[libvirt] systemd, LXC and user namespaces
Daniel P. Berrange
berrange at redhat.com
Thu Feb 6 11:29:45 UTC 2014
On Thu, Feb 06, 2014 at 10:36:09AM +0100, Richard Weinberger wrote:
> Hi!
>
> I'm trying to get rid of a hack to make systemd (kind of) work in
> Linux containers on libvirt.
> The hack can be found in the first mail of [0].
> systemd folks told me that systemd needs a name=systemd cgroup [0],
> which makes perfect sense to me.
>
> I found that libvirt does this already, but uid 0 within the container
> is not allowed to access it. (Maybe as Kay noted a chmod() is missing)
> Now I'm wondering whether this is simply not supported in libvirt (I'm
> on 1.2.1) or am I doing something horribly wrong.
The configuration looks fine, provided that you have ensured
that your files in /home/container/my2ndcontainer/rootfs have
been chown'd to match the target UID/GID values you've set up.
Libvirt doesn't do chowning of any filesystems you provide,
only things it creates.
> This is my domain:
> ---cut---
> <domain type='lxc'>
> <name>my2ndcontainer</name>
> <memory>524288</memory>
> <os>
> <type>exe</type>
> <init>/bin/bash</init>
> </os>
> <idmap>
> <!-- here be dragons, the mapping is non-linear -->
> <uid start='0' target='100000' count='998'/>
> <gid start='0' target='100000' count='998'/>
> <uid start='65533' target='100998' count='2'/>
> <gid start='65533' target='100998' count='2'/>
> </idmap>
> <devices>
> <console type='pty'/>
> <filesystem type='mount'>
> <source dir='/home/container//my2ndcontainer/rootfs'/>
> <target dir='/'/>
> </filesystem>
> <interface type='bridge'>
> <source bridge='br0'/>
> <mac address='4a:19:0a:01:01:a4'/>
> </interface>
> </devices>
> </domain>
> ---cut---
>
> Within my domain:
> test1:/ # ls -la /sys/fs/cgroup/systemd
> total 0
> drwxr-xr-x 2 nobody nogroup 0 Feb 6 09:05 .
> drwxr-xr-x 11 root root 260 Feb 6 09:05 ..
> -rw-r--r-- 1 nobody nogroup 0 Feb 6 09:05 cgroup.clone_children
> --w--w--w- 1 nobody nogroup 0 Feb 6 09:05 cgroup.event_control
> -rw-r--r-- 1 nobody nogroup 0 Feb 6 09:05 cgroup.procs
> -rw-r--r-- 1 nobody nogroup 0 Feb 6 09:05 notify_on_release
> -rw-r--r-- 1 nobody nogroup 0 Feb 6 09:05 tasks
Ok, so this seems to confirm the guess I had in my response to your
mail on systemd-devel. Libvirt appears to have forgotten to chown
the cgroups directory to provide access to systemd. Hence the system
is remapping it to the overflow uid/gid.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
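The ownership check Daniel describes (everything libvirt is handed, such as the rootfs, has to be chowned into the idmap's target ranges, and any owner left outside the map shows up inside the container under the kernel overflow id, i.e. as nobody/nogroup), written out as an added example that is not code from this thread or from libvirt. It parses the `<idmap>` from the quoted domain XML and walks a host directory reporting entries the container will not own; the function names are my own and the domain fragment is constructed from the thread.

```python
import os
import xml.etree.ElementTree as ET

# Constructed domain fragment with the non-linear mapping quoted in the thread.
DOMAIN_XML = """<domain type='lxc'><idmap>
  <uid start='0' target='100000' count='998'/>
  <gid start='0' target='100000' count='998'/>
  <uid start='65533' target='100998' count='2'/>
  <gid start='65533' target='100998' count='2'/>
</idmap></domain>"""


def parse_idmap(xml_text):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]} from a domain XML."""
    root = ET.fromstring(xml_text)
    idmap = {"uid": [], "gid": []}
    for kind in idmap:
        for e in root.iterfind("./idmap/" + kind):
            idmap[kind].append((int(e.get("start")), int(e.get("target")), int(e.get("count"))))
    return idmap


def container_to_host(ctr_id, ranges):
    """Host-side id a container id maps to; None if the container id is not mapped
    (gaps in a non-linear map, e.g. 998..65532 above, have no host identity)."""
    for start, target, count in ranges:
        if start <= ctr_id < start + count:
            return target + (ctr_id - start)
    return None


def host_to_container(host_id, ranges):
    """Id the container sees for a host-side owner; None if it is outside every range,
    in which case the kernel shows the overflow id (65534, nobody/nogroup) instead."""
    for start, target, count in ranges:
        if target <= host_id < target + count:
            return start + (host_id - target)
    return None


def unmapped_entries(path, idmap):
    """Walk a host directory (e.g. the rootfs, or a cgroup directory libvirt created)
    and list entries whose owner or group is not covered by the idmap."""
    bad = []
    for dirpath, _dirs, files in os.walk(path):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            if (host_to_container(st.st_uid, idmap["uid"]) is None
                    or host_to_container(st.st_gid, idmap["gid"]) is None):
                bad.append((p, st.st_uid, st.st_gid))
    return bad
```

Run `unmapped_entries("/home/container/my2ndcontainer/rootfs", parse_idmap(open(domain_xml).read()))` on the host to get the list of files to chown; a directory still owned by host uid 0 (like the cgroup directory in the listing above) is exactly what it flags.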