On Thu, Oct 27, 2022 at 1:40 PM Arseny Maslennikov <ar@xxxxxxxxx> wrote: > It had successfully reached this mailing list by 2022-Oct-25, so that > means you're not subscribed to the list. Strangely enough, > the mail receiver rejects emails from non-subscribers, so you wouldn't > be able to reach out to the list at all. I'm subscribed, and received your second email. Probably some sort of a glitch. I just decided to notify you, just in case. > I'll try to explain what I can. I suppose there's someone in the world > who has really hit the problems described below and is in a better > position to comment, or provide links to available resources where the > experience is documented for the perusal of the community. Thanks for your replies, things are a bit clearer at the moment. And yeah, I'll probably ask the lxc guys as well. But let me add here what I've learned so far. In case someone has anything to add. Locally it works w/o systemd-run, although there's one warning when running lxc-start (apparently non-fatal): lxc-start c 20221030073216.345 WARN start - ../src/lxc/start.c:lxc_spawn:1832 - Operation not permitted - Failed to allocate new network namespace id On the server w/o systemd-run (these are probably also non-fatal): lxc-start c 20221030114914.612 WARN apparmor - lsm/apparmor.c:lsm_apparmor_ops_init:1275 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing lxc-start c 20221030114914.626 WARN start - start.c:lxc_spawn:1835 - Operation not permitted - Failed to allocate new network namespace id But in the container's console I see: Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted [[0;1;31m!!!!!![0m] Failed to mount API filesystems. Exiting PID 1... >From what you said it looks like Delegate=yes is not about permissions, but about not stepping on someone else's toes. Yet on the server from the console output it looks like it's about permissions. However that might be a result of stepping on someone else's toes. I'm not sure. There's also a related issue. I tried to launch a container locally from another user (useradd + su), and it failed: lxc-start c 20221030074222.316 ERROR cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1232 - Failed to connect to user bus: No medium found lxc-start c 20221030074222.326 WARN start - ../src/lxc/start.c:lxc_spawn:1832 - Operation not permitted - Failed to allocate new network namespace id The console output: Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted [^[[0;1;31m!!!!!!^[[0m] Failed to mount API filesystems. Exiting PID 1... Which somewhat reminds me of what I saw on the server. But when I tried it with systemd-run (under this other user), systemd-run failed: Failed to connect to bus: No medium found A more detailed logs can be found here: https://gist.github.com/x-yuri/a6d31154df07405de97217ba75c1ff0f Regards, Yuri
Re: Is there a way to find out if Delegate=yes?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Is there a way to find out if Delegate=yes?
- From: Yuri Kanivetsky <yuri.kanivetsky@xxxxxxxxx>
- Date: Sun, 30 Oct 2022 14:18:30 +0200
- Cc: Systemd <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>
- In-reply-to: <Y1pgJrJOQj5ZasS+@cello>
- References: <CAMhVC3Zvk_qJm34HdbN11OKz8bf=z+BLMAix9CxvA_o1B-4W0A@mail.gmail.com> <CAMhVC3bu7zeZNpY7SuNO19crokvhYVBfmsY_pTHy1riyVPjpGQ@mail.gmail.com> <Y1pgJrJOQj5ZasS+@cello>
- References:
- Is there a way to find out if Delegate=yes?
- From: Yuri Kanivetsky
- Re: Is there a way to find out if Delegate=yes?
- From: Yuri Kanivetsky
- Re: Is there a way to find out if Delegate=yes?
- From: Arseny Maslennikov
- Is there a way to find out if Delegate=yes?
- Prev by Date: Attaching an overlayfs to an existing nspawn container
- Next by Date: Warning "Supervising process..." due to SIGCHLD from grand-parent
- Previous by thread: Re: Is there a way to find out if Delegate=yes?
- Next by thread: systemd prerelease 252-rc3
- Index(es):
 |