[libvirt] systemd, LXC and user namespaces

Richard Weinberger richard.weinberger at gmail.com
Thu Feb 6 09:36:09 UTC 2014


Hi!

I'm trying to get rid of a hack to make systemd (kind of) work in
Linux containers on libvirt.
The hack can be found in the first mail of [0].
systemd folks told me that systemd needs a name=systemd cgroup [0],
which makes perfect sense to me.

I found that libvirt does this already, but uid 0 within the container
is not allowed to access it. (Maybe, as Kay noted, a chmod() is missing.)
Now I'm wondering whether this is simply not supported in libvirt (I'm
on 1.2.1) or whether I'm doing something horribly wrong.

This is my domain:
---cut---
<domain type='lxc'>
        <name>my2ndcontainer</name>
        <memory>524288</memory>
        <os>
                <type>exe</type>
                <init>/bin/bash</init>
        </os>
        <idmap>
                <!-- here be dragons, the mapping is non-linear -->
                <uid start='0' target='100000' count='998'/>
                <gid start='0' target='100000' count='998'/>
                <uid start='65533' target='100998' count='2'/>
                <gid start='65533' target='100998' count='2'/>
        </idmap>
        <devices>
                <console type='pty'/>
                <filesystem type='mount'>
                        <source dir='/home/container//my2ndcontainer/rootfs'/>
                        <target dir='/'/>
                </filesystem>
                <interface type='bridge'>
                        <source bridge='br0'/>
                        <mac address='4a:19:0a:01:01:a4'/>
                </interface>
        </devices>
</domain>
---cut---

Within my domain:

---cut---
test1:/ # mount
/dev/vda2 on / type ext4 (rw,relatime,data=ordered)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,relatime)
sysfs on /sys type sysfs (ro,relatime)
libvirt on /proc/meminfo type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=64k,mode=755,uid=100000,gid=100000)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
devfs on /dev type tmpfs (rw,nosuid,relatime,size=64k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666)
devpts on /dev/ptmx type devpts (rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666)
test1:/ # ls -la /sys/fs/cgroup/systemd
total 0
drwxr-xr-x  2 nobody nogroup   0 Feb  6 09:05 .
drwxr-xr-x 11 root   root    260 Feb  6 09:05 ..
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 cgroup.clone_children
--w--w--w-  1 nobody nogroup   0 Feb  6 09:05 cgroup.event_control
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 cgroup.procs
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 notify_on_release
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 tasks
test1:/ # exec /sbin/init
systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX
-IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to openSUSE 13.1 (Bottle) (x86_64)!

Set hostname to <my2ndcontainer>.
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: Permission denied
Failed to allocate manager object: Permission denied
---cut---

You can see that systemd stops executing because it was unable to
write to /sys/fs/cgroup/systemd.

Is this a configuration issue or does libvirt need some changes?

[0] http://lists.freedesktop.org/archives/systemd-devel/2014-February/016699.html

-- 
Thanks,
//richard
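An added example, not part of Richard's mail and not libvirt or systemd code: a small POSIX shell model of the uid translation that the <idmap> in the domain XML above produces, used to predict whether the container's uid 0 can write a host-owned path such as the name=systemd cgroup directory. It assumes the map is exactly the one in the XML (expressed in /proc/PID/uid_map form, "ns_start host_start count"), that the gid map mirrors the uid map (as it does in the XML), that the kernel overflow id is the default 65534 (/proc/sys/kernel/overflowuid), and that the directory listed as nobody:nogroup is owned on the host by root with mode 755; the ls output only proves that its owner is not mapped into the container.

```shell
#!/bin/sh
# Added example for this thread, not libvirt or systemd code.
# Models how the kernel translates ids across the user namespace built from
# the <idmap> above, so you can predict which host-owned paths the
# container's uid 0 will be able to write (e.g. the name=systemd cgroup).

# Constructed from the domain XML above, in /proc/PID/uid_map form.
IDMAP="0 100000 998
65533 100998 2"
# Assumption: kernel default overflow id (/proc/sys/kernel/overflowuid).
OVERFLOW_ID=65534

# host_to_ns HOST_UID: print the uid the container sees for a host uid.
# Unmapped host uids are squashed to OVERFLOW_ID, which is why a directory
# owned by host root shows up as "nobody" inside the container.
# Exit status 1 means "not mapped".
host_to_ns() {
    host_id=$1
    while read -r ns_start host_start count; do
        [ -n "$ns_start" ] || continue
        if [ "$host_id" -ge "$host_start" ] && \
           [ "$host_id" -lt $((host_start + count)) ]; then
            echo $((host_id - host_start + ns_start))
            return 0
        fi
    done <<EOF
$IDMAP
EOF
    echo "$OVERFLOW_ID"
    return 1
}

# ns_to_host NS_UID: print the host uid backing a container uid (the value
# to chown a path to on the host so the container's uid 0 owns it).
# Exit status 1 if the container uid has no mapping at all.
ns_to_host() {
    ns_id=$1
    while read -r ns_start host_start count; do
        [ -n "$ns_start" ] || continue
        if [ "$ns_id" -ge "$ns_start" ] && \
           [ "$ns_id" -lt $((ns_start + count)) ]; then
            echo $((ns_id - ns_start + host_start))
            return 0
        fi
    done <<EOF
$IDMAP
EOF
    return 1
}

# root_can_write HOST_UID HOST_GID OCTAL_MODE: succeed if the container's
# uid 0 can write a path with that host owner, group and mode.
# Container root holds CAP_DAC_OVERRIDE, but the kernel only honours it for
# inodes whose owner AND group are both mapped into the namespace; for
# anything else plain DAC bits decide, with unmapped ids never matching.
# The gid map is assumed to mirror the uid map, so host_to_ns is reused.
root_can_write() {
    h_uid=$1; h_gid=$2; mode=$3
    ns_uid=$(host_to_ns "$h_uid") && uid_mapped=1 || uid_mapped=0
    ns_gid=$(host_to_ns "$h_gid") && gid_mapped=1 || gid_mapped=0
    if [ "$uid_mapped" -eq 1 ] && [ "$gid_mapped" -eq 1 ]; then
        return 0
    fi
    perm=$(( 0$mode ))          # leading 0 forces octal interpretation
    if [ "$ns_uid" -eq 0 ]; then
        bit=$(( perm & 0200 ))  # owner write bit
    elif [ "$ns_gid" -eq 0 ]; then
        bit=$(( perm & 020 ))   # group write bit
    else
        bit=$(( perm & 02 ))    # other write bit
    fi
    [ "$bit" -ne 0 ]
}

# Report for the directory in the ls output above, assumed to be host 0:0
# with mode 755 (drwxr-xr-x).
if root_can_write 0 0 755; then
    echo "container root can write the systemd cgroup directory"
else
    echo "container root cannot write it: host owner 0 appears as uid $(host_to_ns 0)"
    echo "fix on the host: chown $(ns_to_host 0):$(ns_to_host 0) <cgroup dir>"
fi
```

The non-linear map is where the "dragons" live: host uid 100999 is legitimately mapped to container uid 65534, but the kernel also reports 65534 for every unmapped host id, so from inside the container a file owned by host 100999 and a file owned by host root are indistinguishable by ownership alone. The mount table above shows the two cases side by side: the /sys/fs/cgroup tmpfs was mounted with uid=100000 and so lists as root:root, while the systemd controller directory below it lists as nobody:nogroup and is exactly the path systemd fails to create its hierarchy in.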
