Bug 789012 - app-emulation/lxd does not launch containers on kernels 5.12 / >= 5.11.19 / 5.10.35
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Joonas Niilola
URL: https://discuss.linuxcontainers.org/t...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-09 07:06 UTC by Ernst Herzberg
Modified: 2021-05-10 05:01 UTC (History)

See Also:
Package list:
Runtime testing required: ---



Description Ernst Herzberg 2021-05-09 07:06:00 UTC
Newer kernels have a security patch described here:
https://lore.kernel.org/patchwork/patch/1415008/

lxc/lxd needs to be fixed to handle CAP_SETFCAP correctly.

Reproducible: Always
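Added triage helper for the CAP_SETFCAP requirement the description refers to (this is not code from the bug, from lxc or from the kernel patch): it decodes the capability masks that /proc/<pid>/status prints and reports whether CAP_SETFCAP (bit 31 in linux/capability.h) survives in a process's bounding, effective and permitted sets, which is what to check on an affected kernel for the lxc monitor or container init. The sample status lines are constructed and the function names are assumptions.

```python
import re

# Capability bit numbers from linux/capability.h (only the ones used here).
CAPS = {
    "CAP_CHOWN": 0,
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_ADMIN": 21,
    "CAP_SETFCAP": 31,
}

# /proc/<pid>/status prints each capability set as a 64-bit hex mask.
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} parsed from status text."""
    masks = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line.strip())
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask, cap_name):
    """True if the named capability bit is set in the given mask."""
    return bool((mask >> CAPS[cap_name]) & 1)


def setfcap_report(status_text):
    """Which of the bounding/effective/permitted sets still hold CAP_SETFCAP.
    If it is gone from the bounding set, nothing below that process can regain it."""
    masks = parse_cap_masks(status_text)
    return {name: has_cap(masks[name], "CAP_SETFCAP")
            for name in ("CapBnd", "CapEff", "CapPrm")}


def read_status(pid="self"):
    """Read /proc/<pid>/status on a live Linux system (assumed pid format)."""
    with open(f"/proc/{pid}/status") as f:
        return f.read()


# Constructed sample: a full 41-bit root capability set, and the same set
# with bit 31 (CAP_SETFCAP) cleared, as a runtime that dropped it would show.
FULL_BND = (1 << 41) - 1
SAMPLE_FULL = ("Name:\tlxc-start\nCapInh:\t0000000000000000\n"
               f"CapPrm:\t{FULL_BND:016x}\nCapEff:\t{FULL_BND:016x}\n"
               f"CapBnd:\t{FULL_BND:016x}\nCapAmb:\t0000000000000000\n")
SAMPLE_NO_SETFCAP = SAMPLE_FULL.replace(f"{FULL_BND:016x}",
                                        f"{FULL_BND & ~(1 << 31):016x}")

if __name__ == "__main__":
    print(setfcap_report(read_status()))
```

Run it with a container's init pid instead of "self" to see which set the capability was dropped from.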
Comment 1 Joonas Niilola gentoo-dev 2021-05-09 07:32:22 UTC
Yeap, had this as well after updating to 5.12, but wasn't sure if I was missing a specific kernel config as my kernel is trimmed down to minimum ;) was waiting for a new release of gentoo-kernel-bin to test this, but I did see the upstream issue about it. It's apparently been fixed in lxc, 
  https://github.com/lxc/lxc/commit/86c780115a6ad14673f0b6b057219020b0523014
  https://github.com/lxc/lxc/commit/ce86ae557a30fbdc505af611b2c215a22abac025

and lxc-4.0.10 should be released shortly. I can however make a snapshot release to test if it works already, and push it later today.
Comment 2 Joonas Niilola gentoo-dev 2021-05-09 07:36:09 UTC
On another thought, it's caused by 
  --enable-seccomp
in lxc. I remember enabling this because I couldn't compile either lxc or lxd with it disabled, but now I wonder if that was related to something else. May want to investigate this option again to make it USE-flaggable.
Comment 3 Ernst Herzberg 2021-05-09 07:43:04 UTC
I don't think --enable-seccomp is related to this bug. I had tried two machines, one with kernel config SECCOMP enabled, the other disabled. No difference;-)
Comment 4 Joonas Niilola gentoo-dev 2021-05-09 09:43:50 UTC
(In reply to Ernst Herzberg from comment #3)
> I don't think --enable-seccomp is related to this bug. I had tried two
> machines, one with kernel config SECCOMP enabled, the other disabled. No
> difference;-)

Yep, and I actually meant caps :P but didn't show any difference. 

So applying https://github.com/lxc/lxc/commit/91ad9b94bcd964adfbaa8d84d8f39304d39835d0.patch does make containers start on 5.12, but now for one reason or another I don't have network inside containers. Might be openrc-related too. I don't have more time today for this, but you can apply this patch by placing it in /etc/portage/patches/app-emulation/lxc-4.0.9/91ad9b94bcd964adfbaa8d84d8f39304d39835d0.patch
Comment 5 Ernst Herzberg 2021-05-09 17:10:35 UTC
With this patch launch of container works again. Tested with lxc-4.0.9 and kernel 5.11.19.
Comment 6 Larry the Git Cow gentoo-dev 2021-05-10 05:01:39 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb00aa98de17dba7ffb4ef5fed6608af8a6968d8

commit fb00aa98de17dba7ffb4ef5fed6608af8a6968d8
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-05-09 09:27:30 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-05-10 05:01:28 +0000

    app-emulation/lxc: handle kernels with CAP_SETFCAP
    
    Closes: https://bugs.gentoo.org/789012
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 ...lxc-4.0.9-handle-kernels-with-CAP_SETFCAP.patch | 93 ++++++++++++++++++++++
 .../lxc/{lxc-4.0.9.ebuild => lxc-4.0.9-r1.ebuild}  |  1 +
 2 files changed, 94 insertions(+)