),114(netdev),1000(ubuntu),1001(google-sudoers)
    
    toastboy70@instance-lfs253:~$ lxc-start -n unpriv-cont-user -F
    lxc-start: unpriv-cont-user: network.c: lxc_create_network_unpriv_exec: 2178 lxc-user-nic failed to configure requ\
    ested network: cmd/lxc_user_nic.c: 1296: main: Quota reached
    lxc-start: unpriv-cont-user: start.c: lxc_spawn: 1765 Failed to create the configured network
    lxc-start: unpriv-cont-user: start.c: __lxc_start: 1939 Failed to spawn container "unpriv-cont-user"
    lxc-start: unpriv-cont-user: tools/lxc_start.c: main: 330 The container failed to start
    lxc-start: unpriv-cont-user: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
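
Added example (not part of any post in this thread and not the lab's own tooling): a POSIX shell cross-check of the four files requested above, confirming that lxc.idmap stays inside the range delegated in /etc/subuid and /etc/subgid and that /etc/lxc/lxc-usernet grants the calling user a veth quota. The function names and temporary files are constructed here; the sample values are the ones posted in the comment above, where lxc-usernet names toastboy while the commands run as toastboy70.

```shell
#!/bin/sh
# Added example: cross-check the files behind an unprivileged LXC container.
# Assumes the layouts shown in the thread; "@group" usernet entries are ignored.

# "start count" of the first subordinate ID range for user $1 in file $2
sub_range() { awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "$2"; }

# "hoststart count" of the lxc.idmap line of kind $1 (u or g) in config $2
idmap_range() {
    awk -v k="$1" '{ sub(/=/, " = ") }
        $1 == "lxc.idmap" && $3 == k { print $5, $6; exit }' "$2"
}

# total veth quota granted to user $1 in lxc-usernet file $2 (0 if none)
usernet_quota() {
    awk -v u="$1" '$1 == u && $2 == "veth" { n += $4 } END { print n + 0 }' "$2"
}

# check_unpriv_lxc USER SUBUID SUBGID USERNET CONF
# Prints one line per problem and returns the number of problems.
check_unpriv_lxc() {
    user=$1 usernet=$4 conf=$5 problems=0
    for pair in "u:$2" "g:$3"; do
        kind=${pair%%:*} file=${pair#*:}
        want=$(sub_range "$user" "$file") have=$(idmap_range "$kind" "$conf")
        if [ -z "$want" ] || [ -z "$have" ]; then
            echo "FAIL($kind): no range for '$user' in $file or no lxc.idmap"
            problems=$((problems + 1))
        elif [ "${have% *}" -lt "${want% *}" ] ||
             [ "$((${have% *} + ${have#* }))" -gt "$((${want% *} + ${want#* }))" ]; then
            echo "FAIL($kind): lxc.idmap '$have' exceeds delegated '$want'"
            problems=$((problems + 1))
        fi
    done
    if [ "$(usernet_quota "$user" "$usernet")" -eq 0 ]; then
        echo "FAIL(net): no veth quota for '$user' in $usernet"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files that reuse the values posted in the thread.
demo_from_thread() {
    d=$(mktemp -d) || return 99
    printf '%s\n' 'lxd:100000:65536' 'toastboy70:231072:65536' > "$d/subuid"
    cp "$d/subuid" "$d/subgid"
    printf '%s\n' '# USERNAME TYPE BRIDGE COUNT' 'toastboy veth lxcbr0 10' > "$d/net"
    printf '%s\n' 'lxc.net.0.link = lxcbr0' 'lxc.idmap = u 0 231072 65536' \
        'lxc.idmap = g 0 231072 65536' > "$d/conf"
    rc=0
    check_unpriv_lxc "${1:-toastboy70}" "$d/subuid" "$d/subgid" "$d/net" "$d/conf" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo_from_thread || echo "problems found: $?"
```

On a real host the call would be check_unpriv_lxc "$(id -un)" /etc/subuid /etc/subgid /etc/lxc/lxc-usernet ~/.config/lxc/default.conf.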
    
  • Hi @toastboy,

    Have you tried adding the ACL, as suggested in an earlier comment?

    Regards,
    -Chris

  • @chrispokorni Yes:

    toastboy70@instance-lfs253 ~ $ ls -al .local/
    total 12
    drwxr-xr-x+  3 toastboy70 toastboy70 4096 Sep 26 16:42 .
    drwxr-xr-x  10 toastboy70 toastboy70 4096 Oct  3 06:45 ..
    drwxr-xr-x+  3 toastboy70 toastboy70 4096 Sep 26 16:42 share
    
  • chrispokorni
    chrispokorni Posts: 2,372

    Hi @toastboy,

    Although in Lab 1.1 we create a g1-small instance, I ran through the exercise on an e2-micro instance such as yours, and I had the same issue when starting the lxc container with both -d and -F options, before rebooting the instance. Once I rebooted the machine I was able to create and start the lxc container.

    Could you attempt a reboot before creating the lxc container?

    Regards,
    -Chris

  • mikerossiter
    mikerossiter Posts: 21
    edited December 2020

    Thanks for this thread. It really helped! I think the distro, release and arch need adding to the lab example to show exactly what happens otherwise the results don't make sense. And emphasising that they can be altered instead.

    I have a separate issue though! When I finally got the container to work, my "lxc-ls -f" command said that my container was UNPRIVILEGED = false (!). I followed it word for word. I wondered where I was going wrong??? (Was it because I ran it as 'sudo' as student???)

  • chrispokorni
    chrispokorni Posts: 2,372
    edited December 2020

    Hi @mikerossiter,

    The lab exercise does say the following:

    Once the image index is displayed, the tool will expect three separate entries from the user at the CLI: distribution, release and architecture. For this example ubuntu, xenial and amd64 have been entered respectively at the prompts:

    This should hint what the user is expected to do when presented with the distro, release and arch prompts. Also the image index header is pretty clear in column labeling, helping users pick the right entries in the case of an alternate image.

    A "word for word" would imply that the commands were run as the student user. That is no longer the case when sudo was introduced. I would assume that is the reason for the difference in output. What happens when you attempt the exercise word for word, as in without sudo?

    Regards,
    -Chris

  • Hello,
    I tried to run lxc-create but it's giving a message
    'error creating container unpriv-cont-user '
    I have attached a screenshot of my screen with the following output.

  • chrispokorni
    chrispokorni Posts: 2,372

    Hi @saumya043,

    It seems your lxc-create command does not initiate the download of the image index. Do you have any firewalls in place? What guest OS are you using, and what is your infrastructure (cloud, local VM) hardware profile, and on what hypervisor?
    What outputs are generated by the following two commands?

    cat /etc/subuid
    cat /etc/subgid

    Regards,
    -Chris

  • I got the solution to the above problem.
    In the ~/.config/lxc/default.conf file I have changed two lines as
    lxc.net.0.type = veth
    lxc.net.0.link = lxcbr0

  • proliant
    proliant Posts: 10
    edited July 2021

    Got similar issues in the Lab 3.2, able to fix them:

    $ cat /etc/os-release | grep VERSION=
    VERSION="18.04.5 LTS (Bionic Beaver)"

    $ lxc-create -t download -n unpriv-cont-user -- --keyserver keyserver.ubuntu.com

    (root) setfacl -R -m u:1000000:x /home/penguin/.local

    (root) lxc-create -t download -n priv-cont -- --keyserver keyserver.ubuntu.com

  • haral
    haral Posts: 14

    I have the same problem discussed in this thread...

    haral@ubuntu:~$ cat /etc/subuid
    haral:100000:65536
    haral@ubuntu:~$ cat /etc/subgid
    haral:100000:65536
    haral@ubuntu:~$ cat /etc/lxc/lxc-usernet
    # USERNAME TYPE BRIDGE COUNT
    haral veth lxcbr0 10
    haral@ubuntu:~$ cat ~/.config/lxc/default.conf
    lxc.net.0.type = veth
    lxc.net.0.link = lxcbr0
    lxc.net.0.flags = up
    lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
    lxc.idmap = u 0 100000 65536
    lxc.idmap = g 0 100000 65536
    haral@ubuntu:~$ id
    uid=1000(haral) gid=1000(haral) groups=1000(haral),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
    haral@ubuntu:~$ lxc-create -t download -n unpriv-cont-user
    lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user
    haral@ubuntu:~$ sudo lxc-create -t download -n unpriv-cont-user -- -d ubuntu -r xenial -a amd64
    Setting up the GPG keyring
    ERROR: Unable to fetch GPG key from keyserver
    lxc-create: unpriv-cont-user: lxccontainer.c: create_run_template: 1617 Failed to create container from template
    lxc-create: unpriv-cont-user: tools/lxc_create.c: main: 327 Failed to create container unpriv-cont-user

  • chrispokorni
    chrispokorni Posts: 2,372
    edited September 2021

    Hi @haral,

    Have you tried running the command with the --keyserver ... option as suggested above?

    Regards,
    -Chris

  • haral
    haral Posts: 14

    The container is created after I run the command with --keyserver option, but the lxc commands have to be run with "sudo"...
