Re: [libvirt] LXC, user namespaces and systemd

Hi.

Another week, another experiment ;) I was trying to run a systemd user session for a non-root user, for example darek (uid=1000); the operation failed with this error:

systemd[26]: pam_unix(systemd-user:session): session opened for user darek by (uid=0)
systemd[1]: Started Login Service.
systemd[26]: Failed to create root cgroup hierarchy: Permission denied
systemd[26]: Failed to allocate manager object: Permission denied
systemd[29]: pam_unix(systemd-user:session): session closed for user darek

The Cgroup hierarchy for the machine looks as follows:

├─machine.slice
│ └─machine-lxc\x2dmycontainer.scope
│   ├─17303 /usr/libexec/libvirt_lxc --name mycontainer --console 22 --security=selinux --handshake 25 --background
│   └─machine.slice
│     └─machine-lxc\x2dmycontainer.scope
│       ├─17306 /usr/lib/systemd/systemd
│       ├─machine.slice
│       │ └─machine-lxc\x2dmycontainer.scope
│       │   └─user.slice
│       │     └─user-0.slice
│       │       └─user@0.service
│       │         └─17400 /usr/lib/systemd/systemd --user
│       ├─system.slice
│       │ ├─systemd-logind.service
│       │ │ └─17373 /usr/lib/systemd/systemd-logind
│       │ ├─dbus.service
│       │ │ └─17372 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│       │ ├─sshd.service
│       │ │ └─17379 /usr/sbin/sshd -D
│       │ └─systemd-journald.service
│       │   └─17348 /usr/lib/systemd/systemd-journald
│       └─user.slice
│         └─user-0.slice
│           ├─session-c1.scope
│           │ ├─17377 login -- root
│           │ └─17413 -bash
│           └─user@0.service
│             └─17412 (sd-pam)

Then I repeated the test, but using systemd-nspawn; the operation was successful:

systemd[25]: pam_unix(systemd-user:session): session opened for user darek by (uid=0)

In this case the Cgroup hierarchy is somewhat different, as shown below:

├─machine.slice
│ └─machine-mycontainer.scope
│   ├─17054 /usr/lib/systemd/systemd
│   ├─system.slice
│   │ ├─systemd-logind.service
│   │ │ └─17099 /usr/lib/systemd/systemd-logind
│   │ ├─dbus.service
│   │ │ └─17098 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│   │ ├─sshd.service
│   │ │ └─17103 /usr/sbin/sshd -D
│   │ └─systemd-journald.service
│   │   └─17069 /usr/lib/systemd/systemd-journald
│   └─user.slice
│     ├─user-0.slice
│     │ ├─session-55.scope
│     │ │ ├─17110 login -- root
│     │ │ └─17160 -bash
│     │ └─user@0.service
│     │   ├─17147 /usr/lib/systemd/systemd --user
│     │   └─17155 (sd-pam)
│     └─user-1000.slice
│       └─user@1000.service
│         ├─17109 /usr/lib/systemd/systemd --user
│         └─17116 (sd-pam)

It looks like libvirt creates a bad cgroup hierarchy (according to http://libvirt.org/cgroups.html). What do you think?

Regards.

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
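As an added example (not part of the original post or of libvirt), here is a small Python check that parses systemd-cgls style output like the two trees quoted above and reports, per process, which cgroup units appear nested inside themselves on that process's path. The two embedded trees are constructed abridgements of the output shown in the post, with the indentation normalised to two characters per level.

```python
import re
from collections import Counter

# Constructed abridgement of the libvirt LXC tree from the post.
LIBVIRT_TREE = r"""
├─machine.slice
│ └─machine-lxc\x2dmycontainer.scope
│   ├─17303 /usr/libexec/libvirt_lxc --name mycontainer
│   └─machine.slice
│     └─machine-lxc\x2dmycontainer.scope
│       ├─17306 /usr/lib/systemd/systemd
│       └─user.slice
│         └─user-0.slice
│           └─user@0.service
│             └─17400 /usr/lib/systemd/systemd --user
"""

# Constructed abridgement of the systemd-nspawn tree from the post.
NSPAWN_TREE = r"""
├─machine.slice
│ └─machine-mycontainer.scope
│   ├─17054 /usr/lib/systemd/systemd
│   └─user.slice
│     └─user-1000.slice
│       └─user@1000.service
│         └─17109 /usr/lib/systemd/systemd --user
"""

def parse_tree(text):
    """Turn systemd-cgls style output into {pid: [cgroup names from the root]}."""
    procs = {}
    stack = []  # cgroup names of the current ancestry, one entry per depth
    for line in text.splitlines():
        m = re.match(r"^((?:[│ ] )*)[├└]─(.*)$", line)
        if not m:
            continue
        depth = len(m.group(1)) // 2  # each tree level is two characters wide
        label = m.group(2)
        del stack[depth:]             # climb back up to this depth
        if label[:1].isdigit():       # "17303 /usr/..." is a process, not a cgroup
            procs[int(label.split()[0])] = list(stack)
        else:
            stack.append(label)
    return procs

def nested_units(path):
    """Return the .slice/.scope names that occur more than once along one cgroup path."""
    counts = Counter(n for n in path if n.endswith((".scope", ".slice")))
    return sorted(n for n, c in counts.items() if c > 1)

def check(text):
    """Map each pid in the tree to the units that are nested inside themselves."""
    return {pid: nested_units(path) for pid, path in parse_tree(text).items()}
```

The same nested_units() check can be applied to a live process by splitting the path found in /proc/<pid>/cgroup on "/".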
