On Thu, Oct 27, 2022 at 1:40 PM Arseny Maslennikov <ar@xxxxxxxxx> wrote:

> It had successfully reached this mailing list by 2022-Oct-25, so that
> means you're not subscribed to the list. Strangely enough,
> the mail receiver rejects emails from non-subscribers, so you wouldn't
> be able to reach out to the list at all.

I'm subscribed, and received your second email. Probably some sort of a
glitch. I just decided to notify you, just in case.

> I'll try to explain what I can. I suppose there's someone in the world
> who has really hit the problems described below and is in a better
> position to comment, or provide links to available resources where the
> experience is documented for the perusal of the community.

Thanks for your replies, things are a bit clearer at the moment. And yeah,
I'll probably ask the lxc guys as well. But let me add here what I've
learned so far, in case someone has anything to add.

Locally it works w/o systemd-run, although there's one warning when running
lxc-start (apparently non-fatal):

lxc-start c 20221030073216.345 WARN start - ../src/lxc/start.c:lxc_spawn:1832 - Operation not permitted - Failed to allocate new network namespace id

On the server w/o systemd-run (these are probably also non-fatal):

lxc-start c 20221030114914.612 WARN apparmor - lsm/apparmor.c:lsm_apparmor_ops_init:1275 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc-start c 20221030114914.626 WARN start - start.c:lxc_spawn:1835 - Operation not permitted - Failed to allocate new network namespace id

But in the container's console I see:

Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[[0;1;31m!!!!!![0m] Failed to mount API filesystems.
Exiting PID 1...

From what you said it looks like Delegate=yes is not about permissions, but
about not stepping on someone else's toes. Yet on the server from the console
output it looks like it's about permissions. However that might be a result
of stepping on someone else's toes. I'm not sure.

There's also a related issue. I tried to launch a container locally from
another user (useradd + su), and it failed:

lxc-start c 20221030074222.316 ERROR cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1232 - Failed to connect to user bus: No medium found
lxc-start c 20221030074222.326 WARN start - ../src/lxc/start.c:lxc_spawn:1832 - Operation not permitted - Failed to allocate new network namespace id

The console output:

Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[^[[0;1;31m!!!!!!^[[0m] Failed to mount API filesystems.
Exiting PID 1...

Which somewhat reminds me of what I saw on the server. But when I tried it
with systemd-run (under this other user), systemd-run failed:

Failed to connect to bus: No medium found

More detailed logs can be found here:
https://gist.github.com/x-yuri/a6d31154df07405de97217ba75c1ff0f

Regards,
Yuri
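As an added example (not part of this email, nor of lxc or systemd), a small POSIX shell helper that checks the two host-side preconditions behind the errors quoted above: a reachable per-user D-Bus socket (what `systemd-run --user` and lxc's unpriv_systemd_create_scope need; "No medium found" is sd-bus failing to find a bus address) and cgroup controllers delegated to the user's systemd instance. It assumes a cgroup v2 host and the standard systemd paths `/run/user/$UID/bus` and `/sys/fs/cgroup/user.slice/user-$UID.slice/user@$UID.service`; the ROOT prefix argument exists only so it can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original thread. Assumes a cgroup v2
# host and the standard systemd paths. ROOT is a path prefix: "" on a live
# system, or a constructed directory tree when testing offline.

# user_bus_available ROOT UID: succeeds if the per-user D-Bus socket exists.
# Without it, sd-bus clients report "No medium found" (ENOMEDIUM); a plain
# `su` typically lands you here because it does not start a logind session.
user_bus_available() {
  [ -e "$1/run/user/$2/bus" ]
}

# delegated_controllers ROOT UID: prints the controllers delegated to the
# user's systemd instance (nothing if the cgroup is missing or unreadable).
delegated_controllers() {
  f="$1/sys/fs/cgroup/user.slice/user-$2.slice/user@$2.service/cgroup.controllers"
  [ -r "$f" ] && cat "$f"
}

# has_delegation ROOT UID CONTROLLER: succeeds if CONTROLLER is delegated.
has_delegation() {
  delegated_controllers "$1" "$2" | tr ' ' '\n' | grep -qx -- "$3"
}

# diagnose [ROOT [UID]]: human-readable report for the given user (default: caller).
diagnose() {
  root=${1:-}
  uid=${2:-$(id -u)}
  if user_bus_available "$root" "$uid"; then
    echo "user bus for uid $uid: present"
  else
    echo "user bus for uid $uid: missing (no logind session; systemd-run --user will fail)"
  fi
  for c in cpu memory pids cpuset; do
    if has_delegation "$root" "$uid" "$c"; then
      echo "controller $c: delegated to user@$uid.service"
    else
      echo "controller $c: NOT delegated to user@$uid.service"
    fi
  done
}

# Print the report when invoked with arguments, e.g.: sh check.sh "" 1001
if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```

On the affected host, run it as the user who starts the container; a missing bus line or a non-delegated controller line points at the logind-session or Delegate= side of the problem respectively.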