[libvirt-users] [libvirt] LXC, user namespaces and systemd

Dariusz Michaluk d.michaluk at samsung.com
Mon Mar 3 14:52:01 UTC 2014


Hi.

Another week, another experiment ;) I was trying to run a systemd user 
session for a non-root user, for example darek (uid=1000); the operation 
failed with this error:

systemd[26]: pam_unix(systemd-user:session): session opened for user darek by (uid=0)
systemd[1]: Started Login Service.
systemd[26]: Failed to create root cgroup hierarchy: Permission denied
systemd[26]: Failed to allocate manager object: Permission denied
systemd[29]: pam_unix(systemd-user:session): session closed for user darek

The Cgroup hierarchy for the machine looks as follows:

├─machine.slice
│ └─machine-lxc\x2dmycontainer.scope
│   ├─17303 /usr/libexec/libvirt_lxc --name mycontainer --console 22 --security=selinux --handshake 25 --background
│   └─machine.slice
│     └─machine-lxc\x2dmycontainer.scope
│       ├─17306 /usr/lib/systemd/systemd
│       ├─machine.slice
│       │ └─machine-lxc\x2dmycontainer.scope
│       │   └─user.slice
│       │     └─user-0.slice
│       │       └─user@0.service
│       │         └─17400 /usr/lib/systemd/systemd --user
│       ├─system.slice
│       │ ├─systemd-logind.service
│       │ │ └─17373 /usr/lib/systemd/systemd-logind
│       │ ├─dbus.service
│       │ │ └─17372 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│       │ ├─sshd.service
│       │ │ └─17379 /usr/sbin/sshd -D
│       │ └─systemd-journald.service
│       │   └─17348 /usr/lib/systemd/systemd-journald
│       └─user.slice
│         └─user-0.slice
│           ├─session-c1.scope
│           │ ├─17377 login -- root
│           │ └─17413 -bash
│           └─user@0.service
│             └─17412 (sd-pam)

Then I repeated the test, but using systemd-nspawn; this time the operation 
was successful:

systemd[25]: pam_unix(systemd-user:session): session opened for user darek by (uid=0)

In this case the Cgroup hierarchy is somewhat different, as shown below:

├─machine.slice
│ └─machine-mycontainer.scope
│   ├─17054 /usr/lib/systemd/systemd
│   ├─system.slice
│   │ ├─systemd-logind.service
│   │ │ └─17099 /usr/lib/systemd/systemd-logind
│   │ ├─dbus.service
│   │ │ └─17098 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│   │ ├─sshd.service
│   │ │ └─17103 /usr/sbin/sshd -D
│   │ └─systemd-journald.service
│   │   └─17069 /usr/lib/systemd/systemd-journald
│   └─user.slice
│     ├─user-0.slice
│     │ ├─session-55.scope
│     │ │ ├─17110 login -- root
│     │ │ └─17160 -bash
│     │ └─user@0.service
│     │   ├─17147 /usr/lib/systemd/systemd --user
│     │   └─17155 (sd-pam)
│     └─user-1000.slice
│       └─user@1000.service
│         ├─17109 /usr/lib/systemd/systemd --user
│         └─17116 (sd-pam)

It looks like libvirt creates a bad cgroup hierarchy (according to 
http://libvirt.org/cgroups.html). What do you think?

Regards.
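The difference between the two trees above is that under libvirt LXC the path of every process inside the container re-enters machine.slice/machine-lxc\x2dmycontainer.scope, while under systemd-nspawn each scope appears once. The following script is an added example, not code from the post or from libvirt: it parses systemd-cgls style output (assumed layout: two columns per tree level, entries hanging off "├─"/"└─", process leaves written as "<pid> <cmdline>"), rebuilds each process's cgroup path and reports the PIDs whose path contains the same *.scope name more than once. The two sample trees are the ones posted above, with the wrapped command lines rejoined and the list archive's "user at 0" restored to "user@0".

```python
"""Parse systemd-cgls style output and flag re-entered machine scopes.

Added example, not code from the original post or from libvirt. Assumes the
layout shown in the post: two columns per tree level, entries after "├─"/"└─".
"""
import re

_BRANCH = re.compile("[├└]─")        # start of a tree entry
_PROC = re.compile(r"(\d+)\s+(.*)")   # "<pid> <cmdline>" leaf

# Constructed sample input: the two trees from the post, with wrapped
# command lines rejoined and the list archive's "user at 0" restored to "user@0".
LIBVIRT_TREE = r"""
├─machine.slice
│ └─machine-lxc\x2dmycontainer.scope
│   ├─17303 /usr/libexec/libvirt_lxc --name mycontainer --console 22 --security=selinux --handshake 25 --background
│   └─machine.slice
│     └─machine-lxc\x2dmycontainer.scope
│       ├─17306 /usr/lib/systemd/systemd
│       ├─machine.slice
│       │ └─machine-lxc\x2dmycontainer.scope
│       │   └─user.slice
│       │     └─user-0.slice
│       │       └─user@0.service
│       │         └─17400 /usr/lib/systemd/systemd --user
│       ├─system.slice
│       │ ├─systemd-logind.service
│       │ │ └─17373 /usr/lib/systemd/systemd-logind
│       │ ├─dbus.service
│       │ │ └─17372 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│       │ ├─sshd.service
│       │ │ └─17379 /usr/sbin/sshd -D
│       │ └─systemd-journald.service
│       │   └─17348 /usr/lib/systemd/systemd-journald
│       └─user.slice
│         └─user-0.slice
│           ├─session-c1.scope
│           │ ├─17377 login -- root
│           │ └─17413 -bash
│           └─user@0.service
│             └─17412 (sd-pam)
"""

NSPAWN_TREE = r"""
├─machine.slice
│ └─machine-mycontainer.scope
│   ├─17054 /usr/lib/systemd/systemd
│   ├─system.slice
│   │ ├─systemd-logind.service
│   │ │ └─17099 /usr/lib/systemd/systemd-logind
│   │ ├─dbus.service
│   │ │ └─17098 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│   │ ├─sshd.service
│   │ │ └─17103 /usr/sbin/sshd -D
│   │ └─systemd-journald.service
│   │   └─17069 /usr/lib/systemd/systemd-journald
│   └─user.slice
│     ├─user-0.slice
│     │ ├─session-55.scope
│     │ │ ├─17110 login -- root
│     │ │ └─17160 -bash
│     │ └─user@0.service
│     │   ├─17147 /usr/lib/systemd/systemd --user
│     │   └─17155 (sd-pam)
│     └─user-1000.slice
│       └─user@1000.service
│         ├─17109 /usr/lib/systemd/systemd --user
│         └─17116 (sd-pam)
"""

def parse_cgls(text):
    """Return [(pid, cmdline, cgroup_path)] for every process in the tree."""
    stack, procs = [], []            # stack[i] = cgroup name at depth i
    for line in text.splitlines():
        m = _BRANCH.search(line)
        if not m:                    # blank or wrapped continuation line
            continue
        depth = m.start() // 2
        entry = line[m.end():].strip()
        del stack[depth:]            # leave any deeper subtree
        proc = _PROC.match(entry)
        if proc:
            procs.append((int(proc.group(1)), proc.group(2), "/" + "/".join(stack)))
        else:
            stack.append(entry)      # slice / scope / service node
    return procs

def scope_repeats(cgroup_path):
    """Largest number of times one *.scope name recurs along a cgroup path."""
    scopes = [c for c in cgroup_path.split("/") if c.endswith(".scope")]
    return max((scopes.count(s) for s in set(scopes)), default=0)

def nested_scope_pids(procs):
    """PIDs whose cgroup path re-enters a scope they are already inside."""
    return sorted(pid for pid, _, path in procs if scope_repeats(path) > 1)
```

On the libvirt tree, nested_scope_pids(parse_cgls(LIBVIRT_TREE)) returns every PID except 17303 (the libvirt_lxc helper itself, which sits in the scope only once); the container's own systemd (17306) is two scopes deep and the user manager (17400) three. On the nspawn tree it returns an empty list. Real systemd-cgls output from the host can be passed to parse_cgls in place of the embedded samples.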



