[lxc-users] cgrulesengd does not work with lxc-start

José Miguel (sio2) sio2sio2+lxc at gmail.com
Mon Dec 15 18:04:08 UTC 2014


Hi everyone!

I try to use unprivileged containers in debian jessie. For that purpose, I
use cgconfigparser and cgrulesengd. cgconfigparser creates "lxc" cgroup on
boot (/etc/cgconfig.conf):

#v+
group lxc {
   perm {
      admin {
         uid = root;
         gid = lxc;
         dperm = 755;
         fperm = 644;
      }
      task {
         uid = root;
         gid = lxc;
         fperm = 644;
      }
   }
   memory {
      memory.limit_in_bytes = 512m;
   }
   cpu {}
   blkio {}
   freezer {}
   cpuacct {}
   cpuset {
      cgroup.clone_children = 1;
      cpuset.cpus = 0;
      cpuset.mems = 0;
   }
   devices {}
   net_cls {}
   net_prio {}
   perf_event {}
}
#v-

And in /etc/cgrules.conf I write these rules:

#v+
@lxc:lxc-start  *  lxc/%u
@lxc:sleep      *  lxc/%u
#v-

The second line is for checking purpose, of course.

The lxc/user container is created with pam_exec on login:

#v+
#!/bin/sh

CONTAINER="lxc"
LXC_GROUP="lxc"

groups $PAM_USER | grep -q '\b'$LXC_GROUP'\b' || exit 0

case $PAM_TYPE in
    open_session)
         if [ ! -d /sys/fs/cgroup/memory/$CONTAINER/$PAM_USER ]; then
             cgcreate -a $PAM_USER:$(id $PAM_USER -ng) \
               -g "memory,blkio,cpu,freezer,cpuacct,cpuset,devices,net_cls,net_prio,perf_event:$CONTAINER/$PAM_USER"
         fi
         ;;
   close_session)
         if ! users | grep -q $PAM_USER; then
             cgdelete -g "memory,blkio,cpu,freezer,cpuacct,cpuset,devices,net_cls,net_prio,perf_event:$CONTAINER/$PAM_USER"
         fi
         ;;
esac
#v-

"user" belongs to system group "lxc".

After login I check to see if this configuration is correct:

#v+
user at host:~$ sleep 20 &
[1] 981
user at host:~$ cat /sys/fs/cgroup/memory/lxc/user/tasks 
981
user at host:~$ sleep 10 &
[2] 983
user at host:~$ cat /sys/fs/cgroup/memory/lxc/user/tasks 
981
983
#v-

It seems correct. Now I try to start a container with lxc-start:

#v+
user at host:~$ lxc-start -n wheezy -d
user at host:~$ cat /sys/fs/cgroup/memory/lxc/user/tasks
1002
1004
user at host:~$ ps -C lxc-start
  PID TTY          TIME CMD
 1004 ?        00:00:00 lxc-start
#v-

Great! It works. However, after running "lxc-start" for the first time,
cgrulesengd seems to stop working and the following "sleep" processes go
to root cgroup:

#v+
user at host:~$ sleep 10 &
[1] 2242
user at host:~$ cat /sys/fs/cgroup/memory/lxc/user/tasks
1004
user at host:~$ grep 2242 /sys/fs/cgroup/memory/tasks
2242
#v-

Of course, I can not run another container. The only way is to stop the
container and restart cgrulesengd.

Am I doing something wrong or is it a bug?

Software:

lxc - 1.0.6-3.
cgroup-tools 0.41-6.

Thanks in advance.

-- 
   She loves, she loathes, treats well, mistreats,
and woman is, in the end, like a bloodletting,
which sometimes gives health and sometimes kills.
                  --- Lope de Vega ---
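The check the post performs by hand (reading the tasks file of the memory hierarchy after each command) can be done per process from /proc/<pid>/cgroup instead, which also shows whether every controller, not just memory, was placed. The following script is an added example and is not part of the original post or of cgroup-tools; it parses the cgroup v1 format of /proc/<pid>/cgroup ("hierarchy-id:controllers:path") and classifies a process as correctly placed in /lxc/<user>, fallen back to the root cgroup (the symptom described above), or somewhere else. The two sample inputs are constructed, with illustrative hierarchy ids.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the cgroup v1
# layout where cgrulesengd is expected to place a user's processes in
# /lxc/<user> for every controller, as configured in cgconfig.conf above.

# Print the cgroup path of one controller from /proc/<pid>/cgroup text on stdin.
# Usage: controller_path <controller>   (e.g. controller_path memory)
controller_path() {
    awk -F: -v want="$1" '
        { n = split($2, c, ",")
          for (i = 1; i <= n; i++) if (c[i] == want) { print $3; exit } }'
}

# Usage: check_user_cgroup <user> <contents of /proc/<pid>/cgroup>
# Returns 0 when the memory hierarchy path is /lxc/<user>,
#         1 when the process sits in the root cgroup ("/"),
#         2 for any other path (or no memory hierarchy at all).
check_user_cgroup() {
    user=$1
    path=$(printf '%s\n' "$2" | controller_path memory)
    case $path in
        "/lxc/$user") return 0 ;;
        "/")          return 1 ;;
        *)            return 2 ;;
    esac
}

# Usage: misplaced_controllers <user> <contents of /proc/<pid>/cgroup>
# Prints, one per line, every controller whose path is not /lxc/<user>.
# Named hierarchies such as "name=systemd" are skipped: they are not
# managed by cgrulesengd.
misplaced_controllers() {
    printf '%s\n' "$2" | awk -F: -v want="/lxc/$1" '
        { n = split($2, c, ",")
          for (i = 1; i <= n; i++)
              if (c[i] !~ /^name=/ && $3 != want) print c[i] }'
}

# Constructed sample: a process cgrulesengd placed correctly.
GOOD_SAMPLE='9:memory:/lxc/user
8:cpu,cpuacct:/lxc/user
7:freezer:/lxc/user
1:name=systemd:/user.slice/user-1000.slice/session-1.scope'

# Constructed sample of the failure in the post: the process landed in the
# root cgroup of every controller after lxc-start had been run once.
BAD_SAMPLE='9:memory:/
8:cpu,cpuacct:/
7:freezer:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope'

# On a live system the argument would be "$(cat /proc/$$/cgroup)" for the
# current shell, or /proc/<pid>/cgroup of the process under inspection.
if check_user_cgroup user "$GOOD_SAMPLE"; then
    echo "good sample: placed in /lxc/user"
fi
if ! check_user_cgroup user "$BAD_SAMPLE"; then
    echo "bad sample: not in /lxc/user; misplaced controllers:"
    misplaced_controllers user "$BAD_SAMPLE"
fi
```

Running it on the shell's own /proc/$$/cgroup after each `sleep &` in the session above would show immediately which controllers, not only memory, dropped back to the root cgroup once lxc-start had been started.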