[lxc-users] Starting unprivileged containers at boot - cgroup failures - Ubuntu 14.04

Michael Evans mjevans1983 at gmail.com
Sun Aug 24 03:48:49 UTC 2014 

Using ubuntu the download template creates a container that will work, IF
launched from a 'login' level shell (IE: ssh to the lxc account).

Following (almost exactly) a possible example by Serge Hallyn from this
same list around Thu, 21 Aug 2014 22:25:48 -0700
I've created:

/etc/init/lxc-user-auto.conf
description "start unpriv containers"
start on started lxc
script
 USERS="lxc"
 for u in $USERS; do
  cgm create all lxc$u
  cgm chown all lxc$u $(id -u $u) $(id -g $u)
  lxc-autostart -L -P /home/$u/.local/share/lxc | while read line; do
   set -- $line
   /usr/bin/lxc-start-unprivileged lxc$u $u $1
   sleep $2
  done
 done
end script


/usr/bin/lxc-start-unprivileged
cgm movepid all "$1"
sudo -u "$2" -- lxc-start -P /home/"$2"/.local/share/lxc
-o/home/"$2"/"$3".log -lDEBUG -n "$3" -d


mount | grep cgroup
none on /sys/fs/cgroup type tmpfs (rw)
systemd on /sys/fs/cgroup/systemd type cgroup
(rw,noexec,nosuid,nodev,none,name=systemd)

/sys/fs/cgroup/
/sys/fs/cgroup/systemd
/sys/fs/cgroup/systemd/user
/sys/fs/cgroup/systemd/user/0.user
/sys/fs/cgroup/systemd/user/0.user/1.session
/sys/fs/cgroup/systemd/user/0.user/1.session/notify_on_release
/sys/fs/cgroup/systemd/user/0.user/1.session/tasks
/sys/fs/cgroup/systemd/user/0.user/1.session/cgroup.clone_children
/sys/fs/cgroup/systemd/user/0.user/1.session/cgroup.event_control
/sys/fs/cgroup/systemd/user/0.user/1.session/cgroup.procs
/sys/fs/cgroup/systemd/user/0.user/notify_on_release
/sys/fs/cgroup/systemd/user/0.user/tasks
/sys/fs/cgroup/systemd/user/0.user/cgroup.clone_children
/sys/fs/cgroup/systemd/user/0.user/cgroup.event_control
/sys/fs/cgroup/systemd/user/0.user/cgroup.procs
/sys/fs/cgroup/systemd/user/notify_on_release
/sys/fs/cgroup/systemd/user/tasks
/sys/fs/cgroup/systemd/user/cgroup.clone_children
/sys/fs/cgroup/systemd/user/cgroup.event_control
/sys/fs/cgroup/systemd/user/cgroup.procs
/sys/fs/cgroup/systemd/lxclxc
/sys/fs/cgroup/systemd/lxclxc/notify_on_release
/sys/fs/cgroup/systemd/lxclxc/tasks
/sys/fs/cgroup/systemd/lxclxc/cgroup.clone_children
/sys/fs/cgroup/systemd/lxclxc/cgroup.event_control
/sys/fs/cgroup/systemd/lxclxc/cgroup.procs
/sys/fs/cgroup/systemd/release_agent
/sys/fs/cgroup/systemd/notify_on_release
/sys/fs/cgroup/systemd/tasks
/sys/fs/cgroup/systemd/cgroup.sane_behavior
/sys/fs/cgroup/systemd/cgroup.clone_children
/sys/fs/cgroup/systemd/cgroup.event_control
/sys/fs/cgroup/systemd/cgroup.procs
/sys/fs/cgroup/cgmanager
/sys/fs/cgroup/cgmanager/sock



      lxc-start 1408851088.621 INFO     lxc_start_ui - using rcfile
/home/lxc/.local/share/lxc/test/config
      lxc-start 1408851088.621 INFO     lxc_utils - XDG_RUNTIME_DIR isn't
set in the environment.
      lxc-start 1408851088.621 INFO     lxc_confile - read uid map: type u
nsid 0 hostid 400000 range 65536
      lxc-start 1408851088.621 INFO     lxc_confile - read uid map: type g
nsid 0 hostid 400000 range 65536
      lxc-start 1408851088.622 WARN     lxc_log - lxc_log_init called with
log already initialized
      lxc-start 1408851088.625 INFO     lxc_lsm - LSM security driver
AppArmor
      lxc-start 1408851088.625 INFO     lxc_utils - XDG_RUNTIME_DIR isn't
set in the environment.
      lxc-start 1408851088.626 DEBUG    lxc_conf - allocated pty
'/dev/pts/3' (5/6)
      lxc-start 1408851088.626 DEBUG    lxc_conf - allocated pty
'/dev/pts/4' (7/8)
      lxc-start 1408851088.626 DEBUG    lxc_conf - allocated pty
'/dev/pts/6' (9/10)
      lxc-start 1408851088.626 DEBUG    lxc_conf - allocated pty
'/dev/pts/7' (11/12)
      lxc-start 1408851088.626 INFO     lxc_conf - tty's configured
      lxc-start 1408851088.626 DEBUG    lxc_start - sigchild handler set
      lxc-start 1408851088.626 DEBUG    lxc_console - no console peer
      lxc-start 1408851088.629 INFO     lxc_monitor - using monitor sock
name lxc/101c4d4958dfe913//home/lxc/.local/share/lxc
      lxc-start 1408851088.895 INFO     lxc_start - 'test' is initialized
      lxc-start 1408851088.902 DEBUG    lxc_start - Not dropping
cap_sys_boot or watching utmp
      lxc-start 1408851088.902 INFO     lxc_start - Cloning a new user
namespace
      lxc-start 1408851088.903 INFO     lxc_cgroup - cgroup driver
cgmanager initing for test
      lxc-start 1408851088.904 ERROR    lxc_cgmanager - call to
cgmanager_create_sync failed: invalid request
      lxc-start 1408851088.904 ERROR    lxc_cgmanager - Failed to create
hugetlb:test
      lxc-start 1408851088.904 ERROR    lxc_cgmanager - Error creating
cgroup hugetlb:test
      lxc-start 1408851088.904 INFO     lxc_cgmanager - cgroup removal
attempt: hugetlb:test did not exist
      lxc-start 1408851088.904 INFO     lxc_cgmanager - cgroup removal
attempt: perf_event:test did not exist
      lxc-start 1408851088.905 INFO     lxc_cgmanager - cgroup removal
attempt: blkio:test did not exist
      lxc-start 1408851088.905 INFO     lxc_cgmanager - cgroup removal
attempt: freezer:test did not exist
      lxc-start 1408851088.905 INFO     lxc_cgmanager - cgroup removal
attempt: devices:test did not exist
      lxc-start 1408851088.906 INFO     lxc_cgmanager - cgroup removal
attempt: memory:test did not exist
      lxc-start 1408851088.906 INFO     lxc_cgmanager - cgroup removal
attempt: cpuacct:test did not exist
      lxc-start 1408851088.906 INFO     lxc_cgmanager - cgroup removal
attempt: cpu:test did not exist
      lxc-start 1408851088.906 INFO     lxc_cgmanager - cgroup removal
attempt: cpuset:test did not exist
      lxc-start 1408851088.907 INFO     lxc_cgmanager - cgroup removal
attempt: name=systemd:test did not exist
      lxc-start 1408851088.907 ERROR    lxc_start - failed creating cgroups
      lxc-start 1408851088.907 INFO     lxc_utils - XDG_RUNTIME_DIR isn't
set in the environment.
      lxc-start 1408851088.907 ERROR    lxc_start - failed to spawn 'test'
      lxc-start 1408851088.907 INFO     lxc_utils - XDG_RUNTIME_DIR isn't
set in the environment.
      lxc-start 1408851088.907 INFO     lxc_utils - XDG_RUNTIME_DIR isn't
set in the environment.
      lxc-start 1408851088.907 WARN     lxc_commands - command get_init_pid
failed to receive response
      lxc-start 1408851093.912 ERROR    lxc_start_ui - The container failed
to start.
      lxc-start 1408851093.912 ERROR    lxc_start_ui - To get more details,
run the container in foreground mode.
      lxc-start 1408851093.912 ERROR    lxc_start_ui - Additional
information can be obtained by setting the --logfile and --log-priority
options.


These failures mirror my much of my experience when attempting to start a
container on Debian, as well as any other place (Ubuntu included) when
trying to start a container via bare su / sudo.


If I instead log in via ssh...

/sys/fs/cgroup/systemd/user/1000.user
/sys/fs/cgroup/systemd/user/1000.user/2.session
/sys/fs/cgroup/systemd/user/1000.user/2.session/notify_on_release
/sys/fs/cgroup/systemd/user/1000.user/2.session/tasks
/sys/fs/cgroup/systemd/user/1000.user/2.session/cgroup.clone_children
/sys/fs/cgroup/systemd/user/1000.user/2.session/cgroup.event_control
/sys/fs/cgroup/systemd/user/1000.user/2.session/cgroup.procs
/sys/fs/cgroup/systemd/user/1000.user/notify_on_release
/sys/fs/cgroup/systemd/user/1000.user/tasks
/sys/fs/cgroup/systemd/user/1000.user/cgroup.clone_children
/sys/fs/cgroup/systemd/user/1000.user/cgroup.event_control
/sys/fs/cgroup/systemd/user/1000.user/cgroup.procs


Then

lxc at whatever:~$ lxc-start -d -n mc

works.


What type of cgroup manipulation or modifications to cgmanager are
necessary to automatically start an unprivileged container at boot?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140823/262b6d49/attachment.html>

More information about the lxc-users mailing list