[libvirt] systemd, LXC and user namespaces

Daniel P. Berrange berrange at redhat.com
Thu Feb 6 11:29:45 UTC 2014


On Thu, Feb 06, 2014 at 10:36:09AM +0100, Richard Weinberger wrote:
> Hi!
> 
> I'm trying to get rid of a hack to make systemd (kind of) work in
> Linux containers on libvirt.
> The hack can be found in the first mail of [0].
> systemd folks told me that systemd needs a name=systemd cgroup [0],
> which makes perfect sense to me.
> 
> I found that libvirt does this already, but uid 0 within the container
> is not allowed to access it. (Maybe, as Kay noted, a chmod() is missing.)
> Now I'm wondering whether this is simply not supported in libvirt (I'm
> on 1.2.1) or whether I am doing something horribly wrong.

The configuration looks fine, provided that you have ensured
that your files in /home/container/my2ndcontainer/rootfs have
been chown'd to match the target UID/GID values you've set up.
Libvirt doesn't do chowning of any filesystems you provide,
only things it creates.

> This is my domain:
> ---cut---
> <domain type='lxc'>
>         <name>my2ndcontainer</name>
>         <memory>524288</memory>
>         <os>
>                 <type>exe</type>
>                 <init>/bin/bash</init>
>         </os>
>         <idmap>
>                 <!-- here be dragons, the mapping is non-linear -->
>                 <uid start='0' target='100000' count='998'/>
>                 <gid start='0' target='100000' count='998'/>
>                 <uid start='65533' target='100998' count='2'/>
>                 <gid start='65533' target='100998' count='2'/>
>         </idmap>
>         <devices>
>                 <console type='pty'/>
>                 <filesystem type='mount'>
>                         <source dir='/home/container//my2ndcontainer/rootfs'/>
>                         <target dir='/'/>
>                 </filesystem>
>                 <interface type='bridge'>
>                         <source bridge='br0'/>
>                         <mac address='4a:19:0a:01:01:a4'/>
>                 </interface>
>         </devices>
> </domain>
> ---cut---
> 
> Within my domain:

> test1:/ # ls -la /sys/fs/cgroup/systemd
> total 0
> drwxr-xr-x  2 nobody nogroup   0 Feb  6 09:05 .
> drwxr-xr-x 11 root   root    260 Feb  6 09:05 ..
> -rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 cgroup.clone_children
> --w--w--w-  1 nobody nogroup   0 Feb  6 09:05 cgroup.event_control
> -rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 cgroup.procs
> -rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 notify_on_release
> -rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 tasks

Ok, so this seems to confirm the guess I had in my response to your
mail on systemd-devel.  Libvirt appears to have forgotten to chown
the cgroups directory to provide access to systemd. Hence the kernel
is remapping it to the overflow uid/gid.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
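The thread above comes down to id-mapping arithmetic: host uid 0 (the owner libvirt left on the cgroup directory) has no entry in the container's <idmap>, so the kernel shows it inside the container as the overflow id, which /etc/passwd renders as nobody/nogroup. The following script is an added example, not libvirt code and not from the poster, that reproduces that reasoning from the domain XML in the post: it parses the <uid>/<gid> ranges, predicts what id a host-owned path will appear as inside the container, and reports which host ids a path must be chown'd to so that container root owns it. The overflow value 65534 is the default of /proc/sys/kernel/overflowuid and is assumed rather than read from the running host.

```python
"""Added example (not libvirt code): reason about a libvirt <idmap> the way
the kernel does, so you can predict how a host-owned path such as the
systemd cgroup directory will look to uid 0 inside the container."""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Default /proc/sys/kernel/overflowuid; ids with no mapping show up as this
# (assumed, not read from the host).
OVERFLOW_ID = 65534

# The <idmap> from the domain definition posted above, embedded so the
# script runs offline.
DOMAIN_XML = """<domain type='lxc'>
  <name>my2ndcontainer</name>
  <idmap>
    <uid start='0' target='100000' count='998'/>
    <gid start='0' target='100000' count='998'/>
    <uid start='65533' target='100998' count='2'/>
    <gid start='65533' target='100998' count='2'/>
  </idmap>
</domain>"""


@dataclass(frozen=True)
class IdRange:
    start: int   # first id as seen inside the container
    target: int  # first id on the host
    count: int

    def contains_container(self, cid: int) -> bool:
        return self.start <= cid < self.start + self.count

    def contains_host(self, hid: int) -> bool:
        return self.target <= hid < self.target + self.count


def parse_idmap(domain_xml: str, kind: str) -> List[IdRange]:
    """Return the <uid> or <gid> ranges (kind = 'uid' | 'gid') of a domain."""
    root = ET.fromstring(domain_xml)
    ranges = [IdRange(int(e.get("start")), int(e.get("target")), int(e.get("count")))
              for e in root.findall(f"./idmap/{kind}")]
    ranges.sort(key=lambda r: r.start)
    # The kernel rejects overlapping container-side ranges when uid_map is
    # written; catch that here rather than at container start.
    for a, b in zip(ranges, ranges[1:]):
        if a.start + a.count > b.start:
            raise ValueError(f"overlapping {kind} ranges: {a} and {b}")
    return ranges


def host_to_container(hid: int, ranges: List[IdRange]) -> int:
    """Id the container sees for a host id; OVERFLOW_ID when unmapped."""
    for r in ranges:
        if r.contains_host(hid):
            return r.start + (hid - r.target)
    return OVERFLOW_ID


def container_to_host(cid: int, ranges: List[IdRange]) -> Optional[int]:
    """Host id backing a container id, or None if the container id is unmapped."""
    for r in ranges:
        if r.contains_container(cid):
            return r.target + (cid - r.start)
    return None


def audit_path(path: str, uid_ranges: List[IdRange], gid_ranges: List[IdRange]) -> dict:
    """Stat a host path and report how container root will see its owner."""
    st = os.stat(path)
    cuid = host_to_container(st.st_uid, uid_ranges)
    cgid = host_to_container(st.st_gid, gid_ranges)
    return {
        "host_uid": st.st_uid, "host_gid": st.st_gid,
        "container_uid": cuid, "container_gid": cgid,
        # Container root owns the path only if its owner maps to container uid 0.
        "owned_by_container_root": cuid == 0,
        # Host uid/gid to chown to so that container root becomes the owner.
        "chown_to": (container_to_host(0, uid_ranges), container_to_host(0, gid_ranges)),
    }


if __name__ == "__main__":
    import sys
    uids = parse_idmap(DOMAIN_XML, "uid")
    gids = parse_idmap(DOMAIN_XML, "gid")
    # Host root is unmapped, so the container sees it as the overflow id.
    print("host uid 0 appears inside the container as", host_to_container(0, uids))
    print("container root is backed by host uid", container_to_host(0, uids))
    for p in sys.argv[1:]:  # e.g. the host-side cgroup directory of the domain
        print(p, audit_path(p, uids, gids))
```

Run it with the host-side path of the container's cgroup directory (or any bind-mounted rootfs) as an argument: a result with `owned_by_container_root: False` and `container_uid: 65534` is exactly the `nobody nogroup` listing in the post, and `chown_to` gives the host ids to apply. Note that with this particular non-linear map, container ids 65533 and 65534 are themselves mapped (to host 100998/100999), which is why `nobody`/`nogroup` resolve at all inside the container.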