<div dir="ltr">Speaking of this, I've been using the (similar) hooks from here to get systemd working inside containers:<div><br></div><div><a href="https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html">https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html</a><br>
</div><div><br></div><div>is there any more official / recommended way of doing this yet? Otherwise lxc-start hangs at: 'Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied'</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 17, 2014 at 6:30 PM, Stéphane Graber <span dir="ltr"><<a href="mailto:stgraber@ubuntu.com" target="_blank">stgraber@ubuntu.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Thu, Jul 17, 2014 at 10:21:31PM +0000, Serge Hallyn wrote:<br>
> Quoting Stéphane Graber (<a href="mailto:stgraber@ubuntu.com">stgraber@ubuntu.com</a>):<br>
> > On Thu, Jul 17, 2014 at 02:08:59PM +0000, Serge Hallyn wrote:<br>
> > > That mount hook predates the lxc.mount.auto = cgroup option. So mention<br>
> > > that instead.<br>
> > ><br>
> > > Perhaps we should simply drop the mountcgroup hook from the tree, but<br>
> > > I'm not doing that in this patch.<br>
> > ><br>
> > > (This addresses <a href="https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1342960" target="_blank">https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1342960</a>)<br>
> > ><br>
> > > Signed-off-by: Serge Hallyn <<a href="mailto:serge.hallyn@ubuntu.com">serge.hallyn@ubuntu.com</a>><br>
> ><br>
> > Acked-by: Stéphane Graber <<a href="mailto:stgraber@ubuntu.com">stgraber@ubuntu.com</a>><br>
> ><br>
> > And unless someone strongly feels otherwise, I'd +1 the removal of the<br>
> > hook from the tree too.<br>
><br>
> Ok, let's do it then:<br>
><br>
><br>
> Subject: [PATCH 1/1] remove mountcgroup hook entirely<br>
><br>
> Also fix the comment in lxc-cirros template (which I overlooked last time).<br>
><br>
> Signed-off-by: Serge Hallyn <<a href="mailto:serge.hallyn@ubuntu.com">serge.hallyn@ubuntu.com</a>><br>
<br>
</div>Acked-by: Stéphane Graber <<a href="mailto:stgraber@ubuntu.com">stgraber@ubuntu.com</a>><br>
<div class="HOEnZb"><div class="h5"><br>
> ---<br>
> hooks/Makefile.am | 1 -<br>
> hooks/mountcgroups | 69 -------------------------------------------------<br>
> templates/<a href="http://lxc-cirros.in" target="_blank">lxc-cirros.in</a> | 2 +-<br>
> 3 files changed, 1 insertion(+), 71 deletions(-)<br>
> delete mode 100755 hooks/mountcgroups<br>
><br>
> diff --git a/hooks/Makefile.am b/hooks/Makefile.am<br>
> index 64bb26b..be55601 100644<br>
> --- a/hooks/Makefile.am<br>
> +++ b/hooks/Makefile.am<br>
> @@ -2,7 +2,6 @@ hooksdir=@LXCHOOKDIR@<br>
><br>
> hooks_SCRIPTS = \<br>
> clonehostname \<br>
> - mountcgroups \<br>
> mountecryptfsroot \<br>
> ubuntu-cloud-prep \<br>
> squid-deb-proxy-client<br>
> diff --git a/hooks/mountcgroups b/hooks/mountcgroups<br>
> deleted file mode 100755<br>
> index 073929c..0000000<br>
> --- a/hooks/mountcgroups<br>
> +++ /dev/null<br>
> @@ -1,69 +0,0 @@<br>
> -#!/bin/bash<br>
> -<br>
> -# (C) Copyright Canonical 2011,2012<br>
> -<br>
> -# This library is free software; you can redistribute it and/or<br>
> -# modify it under the terms of the GNU Lesser General Public<br>
> -# License as published by the Free Software Foundation; either<br>
> -# version 2.1 of the License, or (at your option) any later version.<br>
> -<br>
> -# This library is distributed in the hope that it will be useful,<br>
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of<br>
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU<br>
> -# Lesser General Public License for more details.<br>
> -<br>
> -# You should have received a copy of the GNU Lesser General Public<br>
> -# License along with this library; if not, write to the Free Software<br>
> -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA<br>
> -<br>
> -#<br>
> -# This is an example hook to mount all mounted cgroups in the<br>
> -# container. Only the container's own cgroup (not parents) will be<br>
> -# accessible to the container. You can enable this by adding<br>
> -# lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups<br>
> -# to your container's configuration file.<br>
> -<br>
> -set -e<br>
> -<br>
> -c=$1<br>
> -configfile=$LXC_CONFIG_FILE<br>
> -d=/sys/fs/cgroup<br>
> -d2=$LXC_ROOTFS_MOUNT/${d}<br>
> -# name lxc hook lxcpath<br>
> -lxcpath=$4<br>
> -if [ ! -d "$d" ]; then<br>
> - exit 0<br>
> -fi<br>
> -<br>
> -mount -n -t tmpfs tmpfs ${d2}<br>
> -<br>
> -do_devices_setup() {<br>
> - local devdir="$1"<br>
> - local c="$2"<br>
> - local line<br>
> - local w # which (allow or deny)<br>
> - local v # value<br>
> - # lxc.include provides common configuration options<br>
> - local commonconfigfile=$(egrep "^lxc.include[ \t]*=" ${configfile} | awk -F= '{ print $2 }')<br>
> - cat ${configfile} ${commonconfigfile} | egrep "^lxc.cgroup.devices.(allow|deny)[ \t]*=" | while read line; do<br>
> - w=`echo $line | awk -F. '{ print $4 }' | awk '{ print $1 }'`<br>
> - v=`echo $line | awk -F= '{ print $2 }'`<br>
> - echo "$v" >> "$devdir"/devices.$w<br>
> - done<br>
> -}<br>
> -<br>
> -# XXX TODO - we'll need to account for other cgroup groups beside 'lxc',<br>
> -# i.e. 'build' or 'users/joe'.<br>
> -for dir in `/bin/ls $d`; do<br>
> - if [ "$dir" = "devices" ]; then<br>
> - devicesdir="${d}/${dir}/lxc/${c}"<br>
> - mkdir -p "$devicesdir"<br>
> - # set the devices cgroup perms now - we can't change from blacklist to<br>
> - # whitelist, or add perms, once we have children.<br>
> - do_devices_setup "$devicesdir" "${c}"<br>
> - fi<br>
> - mkdir -p "${d}/${dir}/lxc/${c}/${c}.real"<br>
> - echo 1 > "${d}/${dir}/lxc/${c}/${c}.real/tasks"<br>
> - mkdir -p ${d2}/${dir}<br>
> - mount -n --bind "${d}/${dir}/lxc/${c}/${c}.real" "${d2}/${dir}"<br>
> -done<br>
> diff --git a/templates/<a href="http://lxc-cirros.in" target="_blank">lxc-cirros.in</a> b/templates/<a href="http://lxc-cirros.in" target="_blank">lxc-cirros.in</a><br>
> index 986b2b1..24b9210 100644<br>
> --- a/templates/<a href="http://lxc-cirros.in" target="_blank">lxc-cirros.in</a><br>
> +++ b/templates/<a href="http://lxc-cirros.in" target="_blank">lxc-cirros.in</a><br>
> @@ -121,7 +121,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time<br>
> #lxc.aa_profile = unconfined<br>
> # To support container nesting on an Ubuntu host, uncomment next two lines:<br>
> #lxc.aa_profile = lxc-container-default-with-nesting<br>
> -#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups<br>
> +#lxc.mount.auto = cgroup<br>
><br>
> lxc.cgroup.devices.deny = a<br>
> # Allow any mknod (but not using the node)<br>
> --<br>
> 1.9.1<br>
><br>
> _______________________________________________<br>
> lxc-devel mailing list<br>
> <a href="mailto:lxc-devel@lists.linuxcontainers.org">lxc-devel@lists.linuxcontainers.org</a><br>
> <a href="http://lists.linuxcontainers.org/listinfo/lxc-devel" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-devel</a><br>
<br>
</div></div><div class="HOEnZb"><div class="h5">--<br>
Stéphane Graber<br>
Ubuntu developer<br>
<a href="http://www.ubuntu.com" target="_blank">http://www.ubuntu.com</a><br>
</div></div><br>_______________________________________________<br>
lxc-devel mailing list<br>
<a href="mailto:lxc-devel@lists.linuxcontainers.org">lxc-devel@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-devel" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-devel</a><br>
<br></blockquote></div><br></div>