LXC causes kernel panic 18.06.04 when starting containers

I built a custom kernel with SECCOMP enabled. When I try to run a container I get a kernel panic.

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points: 
/sys/fs/cgroup

Cgroup v2 mount points: 


Cgroup v1 systemd controller: /usr/bin/lxc-checkconfig: line 169: printf \033[1;31m: not found

Cgroup v1 freezer controller: /usr/bin/lxc-checkconfig: line 176: printf \033[1;31m: not found

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: missingCONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: missing
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: missing
CONFIG_PACKET_DIAG: missing
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled

I am using a custom built 18.06.4 which otherwise works fine. I am using it on a brcm2708 (pi zero) with alpine linux template (which had worked fine on previous builds). (even though I selected SECCOMP_FILTER in the config)

zcat /proc/config.gz | grep SECCOMP
CONFIG_SECCOMP=y

There are NO Seccomp_Filter which seems to be ignoring what I put in the kernel config. Any ideas?

Also the kernel messages from the panic:

lxc-start: hello: utils.c: safe_mount: 1707 No such file or directory - Failed to mount /usr/lib/lxc/rootfs/proc/tty onto /usr/lib/lxc/rootfs/proc/sys/net
                                                                                                                                                          lxc-start: hello: sync.c: __sync_wait: 57 An error occurred in another process (expected sequence number 5)
                                                                                     lxc-start: hello: start.c: __lxc_start: 1459 Failed to spawn container "hello".
                                                                                                                                                                    lxc-start: hello: tools/lxc_start.c: main: 371 The container failed to start.
lxc-start: hello: tools/lxc_start.c: main: 375 Additional information can be obtained by setting the --logfile and --logpriority options.
root@OpenWrt:/srv/lxc# [  767.040395] Unable to handle kernel NULL pointer dereference at virtual address 00000003
[  767.054395] Unable to handle kernel NULL pointer dereference at virtual address 00000003
[  767.054408] pgd = d3644000
[  767.054417] [00000003] *pgd=00000000
[  767.054435] Internal error: Oops: 5 [#1] ARM
[  767.054616] Modules linked in: rt2800usb rt2800lib pppoe ppp_async brcmfmac rt2x00usb rt2x00lib pppox ppp_generic nf_tables_inet mac80211 lz4 iptable_nat ipt_MASQUERADE cfg80211 xt_time xt_string xt_state xt_recent xt_quota xt_pkttype xt_owner xt_nat xt_multiport xt_mark xt_mac xt_lscan xt_limit xt_iprange xt_helper xt_hashlimit xt_geoip xt_fuzzy xt_conntrack xt_connmark xt_connlimit xt_connlabel xt_connbytes xt_condition xt_comment xt_bpf xt_addrtype xt_TCPMSS xt_REDIRECT xt_NETMAP xt_LOG xt_LED xt_DNETMAP xt_DELUDE xt_TARPIT ipt_REJECT xt_tcpudp xt_CHAOS wireguard usbhid ums_usbat ums_sddr55 ums_sddr09 ums_karma ums_jumpshot ums_isd200 ums_freecom ums_datafab ums_cypress ums_alauda ts_kmp ts_fsm ts_bm slhc nft_set_rbtree nft_set_hash nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir_ipv4
[  767.054754]  nft_redir nft_quota nft_numgen nft_nat nft_meta nft_masq_ipv4 nft_masq nft_log nft_limit nft_exthdr nft_ct nft_counter nft_chain_route_ipv6 nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_tables_ipv6 nf_tables_ipv4 nf_tables nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_log_ipv4 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack_netlink macvlan lz4_decompress lz4_compress iptable_mangle iptable_filter ip_tables hid_generic crc_ccitt compat_xtables compat brcmutil spi_bcm2835aux spi_bcm2835 fuse snd_bcm2835 hid evdev usb_f_mass_storage libcomposite ledtrig_usbport xt_set ip_set_list_set ip_set_hash_netiface ip_set_hash_netport ip_set_hash_netnet ip_set_hash_net ip_set_hash_netportnet ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink ip6t_NPT ip6t_MASQUERADE nf_nat_masquerade_ipv6 ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nf_nat nf_conntrack ip6t_rt ip6t_frag ip6t_hbh ip6t_eui64 ip6t_mh ip6t_ah ip6t_ipv6header ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables x_tables nat46 ip6_udp_tunnel udp_tunnel veth snd_compress snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_rawmidi snd_seq_device snd_hwdep snd soundcore udf crc_itu_t nls_utf8 vfat fat nls_iso8859_1 nls_cp437 udc_core lzo lzo_decompress lzo_compress zram zsmalloc
[  767.054906] CPU: 0 PID: 2568 Comm: luci Tainted: G        W       4.9.184 #0
[  767.054910] Hardware name: BCM2835
[  767.054918] task: d8241300 task.stack: d35cc000
[  767.054928] pc : [<c00d2e70>]    lr : [<c00d2da8>]    psr: 20000193
[  767.054928] sp : d35cd930  ip : 00000000  fp : 00000002
[  767.054934] r10: 00000002  r9 : d7ec8ac0  r8 : c02e1a74
[  767.054941] r7 : c056aabc  r6 : 02088020  r5 : 00000003  r4 : da401e40
[  767.054949] r3 : 00000000  r2 : d7ec8ac0  r1 : 00049300  r0 : da401e40
[  767.054957] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
[  767.054964] Control: 00c5387d  Table: 13644008  DAC: 00000051
[  767.054970] Process luci (pid: 2568, stack limit = 0xd35cc208)
[  767.054977] Stack: (0xd35cd930 to 0xd35ce000)
[  767.054991] d920:                                     d7c0d680 00000000 da6cc800 da6cc800
[  767.055009] d940: dc8b05c0 c02e1a74 d7ec8d80 da6aef80 da6cc800 d7ec8ac0 dc8b05c0 c02e1a54
[  767.055029] d960: 00000002 c02e355c da6cc800 da6aef80 dc8b05c0 da6aef80 d7ec8d80 da6cc800
[  767.055045] d980: dc8b05c0 00000000 00000000 00000023 00000002 c02e4778 da6cc800 dc8b0000
[  767.055062] d9a0: da6cc81c c02dfcd8 00000002 00000002 49505d24 00000040 da6cc800 00000006
[  767.055078] d9c0: 00000000 f301080e c0533bcd 00000008 c0461578 c02e4ab8 da6cc800 00000001
[  767.055095] d9e0: 00000002 da6ccc00 f301080e c02e4c68 da6c0240 00000000 00000038 00000000
[  767.055113] da00: da40b500 d35cda50 c0525255 c02e18a8 da6c0240 c02b829c da6c0240 c0051fc0
[  767.055130] da20: da40b500 d35cda50 da40b500 c0516848 da40b510 da40b500 da409c00 00000001
[  767.055147] da40: d35cc000 00000000 c0542628 c00520c0 00000000 49505d24 da40b500 da40b510
[  767.055166] da60: d35cdb78 c005213c da40b500 c00551cc 00000038 c052ab60 d35cdb78 c0051614
[  767.055183] da80: 00000038 c0051a18 d35cdab0 c0516c74 ffffffff d35cdae4 00000001 c0009424
[  767.055200] daa0: c0027100 60000113 ffffffff c001344c 00400000 c0521940 00000100 00000000
[  767.055216] dac0: 00000000 ffffe000 00000002 c0540540 00000001 d35cc000 00000000 c0542628
[  767.055234] dae0: 00000015 d35cdb00 c0027550 c0027100 60000113 ffffffff 00000051 bf000000
[  767.055250] db00: da406700 da409c00 00000001 00400000 0000000a 0000b673 00014280 c0521940
[  767.055266] db20: da406700 00000000 c052ab60 00000000 da409c00 00000001 d35cc000 00000000
[  767.055285] db40: c0542628 c0027550 00000000 c0051a04 d35cdb78 c0516c74 ffffffff d35cdbac
[  767.055303] db60: c0541cf8 c0009424 c00502e0 60000113 ffffffff c001344c c0571c7c 00000004
[  767.055320] db80: 60000113 60000113 c0541cf8 c0549da0 c0541cf8 00000000 c0541cf8 000052ec
[  767.055337] dba0: 00000000 c0542628 00000000 d35cdbc8 c0269c80 c00502e0 60000113 ffffffff
[  767.055353] dbc0: 00000051 bf000000 00000400 0000005c 0000005c 00000000 00000000 00000001
[  767.055369] dbe0: 60000113 00000000 00000120 00000000 00000007 00000000 c0542638 0000004c
[  767.055385] dc00: c0542646 00000006 00000000 00000001 c051f5ac 00000000 00000000 c00507b8
[  767.055401] dc20: 00000000 00000000 00000000 00000000 c0542646 0000004c ffffffff 00000000
[  767.055418] dc40: 60000113 00000000 c00d2fa8 c0516848 d35cdd98 00000005 d8518000 d8241300
[  767.055435] dc60: 00000005 d8518000 00000000 c0050828 c045dd87 d35cdc94 00000003 c0095fdc
[  767.055452] dc80: d35cdc94 49505d24 00000003 c001e9cc c045dd87 c045dd5f 00000003 c045dd78
[  767.055470] dca0: 00000014 c001adcc da40b500 d35cdcd8 00000038 49505d24 d8518038 c05699e0
[  767.055485] dcc0: 00000000 00000000 00000001 00000005 c0516848 00000003 c051b2f4 d35cdd98
[  767.055503] dce0: d35cc000 d45c8c00 00000000 c00092a0 da40b500 c00551f8 00000038 c052ab60
[  767.055520] dd00: d35cddf8 c0027558 00000000 c0051a04 d35cdd38 c0516c74 ffffffff d35cdd6c
[  767.055539] dd20: d35cddf0 c0009424 da6cc800 dc8b0000 da6cc800 dc8b0000 da6cc81c c02dfcd8
[  767.055557] dd40: d8315ca8 dc8b002c da6cc800 dc8b0000 da6cc81c c02dfcd8 d8315ca8 dc8b002c
[  767.055575] dd60: 13573894 00000003 13573894 d7e98015 d8315ca8 d35cdec0 d35cdec0 49505d24
[  767.055592] dd80: c00d2fa8 20000013 ffffffff d35cddcc c018dd84 c00133a0 da401e40 00049300
[  767.055609] dda0: d365fa88 00000000 da401e40 00000003 c056aabc 024080c0 c018dd84 d365fa88
[  767.055627] ddc0: d45c8c00 00000000 00000000 d35cdde8 c018dd84 c00d2fa8 20000013 ffffffff
[  767.055644] dde0: 00000051 bf000000 d365fa80 da376148 00000000 c0516848 d365fa80 c018dd84
[  767.055662] de00: da376148 d365fa80 d365fa88 49505d24 d365fa80 da376148 00000000 00000003
[  767.055679] de20: c018dd60 c00de478 d35cdec0 00000000 d365fa80 00000003 c000ef48 d35cc000
[  767.055696] de40: 00000000 c00ee8b0 00000000 c0051a04 d35cdf70 00024000 00000000 d35cdeac
[  767.055711] de60: da0fd4c8 00000043 00000000 00000004 00000000 c001344c 00000000 00000002
[  767.055729] de80: da376148 d9d1a610 da370aa0 00000040 38e38e39 49505d24 da6cc800 0000000b
[  767.055746] dea0: c0516848 d35cdf70 00000003 c000ef48 d35cc000 00000005 beabd8fc c00eea74
[  767.055763] dec0: d9d1a610 da370aa0 19f70ca4 00000003 d7e98019 c02e2e30 00000000 da0fcee0
[  767.055780] dee0: da376148 00000103 00000002 00002068 00000000 00000000 00000000 d35cdf00
[  767.055797] df00: d7e98010 00000ff0 005426f8 00000ff0 beabd908 d7e98010 ffffe000 c0217c24
[  767.055814] df20: 00000001 49505d24 c0516848 0000000b d7e98000 00000000 000a4000 00000002
[  767.055831] df40: ffffff9c c00fb104 000a4000 49505d24 ffffff9c 0000000b c0516848 ffffff9c
[  767.055848] df60: d7e98000 c00df684 da40b500 c00551f8 00024000 c0520000 00000004 00000100
[  767.055864] df80: 00000003 49505d24 00000000 00000000 00084000 00000005 c000ef48 d35cc000
[  767.055880] dfa0: 00000005 c000ed40 00000000 00000000 beabd908 000a4000 00000000 00000000
[  767.055896] dfc0: 00000000 00000000 00084000 00000005 beabd700 00000004 00000000 beabd8fc
[  767.055915] dfe0: beabd688 beabd674 b6f305f4 b6f2fa08 60000010 beabd908 00000000 00000000
[  767.055932] Function entered at [<c00d2e70>] from [<c02e1a74>]
[  767.055940] Function entered at [<c02e1a74>] from [<c02e355c>]
[  767.055947] Function entered at [<c02e355c>] from [<c02e4778>]
[  767.055954] Function entered at [<c02e4778>] from [<c02e4ab8>]
[  767.055960] Function entered at [<c02e4ab8>] from [<c02e4c68>]
[  767.055966] Function entered at [<c02e4c68>] from [<c02e18a8>]
[  767.055972] Function entered at [<c02e18a8>] from [<c02b829c>]
[  767.055980] Function entered at [<c02b829c>] from [<c0051fc0>]
[  767.055987] Function entered at [<c0051fc0>] from [<c00520c0>]
[  767.055993] Function entered at [<c00520c0>] from [<c005213c>]
[  767.055999] Function entered at [<c005213c>] from [<c00551cc>]
[  767.056006] Function entered at [<c00551cc>] from [<c0051614>]
[  767.056012] Function entered at [<c0051614>] from [<c0051a18>]
[  767.056019] Function entered at [<c0051a18>] from [<c0009424>]
[  767.056027] Function entered at [<c0009424>] from [<c001344c>]
[  767.056033] Exception stack(0xd35cdab0 to 0xd35cdaf8)
[  767.056044] daa0:                                     00400000 c0521940 00000100 00000000
[  767.056060] dac0: 00000000 ffffe000 00000002 c0540540 00000001 d35cc000 00000000 c0542628
[  767.056074] dae0: 00000015 d35cdb00 c0027550 c0027100 60000113 ffffffff
[  767.056083] Function entered at [<c001344c>] from [<c0027100>]
[  767.056090] Function entered at [<c0027100>] from [<c0027550>]
[  767.056096] Function entered at [<c0027550>] from [<c0051a04>]
[  767.056102] Function entered at [<c0051a04>] from [<c0009424>]
[  767.056108] Function entered at [<c0009424>] from [<c001344c>]
[  767.056114] Exception stack(0xd35cdb78 to 0xd35cdbc0)
[  767.056121] db60:                                                       c0571c7c 00000004
[  767.056138] db80: 60000113 60000113 c0541cf8 c0549da0 c0541cf8 00000000 c0541cf8 000052ec
[  767.056157] dba0: 00000000 c0542628 00000000 d35cdbc8 c0269c80 c00502e0 60000113 ffffffff
[  767.056164] Function entered at [<c001344c>] from [<c00502e0>]
[  767.056171] Function entered at [<c00502e0>] from [<c00507b8>]
[  767.056177] Function entered at [<c00507b8>] from [<c0050828>]
[  767.056183] Function entered at [<c0050828>] from [<c0095fdc>]
[  767.056191] Function entered at [<c0095fdc>] from [<c001e9cc>]
[  767.056198] Function entered at [<c001e9cc>] from [<c001adcc>]
[  767.056205] Function entered at [<c001adcc>] from [<c00092a0>]
[  767.056211] Function entered at [<c00092a0>] from [<c00133a0>]
[  767.056216] Exception stack(0xd35cdd98 to 0xd35cdde0)
[  767.056224] dd80:                                                       da401e40 00049300
[  767.056241] dda0: d365fa88 00000000 da401e40 00000003 c056aabc 024080c0 c018dd84 d365fa88
[  767.056258] ddc0: d45c8c00 00000000 00000000 d35cdde8 c018dd84 c00d2fa8 20000013 ffffffff
[  767.056264] Function entered at [<c00133a0>] from [<c00d2fa8>]
[  767.056270] Function entered at [<c00d2fa8>] from [<c018dd84>]
[  767.056280] Function entered at [<c018dd84>] from [<c00de478>]ea74>]
[  767.056301] Function entered at [<c00eea74>] from [<c00df684>]
[  767.056308] Function entered at [<c00df684>] from [<c000ed40>]
[  767.056324] Code: e1a04005 e1a00004 e8bd81f0 e5943014 (e7950003) 
[  767.056451] Unable to handle kernel NULL pointer dereference at virtual address 00000003
[  767.056458] pgd = d3644000
[  767.056465] [00000003] *pgd=00000000
[  767.056477] Internal error: Oops: 5 [#2] ARM
[  767.056652] Modules linked in: rt2800usb rt2800lib pppoe ppp_async brcmfmac rt2x00usb rt2x00lib pppox ppp_generic nf_tables_inet mac80211 lz4 iptable_nat ipt_MASQUERADE cfg80211 xt_time xt_string xt_state xt_recent xt_quota xt_pkttype xt_owner xt_nat xt_multiport xt_mark xt_mac xt_lscan xt_limit xt_iprange xt_helper xt_hashlimit xt_geoip xt_fuzzy xt_conntrack xt_connmark xt_connlimit xt_connlabel xt_connbytes xt_condition xt_comment xt_bpf xt_addrtype xt_TCPMSS xt_REDIRECT xt_NETMAP xt_LOG xt_LED xt_DNETMAP xt_DELUDE xt_TARPIT ipt_REJECT xt_tcpudp xt_CHAOS wireguard usbhid ums_usbat ums_sddr55 ums_sddr09 ums_karma ums_jumpshot ums_isd200 ums_freecom ums_datafab ums_cypress ums_alauda ts_kmp ts_fsm ts_bm slhc nft_set_rbtree nft_set_hash nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir_ipv4
[  767.056784]  nft_redir nft_quota nft_numgen nft_nat nft_meta nft_masq_ipv4 nft_masq nft_log nft_limit nft_exthdr nft_ct nft_counter nft_chain_route_ipv6 nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_tables_ipv6 nf_tables_ipv4 nf_tables nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_log_ipv4 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack_netlink macvlan lz4_decompress lz4_compress iptable_mangle iptable_filter ip_tables hid_generic crc_ccitt compat_xtables compat brcmutil spi_bcm2835aux spi_bcm2835 fuse snd_bcm2835 hid evdev usb_f_mass_storage libcomposite ledtrig_usbport xt_set ip_set_list_set ip_set_hash_netiface ip_set_hash_netport ip_set_hash_netnet ip_set_hash_net ip_set_hash_netportnet ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink ip6t_NPT ip6t_MASQUERADE nf_nat_masquerade_ipv6 ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nf_nat nf_conntrack ip6t_rt ip6t_frag ip6t_hbh ip6t_eui64 ip6t_mh ip6t_ah ip6t_ipv6header ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables x_tables nat46 ip6_udp_tunnel udp_tunnel veth snd_compress snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_rawmidi snd_seq_device snd_hwdep snd soundcore udf crc_itu_t nls_utf8 vfat fat nls_iso8859_1 nls_cp437 udc_core lzo lzo_decompress lzo_compress zram zsmalloc522.013528] Kernel panic - not syncing: Fatal exception

Here is a copy of my 'working' config when I look for seccomp: zcat /proc/config.gz | grep -i seccomp

CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y

I finally figured it out. It is kind of a stupid 'rpi zero' bcm2708 thing. You have to COMPLETELY DISABLE obabi in the kernel (under kernel features you have to do custom kerne). obabi keeps seccomp_filter from working.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.