I created a per-user container "t1", and confirmed that it does start under upstart/cgmanager and doesn't under systemd. I now have a preliminary patch for putting the user slices into all cgroup controllers, plus some hand-crafted "chown ubuntu" for all the user-1000.slice cgroup directories so that they become writable (this part still needs to be added to the patch). I understand that this should now be sufficient:
    ubuntu@ulxc$ cat /proc/$$/cgroup
    10:devices:/user.slice/user-1000.slice
    9:memory:/user.slice/user-1000.slice
    8:cpuset:/
    7:hugetlb:/user.slice/user-1000.slice
    6:blkio:/user.slice/user-1000.slice
    5:cpu,cpuacct:/user.slice/user-1000.slice
    4:freezer:/user.slice/user-1000.slice
    3:perf_event:/user.slice/user-1000.slice
    2:net_cls,net_prio:/user.slice/user-1000.slice
    1:name=systemd:/user.slice/user-1000.slice/session-1.scope

    ubuntu@ulxc:~$ ls -ld /sys/fs/cgroup/*/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/blkio/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/cpuacct/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/cpuset/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/cpu/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/devices/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/freezer/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/hugetlb/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/memory/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/net_cls,net_prio/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/net_cls/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/net_prio/user.slice/user-1000.slice/
    drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/perf_event/user.slice/user-1000.slice/
    drwxr-xr-x 4 root root 0 Nov 26 10:33 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/

I'm not sure why my login shell isn't in "cpuset"; I'll debug that still. But I chown'ed /sys/fs/cgroup/cpuset/ to "ubuntu" as well.
But still lxc-start fails:

    $ lxc-start -n t1 -F
    lxc-start: cgfs.c: lxc_cgroupfs_create: 849 Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/user.slice/user-1000.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/user.slice/user-1000.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset//user.slice/user-1000.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset//user.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/hugetlb/user.slice/user-1000.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/user.slice/user-1000.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/user.slice/user-1000.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/user.slice/user-1000.slice
    lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls,net_prio/user.slice/user-1000.slice
    lxc-start: start.c: lxc_spawn: 864 failed creating cgroups

Questions:

 - Why is it trying to *remove* the existing cgroups? It sounds wrong to fuzz around with those; I thought it would merely want and need to create new cgroups below those?
   And the ubuntu user can definitely do that:

       ubuntu@ulxc:~$ mkdir /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/mygroup
       ubuntu@ulxc:~$ ls -ld /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/mygroup
       drwxrwxr-x 2 ubuntu ubuntu 0 Nov 26 10:50 /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/mygroup

 - --logpriority debug --logfile /tmp/d doesn't really give much information either. stracing lxc-start only shows the rmdir() calls whose errors are shown above; it doesn't have any mkdir() or similar call which would show an attempt to create new cgroups?

** Also affects: lxc (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: lxc (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1346734

Title:
  Unprivileged LXC containers don't work under systemd

Status in "systemd" package in Ubuntu:
  Triaged

Bug description:
  With systemd 208, unprivileged containers stop working when running under systemd (working fine under upstart with cgmanager).

  Quoting Stephane Graber:

  In this setup, things don't work nearly as well. On login I'm only placed into the name=systemd cgroup and not in any of the others, which means that unprivileged LXC isn't usable.

  Martin suggested setting JoinControllers in /etc/systemd/system.conf but upon closer inspection, this isn't at all what we want. This setting is used to tell systemd what controllers to co-mount; by default this is set to cpu,cpuset (which caused the earlier cgmanager breakage). Even though this option isn't helpful for what we want (i.e.
  setting the list of cgroup controllers the first PID of a user session should be added to), we should nonetheless set it to an empty string, which should instruct systemd not to co-mount any controller, therefore giving us a more reliable behavior (identical to what we have in the upstart world and unlikely to confuse lxc and other stuff doing direct cgroup access).

  Additionally, we need to find an equivalent to our good old "Controllers" logind.conf option, or re-introduce it, or just patch logind so that it will always join all the controllers (similar to what the shim does).

  == Actions ==

  * Update systemd.conf to set JoinControllers to an empty value.
  * Make it so new user sessions are joined to all the available controllers by doing one of the following:
    - Find the magic undocumented config variable
    - Re-introduce the "Controllers" option in logind.conf
    - Patch logind to have it always join all available controllers

-- 
Mailing list: https://launchpad.net/~touch-packages
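The two conditions the report is checking by hand (is the login session placed in every cgroup v1 controller's user slice, and is that slice directory writable by the user so that lxc-start can create sub-cgroups) can be scripted. The following POSIX shell script is an added diagnostic example, not code from the bug report or from lxc/systemd. It assumes the cgroup v1 layout seen in the report (one hierarchy per subdirectory of /sys/fs/cgroup, `/proc/<pid>/cgroup` lines of the form `id:controllers:path`) and the `/user.slice/user-<uid>.slice` path that logind creates; the function names and the sample cgroup file are mine.

```shell
#!/bin/sh
# Diagnose why an unprivileged container cannot get its cgroups: which
# controllers leave the session outside its user slice, and which slice
# directories the user cannot write to.  (Added example; assumes cgroup v1.)

# controllers_under_path <cgroup-file> <slice-path>
# Print, one per line, every controller whose path in the file starts with
# <slice-path>.  Co-mounted controllers ("cpu,cpuacct") are split apart.
controllers_under_path() {
    awk -F: -v prefix="$2" '
        $2 != "" && index($3, prefix) == 1 {
            n = split($2, c, ",")
            for (i = 1; i <= n; i++) print c[i]
        }' "$1"
}

# missing_controllers <cgroup-file> <slice-path> <ctrl>...
# Print each expected controller that does NOT place the process under the
# slice.  In the report this prints "cpuset" (the process sits at "/").
missing_controllers() {
    file=$1; prefix=$2; shift 2
    present=$(controllers_under_path "$file" "$prefix")
    for want in "$@"; do
        echo "$present" | grep -qx "$want" || echo "$want"
    done
}

# unwritable_cgroup_dirs <cgroup-mountpoint> <relative-slice-path>
# For every hierarchy mounted under the mountpoint, report the slice directory
# if it is absent or not writable by the current user; lxc-start needs write
# access there to mkdir the container's own cgroup.
unwritable_cgroup_dirs() {
    root=$1; rel=$2
    for hier in "$root"/*/; do
        d="$hier$rel"
        if [ ! -d "$d" ]; then
            echo "$d (missing)"
        elif [ ! -w "$d" ]; then
            echo "$d"
        fi
    done
}

# Constructed sample: the /proc/$$/cgroup output quoted in the report, where
# the login shell is in every user slice except the cpuset hierarchy.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
10:devices:/user.slice/user-1000.slice
9:memory:/user.slice/user-1000.slice
8:cpuset:/
7:hugetlb:/user.slice/user-1000.slice
6:blkio:/user.slice/user-1000.slice
5:cpu,cpuacct:/user.slice/user-1000.slice
4:freezer:/user.slice/user-1000.slice
3:perf_event:/user.slice/user-1000.slice
2:net_cls,net_prio:/user.slice/user-1000.slice
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
EOF

echo "controllers not joined to the user slice:"
missing_controllers "$SAMPLE" /user.slice/user-1000.slice \
    devices memory cpuset hugetlb blkio cpu cpuacct freezer perf_event net_cls net_prio

# On a live cgroup v1 host, the same checks against the real session would be:
#   missing_controllers /proc/$$/cgroup /user.slice/user-$(id -u).slice cpu cpuset memory ...
#   unwritable_cgroup_dirs /sys/fs/cgroup user.slice/user-$(id -u).slice
```

A controller listed by `missing_controllers` is one where logind did not move the session, which is the state the bug describes; a directory listed by `unwritable_cgroup_dirs` is one where the "chown ubuntu" step in the preliminary patch has not yet taken effect.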