Hi!

I'm trying to get rid of a hack to make systemd (kind of) work in Linux containers on libvirt.
The hack can be found in the first mail of [0].

systemd folks told me that systemd needs a name=systemd cgroup [0], which makes perfect sense to me.
I found that libvirt does this already, but uid 0 within the container is not allowed to access it.
(Maybe as Kay noted a chmod() is missing)
Now I'm wondering whether this is simply not supported in libvirt (I'm on 1.2.1) or am I doing something horribly wrong.

This is my domain:
---cut---
<domain type='lxc'>
  <name>my2ndcontainer</name>
  <memory>524288</memory>
  <os>
    <type>exe</type>
    <init>/bin/bash</init>
  </os>
  <idmap>
    <!-- here be dragons, the mapping is non-linear -->
    <uid start='0' target='100000' count='998'/>
    <gid start='0' target='100000' count='998'/>
    <uid start='65533' target='100998' count='2'/>
    <gid start='65533' target='100998' count='2'/>
  </idmap>
  <devices>
    <console type='pty'/>
    <filesystem type='mount'>
      <source dir='/home/container//my2ndcontainer/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <source bridge='br0'/>
      <mac address='4a:19:0a:01:01:a4'/>
    </interface>
  </devices>
</domain>
---cut---

Within my domain:
---cut---
test1:/ # mount
/dev/vda2 on / type ext4 (rw,relatime,data=ordered)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,relatime)
sysfs on /sys type sysfs (ro,relatime)
libvirt on /proc/meminfo type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=64k,mode=755,uid=100000,gid=100000)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
devfs on /dev type tmpfs (rw,nosuid,relatime,size=64k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666)
devpts on /dev/ptmx type devpts (rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666)
test1:/ # ls -la /sys/fs/cgroup/systemd
total 0
drwxr-xr-x  2 nobody nogroup   0 Feb  6 09:05 .
drwxr-xr-x 11 root   root    260 Feb  6 09:05 ..
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 cgroup.clone_children
--w--w--w-  1 nobody nogroup   0 Feb  6 09:05 cgroup.event_control
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 cgroup.procs
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 notify_on_release
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 tasks
test1:/ # exec /sbin/init
systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX -IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to openSUSE 13.1 (Bottle) (x86_64)!

Set hostname to <my2ndcontainer>.
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: Permission denied
Failed to allocate manager object: Permission denied
---cut---

You can see that systemd stops executing because it was unable to write to /sys/fs/cgroup/systemd.
Is this a configuration issue or does libvirt need some changes?

[0] http://lists.freedesktop.org/archives/systemd-devel/2014-February/016699.html

--
Thanks,
//richard
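Added example (not part of the original message and not libvirt code): a Python sketch that applies the `<idmap>` from the domain XML above to show how a directory owned by an unmapped host ID appears as nobody/nogroup inside the container and is not owned by container uid 0. It assumes the host created /sys/fs/cgroup/systemd as host uid 0 and that the overflow ID is the kernel default 65534; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid, shown as nobody/nogroup

# The <idmap> element from the domain XML in the message above.
IDMAP_XML = """
<idmap>
  <uid start='0' target='100000' count='998'/>
  <gid start='0' target='100000' count='998'/>
  <uid start='65533' target='100998' count='2'/>
  <gid start='65533' target='100998' count='2'/>
</idmap>
"""

def parse_idmap(xml_text, kind="uid"):
    """Return [(container_start, host_start, count), ...] for 'uid' or 'gid'."""
    root = ET.fromstring(xml_text)
    return [(int(e.get("start")), int(e.get("target")), int(e.get("count")))
            for e in root.findall(kind)]

def host_to_container(host_id, ranges):
    """ID that a process inside the namespace sees for a host-owned file."""
    for start, target, count in ranges:
        if target <= host_id < target + count:
            return start + (host_id - target)
    return OVERFLOW_ID  # unmapped owner: the kernel reports the overflow ID

def container_to_host(cont_id, ranges):
    """Host ID behind a container ID, or None if that ID has no mapping."""
    for start, target, count in ranges:
        if start <= cont_id < start + count:
            return target + (cont_id - start)
    return None

def can_write_as_owner(container_uid, file_host_uid, ranges):
    """True if the container uid is the file's owner (owner-write bit assumed set)."""
    return container_to_host(container_uid, ranges) == file_host_uid

if __name__ == "__main__":
    uids = parse_idmap(IDMAP_XML, "uid")
    # Assumption: the host created /sys/fs/cgroup/systemd as host uid 0.
    print("host uid 0 seen inside as:", host_to_container(0, uids))
    print("container uid 0 is host uid:", container_to_host(0, uids))
    print("container root owns it:", can_write_as_owner(0, 0, uids))
    print("after chown to 100000:", can_write_as_owner(0, 100000, uids))
```

The tmpfs at /sys/fs/cgroup in the mount output carries uid=100000,gid=100000, which under this mapping is container uid/gid 0 and matches the `root root` owner of `..` in the listing.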