[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)

Serge Hallyn serge.hallyn at ubuntu.com
Thu May 29 16:14:58 UTC 2014


Quoting Christian Seiler (christian at iwakd.de):
> Hi,
> 
> >> ### lxc-start output
> >> <30>systemd[1]: Starting Root Slice.
> >> <27>systemd[1]: Caught <SEGV>, dumped core as pid 12.
> >> <30>systemd[1]: Freezing execution.
> >> ###
> > 
> > Hm, that's unfortunate.  I thought lxc.mount.auto = cgroup:mixed
> > with cgfs would mount named subsystems?  Christian?
> 
> Yes, but this is actually controlled by lxc.cgroup.use (in
> lxc.system.conf(5), *not* lxc.container.conf(5)). Basically, we were
> conservative back then and decided to only touch cgroups (both for
> putting the container into and also for bind-mounting) that were either
> kernel cgroups or that the user explicitly specified.

Ah, thanks.

Fajar, does that fix it for you?

> BUT I think for the auto-mounting hook we should maybe change that to
> use *all* hierarchies. It's just that auto-mounting came a bit later and
> I just reused the existing code at that point and didn't properly think
> through the implications. I can provide a patch for changing this to all
> hierarchies for the auto-mounting case, but not today.
> 
> In the meantime, you can just create a /etc/lxc/lxc.conf (or whatever
> LXC looks for on your system) with the following setting:
> 
> lxc.cgroup.use = @all
> 
> That will resort to using *all* named hierarchies. Or, alternatively,
> you can use something like
> 
> lxc.cgroup.use = @kernel systemd
> 
> to include all kernel hierarchies and the systemd hierarchy, but not
> other named ones.
> 
> Note btw. that including the systemd hierarchy here actually has some
> weird side-effects, since the lxc.cgroup.use setting applies to both the
> auto-mounting feature but also the "let's move the container into cgroup"
> logic, thus directly modifying the systemd cgroup tree, something that
> systemd strongly discourages.
> 
> I was actually working on an additional cgroup backend for LXC (in
> addition to cgfs and cgmanager) that interfaces with systemd's dbus
> interface, but I'm not nearly done yet.

Oh, great.  Clearly finding a good place for cgmanager and systemd to
intersect is on my todo list, maybe your driver will be inspiration.

(My primary goal is to continue supporting unprivileged nested containers
as well with systemd as we do with upstart+cgmanager)

-serge
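
The selection rule Christian describes above (kernel hierarchies by default, `@all` for every hierarchy, `@kernel` plus explicitly named ones otherwise), modelled as an added example that is not LXC's own code; the /proc/self/cgroup sample is constructed to resemble a host with a named systemd hierarchy, and the matching logic is a simplification of the real cgfs driver.

```python
# Constructed sample of /proc/self/cgroup on the host (cgroup v1 layout).
# Hierarchy 1 is a *named* hierarchy: it carries no kernel subsystem, only
# "name=systemd", which is why "@kernel" alone never selects it.
SAMPLE_PROC_SELF_CGROUP = """\
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:freezer:/
6:devices:/
5:memory:/
4:cpuacct:/
3:cpu:/
2:cpuset:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
"""


def parse_hierarchies(text):
    """Parse /proc/self/cgroup lines into (id, [controllers], path) tuples."""
    result = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hid, controllers, path = line.split(":", 2)
        result.append((int(hid), controllers.split(","), path))
    return result


def is_named(controllers):
    """A named hierarchy has only 'name=<x>' entries and no kernel subsystem."""
    return all(c.startswith("name=") for c in controllers)


def select_hierarchies(spec, hierarchies):
    """Return the controller strings LXC would touch for an lxc.cgroup.use value.

    An unset value behaves like "@kernel" (the conservative default described
    in the thread). Assumption: a bare token matches either a kernel subsystem
    or the named hierarchy of that name.
    """
    tokens = (spec or "@kernel").split()
    chosen = []
    for _hid, controllers, _path in hierarchies:
        named = is_named(controllers)
        for tok in tokens:
            if (tok == "@all" or (tok == "@kernel" and not named)
                    or tok in controllers or "name=" + tok in controllers):
                chosen.append(",".join(controllers))
                break
    return chosen
```

Comparing the default against `@kernel systemd` shows exactly which extra hierarchy LXC would start writing into: the systemd one, which is the side-effect Christian warns about.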
