Hi,
It seems that systemd builds the cgroup hierarchy incorrectly when it is
running in a container. Systemd duplicates part of the hierarchy
below machine.slice/machine...scope/. As a result, a non-root
user session cannot be created due to lack of permissions.
In an nspawn container the problem with non-root session creation does
not appear. The only minor difference between the containers that we found
is in the cgroup hierarchy.
Cgroup hierarchy for the tested cases:
1. cgroup hierarchy for a non-systemd container
sh-4.2# systemd-cgls
├─user.slice
│ └─user-5000.slice
│   ├─session-c1.scope
│   │ └─2362 /usr/bin/user-session-launch seat0 5000
│   └─user@5000.service
│     ├─2365 /usr/lib/systemd/systemd --user
│     ├─2366 (sd-pam)
│     ├─starter.service
│     │ └─2711 /usr/bin/starter
│     ├─xorg.service
│     │ └─2709 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     ├─msg-service.service
│     │ └─2373 /usr/bin/msg-server
│     └─email.service
│       └─2371 /usr/bin/email-service
├─machine.slice
│ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   ├─2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   └─2681 /bin/bash
└─system.slice
  ├─1 /sbin/init
  └─connman.service
    └─29225 /usr/sbin/connmand -n
2. cgroup hierarchy for a running container with systemd
sh-4.2# systemd-cgls
├─user.slice
│ └─user-5000.slice
│   ├─session-c1.scope
│   │ └─2362 /usr/bin/user-session-launch seat0 5000
│   └─user@5000.service
│     ├─2365 /usr/lib/systemd/systemd --user
│     ├─2366 (sd-pam)
│     ├─xorg.service
│     │ └─3185 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     ├─msg-service.service
│     │ └─2373 /usr/bin/msg-server
│     └─email.service
│       └─2371 /usr/bin/email-service
├─machine.slice
│ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   ├─2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   └─machine.slice
│     └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       └─system.slice
│         ├─2681 /usr/lib/systemd/systemd
│         ├─systemd-logind.service
│         │ └─3215 /usr/lib/systemd/systemd-logind
│         ├─connman.service
│         │ └─3214 /usr/sbin/connmand -n
│         ├─dbus.service
│         │ └─3212 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
│         ├─console-getty.service
│         │ └─3240 /sbin/agetty --noclear -s console 115200 38400 9600
│         ├─wpa_supplicant.service
│         │ └─3241 /usr/sbin/wpa_supplicant -u
│         └─systemd-journald.service
│           └─3200 /usr/lib/systemd/systemd-journald
└─system.slice
  ├─1 /sbin/init
  └─connman.service
3. cgroup hierarchy for a running container and a running user session
sh-4.2# systemd-cgls
├─user.slice
│ └─user-5000.slice
│   ├─session-c1.scope
│   │ └─2362 /usr/bin/user-session-launch seat0 5000
│   └─user@5000.service
│     ├─2365 /usr/lib/systemd/systemd --user
│     ├─2366 (sd-pam)
│     ├─xorg.service
│     │ └─3468 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     ├─msg-service.service
│     │ └─2373 /usr/bin/msg-server
│     └─email.service
│       └─2371 /usr/bin/email-service
├─machine.slice
│ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   ├─2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   └─machine.slice
│     └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       ├─machine.slice
│       │ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       │   └─user.slice
│       │     └─user-0.slice
│       │       └─user@0.service
│       │         └─3483 /usr/lib/systemd/systemd --user
│       ├─user.slice
│       │ └─user-0.slice
│       │   ├─session-c1.scope
│       │   │ ├─3240 login -- root
│       │   │ └─3486 -bash
│       │   └─user@0.service
│       │     └─3484 (sd-pam)
│       └─system.slice
│         ├─2681 /usr/lib/systemd/systemd
│         ├─systemd-logind.service
│         │ └─3215 /usr/lib/systemd/systemd-logind
│         ├─connman.service
│         │ └─3214 /usr/sbin/connmand -n
│         ├─dbus.service
│         │ └─3212 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
│         ├─wpa_supplicant.service
│         │ └─3241 /usr/sbin/wpa_supplicant -u
│         └─systemd-journald.service
│           └─3200 /usr/lib/systemd/systemd-journald
└─system.slice
  ├─1 /sbin/init
  └─connman.service
Best regards
Jacek Pielaszkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Email: [email protected]
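As an added check (not part of the original mail), the Python below turns a systemd-cgls tree into absolute cgroup paths and reports every unit whose path repeats a run of segments back to back, which is the machine.slice/machine-*.scope doubling visible in listings 2 and 3. The sample tree is a constructed, trimmed copy of listing 2; the box-drawing characters are assumed to match what the original output used.

```python
import re

# Constructed sample: a trimmed copy of the second systemd-cgls listing.
SAMPLE_CGLS = r"""
├─machine.slice
│ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   ├─2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20
│   └─machine.slice
│     └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       └─system.slice
│         ├─2681 /usr/lib/systemd/systemd
│         └─dbus.service
│           └─3212 /usr/bin/dbus-daemon --system
└─system.slice
  └─connman.service
"""

# One tree line: indentation (bars/spaces), a branch marker, then the node
# (box-drawing characters assumed, as systemd-cgls prints them on a UTF-8 tty).
NODE_RE = re.compile(r"^(?P<indent>[│ ]*)[├└]─(?P<name>.+)$")

def cgls_to_paths(text):
    """Return the absolute cgroup path of every unit in a systemd-cgls tree.
    Depth is the indentation width / 2; process lines (leading PID) are skipped."""
    stack, paths = [], []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if re.match(r"\d+ ", name):       # a process, not a cgroup node
            continue
        del stack[len(m.group("indent")) // 2:]   # back up to the parent
        stack.append(name)
        paths.append("/" + "/".join(stack))
    return paths

def repeated_block(path):
    """Shortest run of segments that occurs twice in a row in `path`, else None.
    A container whose systemd sees its own scope as the root shows no such run."""
    seg = [s for s in path.split("/") if s]
    for k in range(1, len(seg) // 2 + 1):
        for i in range(len(seg) - 2 * k + 1):
            if seg[i:i + k] == seg[i + k:i + 2 * k]:
                return seg[i:i + k]
    return None

def duplicated_paths(text):
    """Map each affected unit path to the run of segments it repeats."""
    return {p: b for p in cgls_to_paths(text) if (b := repeated_block(p))}
```

Running it on a live host (`systemd-cgls` piped into `duplicated_paths`) gives an empty dict on a healthy system; any entry points at the scope that was re-created below itself.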
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel