On 01/02/2018 08:47 PM, [email protected] wrote:
> Hi all,
> Using plain lxc, not lxd, I got my Buster/Sid machine to start a
> Buster container. However, it seems that systemd cannot start any
> services. journalctl -xe reveals "failed to change ownership of
> session keyring". If it matters, I tried the redis-server and boinc-client
> systemd services and both produced this result, but they work fine on a
> physical install.
> Limited research shows solutions involving seccomp to blacklist the
> keyctl syscall, which I tried, and it produced the same result.
> I did create a thread yesterday, which I resolved today simply by
> installing the newest version of lxc available to me, 2.0.9-5. I think
> the problems I was seeing were related to apparmor, which I am afraid
> is causing these issues too.
> Any help would be appreciated.
> Paul
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
I was able to search around and find an existing issue:
https://github.com/systemd/systemd/pull/6876
The keyctl syscalls are not set up to handle namespaces, which is a
requirement of unprivileged containers. I eventually figured out the
right seccomp syntax to disable the keyctl syscalls:
    2
    blacklist
    keyctl_chown errno 38
    keyctl errno 38
What I don't understand is how this was not a problem before, why this
isn't in the default lxc config files for Debian, and whether this is
worth reporting to the Debian packaging team.
I still have a problem starting the boinc service related to keyctl, but
the problem is resolved if I modify the systemd unit file to not switch
to the boinc user and remain as root instead.
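The profile line "keyctl errno 38" works because 38 is ENOSYS: the syscall is never executed and the caller sees "not implemented", which a keyring probe can treat as "no keyrings here" rather than as a fatal error. The following added example (not code from the thread or from lxc) reproduces that effect in a single process with a raw seccomp-BPF filter, which is what lxc installs via libseccomp from such a profile, and then probes the session keyring the way a service manager would. Function names are hypothetical, and the filter omits the architecture check a production filter should carry.

```c
/* Added example: emulate "keyctl errno 38" with a seccomp-BPF filter
 * and show a keyring probe degrading to "unsupported" instead of failing. */
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define KEYCTL_GET_KEYRING_ID 0      /* from linux/keyctl.h */
#define KEY_SPEC_SESSION_KEYRING (-3)

/* Install "if (nr == __NR_keyctl) return -ENOSYS; else allow". Returns 0 on success. */
int block_keyctl_with_enosys(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_keyctl, 0, 1), /* not keyctl -> skip */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    /* Unprivileged processes must set no_new_privs before installing a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe the session keyring. Returns 1 if usable, 0 if the kernel (or a filter)
 * reports ENOSYS and the caller should continue without keyring setup, -1 otherwise.
 * The errno observed is stored in *err_out when err_out is non-NULL. */
int probe_session_keyring(int *err_out)
{
    long id = syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0);
    if (id >= 0) { if (err_out) *err_out = 0; return 1; }
    if (err_out) *err_out = errno;
    return errno == ENOSYS ? 0 : -1;
}

int main(void)
{
    int err = 0;
    printf("before filter: probe=%d errno=%d\n", probe_session_keyring(&err), err);
    if (block_keyctl_with_enosys() != 0) { perror("seccomp"); return 1; }
    int after = probe_session_keyring(&err);
    printf("after filter:  probe=%d errno=%d (ENOSYS=%d)\n", after, err, ENOSYS);
    return after == 0 ? 0 : 1;
}
```

Once the filter is in place, any other errno (EACCES, EPERM) would still make the probe report a real failure, which is why the profile picks 38 rather than blocking with a kill action.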