<div dir="ltr"><div><div><div>Thanks for your answers Fajar. The technology is still in its infancy, so I'm not surprised with the need to abuse sudo in this manner, and am willing to work around it.<br><br></div>But I'm not sure I completely follow what you are saying. I get the error that you are mentioning from systemd, where it is already running in a session. But I can also start the service after boot manually and not get that error, and it will create the cgroup, but as usual, I cannot as a normal user move a process to that cgroup, it gets an invalid request error.<br><br>And I can follow your steps 1-3 already.<br><br></div>My questions are on step 4. My output looks nothing like yours and I do not understand why you're moving the current tty into the / cgroup which is where it already resides?<br><br></div>My output looks like this:<br><br>root@ZitZ:/home/paul# bash -c 'cgm movepidabs all / $$ && sudo -u paul -i cat /proc/self/cgroup'<br>9:perf_event:/<br>8:memory:/<br>7:cpuset:/<br>6:devices:/<br>5:blkio:/<br>4:cpu,cpuacct:/<br>3:freezer:/<br>2:net_cls,net_prio:/<br>1:name=systemd:/<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Oct 10, 2015 at 2:14 AM, Fajar A. Nugraha <span dir="ltr"><<a href="mailto:list@fajar.net" target="_blank">list@fajar.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This one was a pain in the a$$<br>
<br>
Apparently newer systemd is picky, saying "Cannot create session:<br>
Already running in a session" if it already runs in a session (e.g.<br>
root's session). Latest systemd has "machinectl shell"<br>
(<a href="https://github.com/systemd/systemd/pull/1022" rel="noreferrer" target="_blank">https://github.com/systemd/systemd/pull/1022</a>) which should eliminate<br>
the need to abuse sudo. However, it's not in Ubuntu/Debian yet, so a<br>
workaround is needed.<br>
<br>
Here's what I did on Ubuntu Wily:<br>
<span class=""><br>
(1) on top of /etc/sudoers:<br>
Defaults use_pty<br>
<br>
</span><span class="">(2) at the bottom of /etc/pam.d/sudo<br>
session optional pam_loginuid.so<br>
session optional pam_systemd.so<br>
<br>
</span>(3) Make SURE libpam-systemd is installed (e.g. "dpkg -l")<br>
<br>
(4) Test<br>
# bash -c 'cgm movepidabs all / $$ && sudo -u user -i cat /proc/self/cgroup'<br>
<br>
Note the single quote, and "cgm movepidabs" command. That's the<br>
workaround. It should print something like<br>
<br>
10:hugetlb:/user.slice/user-1000.slice/session-47.scope<br>
...<br>
1:name=systemd:/user.slice/user-1000.slice/session-47.scope<br>
<br>
The main thing is "user.slice/user-UID.slice". If you don't see your<br>
"normal", non-0 uid there, recheck steps 1-3. See /var/log/auth.log<br>
for possible problems.<br>
<br>
(5) Create /etc/systemd/system/lxc-autostart-user.service. Note that<br>
you do NOT want RemainAfterExit=yes<br>
<br>
[Unit]<br>
Description=Autostart "user" containers<br>
<br>
[Service]<br>
Type=oneshot<br>
ExecStart=/opt/lxc/autostart-user<br>
RemainAfterExit=yes<br>
<br>
[Install]<br>
WantedBy=multi-user.target<br>
<br>
(6) Create /opt/lxc/autostart-user, then make it executable (e.g. chmod 700)<br>
#!/bin/bash<br>
export PATH=/usr/sbin:/usr/bin:/sbin:/bin<br>
cgm movepidabs all / $$<br>
sudo -u user -i -- bash -c "lxc-autostart;lxc-ls -f"<br>
<br>
(7) Enable and test with systemd<br>
# systemctl daemon-reload<br>
# systemctl enable lxc-autostart-user<br>
# systemctl start lxc-autostart-user<br>
# systemctl status lxc-autostart-user<br>
<br>
If all works well, you should see something like this:<br>
root@wily:~# systemctl status lxc-autostart-user<br>
● lxc-autostart-user.service - Autostart "user" containers<br>
Loaded: loaded (/etc/systemd/system/lxc-autostart-user.service; enabled; vendor preset: enabled)<br>
Active: inactive (dead) since Sat 2015-10-10 13:02:55 WIB; 1s ago<br>
Process: 21146 ExecStart=/opt/lxc/autostart-user (code=exited, status=0/SUCCESS)<br>
Main PID: 21146 (code=exited, status=0/SUCCESS)<br>
<br>
Oct 10 13:02:54 wily systemd[1]: Starting Autostart "user" containers...<br>
Oct 10 13:02:55 wily autostart-user[21146]: NAME STATE IPV4 IPV6 GROUPS AUTOSTART<br>
Oct 10 13:02:55 wily autostart-user[21146]: ----------------------------------------------<br>
Oct 10 13:02:55 wily autostart-user[21146]: trusty RUNNING - - - YES<br>
Oct 10 13:02:55 wily systemd[1]: Started Autostart "user" containers.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Fajar<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On Sat, Oct 10, 2015 at 4:20 AM, Paul Jones <<a href="mailto:spacefreak18@gmail.com">spacefreak18@gmail.com</a>> wrote:<br>
> I would also like to note that when I run the script I created through the<br>
> bash interpreter from tty it works just fine. Exactly as intended. I can<br>
> then switch back to my user and move the tty to my new cgroup.<br>
><br>
> The only time it doesn't work is when I attempt to call it from the systemd<br>
> unit.<br>
><br>
> It says I own the cgroup, but it is almost like I do not. Very weird.<br>
><br>
> I can use sudo, but it isn't my preferred method. Also it has the same issue<br>
> if I try to run it via the systemd unit.<br>
><br>
> On Fri, Oct 9, 2015 at 2:18 AM, Fajar A. Nugraha <<a href="mailto:list@fajar.net">list@fajar.net</a>> wrote:<br>
>><br>
>> On Fri, Oct 9, 2015 at 7:19 AM, Paul Jones <<a href="mailto:spacefreak18@gmail.com">spacefreak18@gmail.com</a>> wrote:<br>
>> > I have tried this but for some reason I am having trouble.<br>
>> ><br>
>> > I have pastebins for my systemd unit file and the bash script it calls.<br>
>> > <a href="http://pastebin.com/FLtLWaih" rel="noreferrer" target="_blank">http://pastebin.com/FLtLWaih</a><br>
>> > <a href="http://pastebin.com/b9qM2a9J" rel="noreferrer" target="_blank">http://pastebin.com/b9qM2a9J</a><br>
>> ><br>
>> > It appears as though it successfully creates the cgroup "me", I see it,<br>
>> > and I own it and have seemingly correct permission to it. But as my normal<br>
>> > user I cannot move the current tty to that cgroup. I cannot even do it as root!<br>
>><br>
>><br>
>> Try this:<br>
>><br>
>> (1) on top of /etc/sudoers:<br>
>> Defaults use_pty<br>
>><br>
>> Short version: with this, sudo will create a new pty owned by the user.<br>
>> Needed if you intend to run "screen" (or other stuff which needs<br>
>> user-owned tty). Not needed if you only need to run "lxc-attach" or<br>
>> "lxc-console".<br>
>><br>
>> (2) at the bottom of /etc/pam.d/sudo<br>
>> session optional pam_loginuid.so<br>
>> session optional pam_systemd.so<br>
>><br>
>> Short version: make pam_systemd create and use a new cgroup owned by the<br>
>> user when you run "sudo". With this, you can use "sudo" for<br>
>> "lxc-autostart".<br>
>><br>
>> (3) on your script ("paul" is your username, right?)<br>
>> /usr/bin/sudo -u paul -i -- /usr/bin/lxc-autostart<br>
>><br>
>> --<br>
>> Fajar<br>
>> _______________________________________________<br>
>> lxc-users mailing list<br>
>> <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
>> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Time To Get an EKG, G!<br>
><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Time To Get an EKG, G!</div>
</div>
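Added example, not code from the thread: a small shell check that parses /proc/self/cgroup text the way Fajar's step 4 test does by eye, reporting whether every controller sits under user.slice/user-UID.slice/session-*.scope and, if not, which controllers are still at the root cgroup (Paul's all-"/" output). The function names and the embedded sample outputs are constructed for this example.

```shell
#!/bin/bash
# Added example, not code from the thread: check whether a process ended up in a
# per-user systemd session scope (what Fajar's step 4 test looks for) by parsing
# /proc/self/cgroup text in the cgroup v1 "N:controllers:path" form.

# Print, one per line, the controllers whose cgroup path is still the root "/".
# $1 = cgroup text.
controllers_at_root() {
    printf '%s\n' "$1" | awk -F: '$3 == "/" { print $2 }'
}

# Return 0 only if every controller line sits under
# /user.slice/user-<uid>.slice/session-*.scope; 1 otherwise (empty input fails too).
# $1 = uid of the unprivileged user, $2 = cgroup text.
in_user_session_scope() {
    local uid="$1" text="$2" line path n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        n=$((n + 1))
        path="${line#*:*:}"          # drop the "N:controller:" prefix
        case "$path" in
            /user.slice/user-"$uid".slice/session-*.scope) ;;
            *) return 1 ;;
        esac
    done <<EOF
$text
EOF
    [ "$n" -gt 0 ]
}

# Constructed samples: the output Fajar says step 4 should print for uid 1000,
# and the all-root output Paul posted (no session scope was created for him).
FAJAR_OK='10:hugetlb:/user.slice/user-1000.slice/session-47.scope
1:name=systemd:/user.slice/user-1000.slice/session-47.scope'
PAUL_BAD='9:perf_event:/
8:memory:/
1:name=systemd:/'

# Stand-alone use: run as the target user ("sudo -u paul -i /path/to/this.sh --self")
# to check the live process against its own uid, mirroring Fajar's step 4.
if [ "${1:-}" = "--self" ]; then
    uid="$(id -u)"
    live="$(cat /proc/self/cgroup)"
    if in_user_session_scope "$uid" "$live"; then
        echo "OK: all controllers in user-$uid.slice session scope"
    else
        echo "NOT in user-$uid.slice session scope; controllers still at /:"
        controllers_at_root "$live"
    fi
fi
```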