[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)

Fajar A. Nugraha list at fajar.net
Thu May 29 21:58:44 UTC 2014


On Thu, May 29, 2014 at 11:14 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Christian Seiler (christian at iwakd.de):
>> Hi,
>>
>> >> ### lxc-start output
>> >> <30>systemd[1]: Starting Root Slice.
>> >> <27>systemd[1]: Caught <SEGV>, dumped core as pid 12.
>> >> <30>systemd[1]: Freezing execution.
>> >> ###
>> >
>> > Hm, that's unfortunate.  I thought lxc.mount.auto = cgroup:mixed
>> > with cgfs would mount named subsystems?  Christian?
>>
>> Yes, but this is actually controlled by lxc.cgroup.use (in
>> lxc.system.conf(5), *not* lxc.container.conf(5)). Basically, we were
>> conservative back then and decided to only touch cgroups (both for
>> putting the container into and also for bind-mounting) that were either
>> kernel cgroups or that the user explicitly specified.
>
> Ah, thanks.
>
> Fajar, does that fix it for you?

Unfortunately, no.

# cat /etc/lxc/lxc.conf
lxc.cgroup.use = @all
lxc.cgroup.pattern = lxc-all/%n

The last line is for test purposes, to verify that lxc is reading the
right lxc.conf (the file doesn't exist by default).

# grep cgroup /var/lib/lxc/f20/config
lxc.mount.auto = cgroup:mixed

# lxc-start -n f20
...
<30>systemd[1]: Starting Root Slice.
<27>systemd[1]: Caught <SEGV>, dumped core as pid 12.
<30>systemd[1]: Freezing execution.

stopped at the same point.

# lxc-attach -n f20 -- mount | grep cgroup
cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k,mode=755)
none on /sys/fs/cgroup/cgmanager type tmpfs (rw,relatime,size=4k,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,mode=755)

The cgroup mounts from the host are not bind-mounted in the container.

>
>> BUT I think for the auto-mounting hook we should maybe change that to
>> use *all* hierarchies. It's just that auto-mounting came a bit later and
>> I just reused the existing code at that point and didn't properly think
>> through the implications. I can provide a patch for changing this to all
>> hierarchies for the auto-mounting case, but not today.
>>
>> In the mean time, you can just create a /etc/lxc/lxc.conf (or whatever
>> LXC looks for on your system) with the following setting:
>>
>> lxc.cgroup.use = @all
>>
>> That will resort to using *all* named hierarchies.

lxc does read the file /etc/lxc/lxc.conf that I created, verified by
the fact that lxc.cgroup.pattern works correctly. It does not,
however, create the directory /sys/fs/cgroup/systemd/lxc-all/f20
(which, if I understand correctly, it should, since I use
lxc.cgroup.use = @all).

# ls -d /sys/fs/cgroup/*/lxc-all/f20
/sys/fs/cgroup/blkio/lxc-all/f20
/sys/fs/cgroup/cpuacct/lxc-all/f20
/sys/fs/cgroup/cpu/lxc-all/f20
/sys/fs/cgroup/cpuset/lxc-all/f20
/sys/fs/cgroup/devices/lxc-all/f20
/sys/fs/cgroup/freezer/lxc-all/f20
/sys/fs/cgroup/hugetlb/lxc-all/f20
/sys/fs/cgroup/memory/lxc-all/f20
/sys/fs/cgroup/perf_event/lxc-all/f20

# mount | grep cgroup
none on /sys/fs/cgroup type tmpfs (rw,relatime,size=4k,mode=755)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuset,clone_children)
cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu,release_agent=/run/cgmanager/agents/cgm-release-agent.cpu)
cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory,release_agent=/run/cgmanager/agents/cgm-release-agent.memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices,release_agent=/run/cgmanager/agents/cgm-release-agent.devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio,release_agent=/run/cgmanager/agents/cgm-release-agent.blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,relatime,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd)

-- 
Fajar
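The check Fajar runs by hand above (list every cgroup hierarchy on the host, then see whether each one has the container's directory under lxc.cgroup.pattern) can be automated so the gap shows up as a single line. The script below is an added example, not code from the thread or from LXC: it parses `mount`-style output, treats the controller names and `name=<x>` as the hierarchy label, and reports hierarchies with no container directory. The sample mount lines and directory list are constructed from the output in the message; the function names, the `%n` expansion and the `isdir` hook are assumptions of this example, not LXC's own API.

```python
"""Report cgroup v1 hierarchies that lack a container's cgroup directory.

Added example, not from the thread or the LXC project. It reproduces the
manual check in the message: a systemd-based container needs a directory
in the named 'systemd' hierarchy as well as in the controller hierarchies,
so a hierarchy that is mounted on the host but has no <pattern> directory
for the container is the one to look at.
"""
import os
import re
import subprocess
from typing import Callable, Dict

# cgroup v1 controller names as they appear among the mount options.
CONTROLLERS = {
    "cpuset", "cpu", "cpuacct", "memory", "devices", "freezer", "blkio",
    "perf_event", "hugetlb", "net_cls", "net_prio", "pids",
}

# One line of `mount` output for a cgroup filesystem: "<src> on <mnt> type cgroup (<opts>)"
MOUNT_LINE = re.compile(r"^(?P<src>\S+) on (?P<mnt>\S+) type cgroup \((?P<opts>[^)]*)\)\s*$")


def parse_cgroup_mounts(mount_output: str) -> Dict[str, str]:
    """Map each cgroup v1 mountpoint to a label.

    The label is the comma-joined controller list, with a trailing
    'name=<x>' for a named hierarchy (systemd's has no controllers at all).
    tmpfs, cgmanager and other non-cgroup lines are skipped.
    """
    hierarchies: Dict[str, str] = {}
    for line in mount_output.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts").split(",")
        controllers = [o for o in opts if o in CONTROLLERS]
        named = [o for o in opts if o.startswith("name=")]
        hierarchies[m.group("mnt")] = ",".join(controllers + named) or "<unlabelled>"
    return hierarchies


def container_cgroup_dir(mountpoint: str, pattern: str, name: str) -> str:
    """Expand an lxc.cgroup.pattern value (%n = container name) under a hierarchy."""
    return os.path.join(mountpoint, pattern.replace("%n", name))


def missing_container_dirs(hierarchies: Dict[str, str], pattern: str, name: str,
                           isdir: Callable[[str], bool] = os.path.isdir) -> Dict[str, str]:
    """Return {label: expected_path} for every hierarchy without the container dir.

    `isdir` is injectable so the logic can be exercised against constructed data.
    """
    missing: Dict[str, str] = {}
    for mnt, label in sorted(hierarchies.items()):
        path = container_cgroup_dir(mnt, pattern, name)
        if not isdir(path):
            missing[label] = path
    return missing


# Constructed sample: the host's `mount | grep cgroup` lines from the message.
SAMPLE_MOUNTS = """\
none on /sys/fs/cgroup type tmpfs (rw,relatime,size=4k,mode=755)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuset,clone_children)
cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu,release_agent=/run/cgmanager/agents/cgm-release-agent.cpu)
cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory,release_agent=/run/cgmanager/agents/cgm-release-agent.memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices,release_agent=/run/cgmanager/agents/cgm-release-agent.devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio,release_agent=/run/cgmanager/agents/cgm-release-agent.blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,relatime,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd)
"""

# Constructed sample: the directories the message's `ls -d` showed (no systemd entry).
SAMPLE_DIRS = {
    f"/sys/fs/cgroup/{c}/lxc-all/f20"
    for c in ("blkio", "cpuacct", "cpu", "cpuset", "devices",
              "freezer", "hugetlb", "memory", "perf_event")
}


def check_sample() -> Dict[str, str]:
    """Run the check against the constructed data from the message."""
    hier = parse_cgroup_mounts(SAMPLE_MOUNTS)
    return missing_container_dirs(hier, "lxc-all/%n", "f20", isdir=lambda p: p in SAMPLE_DIRS)


if __name__ == "__main__":
    import sys
    # With no arguments, replay the message's data; otherwise check a live host
    # for the given container name, reading `mount` output directly.
    if len(sys.argv) < 2:
        missing = check_sample()
    else:
        live = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
        missing = missing_container_dirs(parse_cgroup_mounts(live), "lxc-all/%n", sys.argv[1])
    for label, path in missing.items():
        print(f"hierarchy [{label}] has no container directory at {path}")
```

On the constructed data the only line printed is for the `name=systemd` hierarchy, which is the directory the message says is not created; on a live host pass the container name (and adjust the pattern if your lxc.conf uses something other than `lxc-all/%n`).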