[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)

Christian Seiler christian at iwakd.de
Thu May 29 16:07:52 UTC 2014


Hi,

>> ### lxc-start output
>> <30>systemd[1]: Starting Root Slice.
>> <27>systemd[1]: Caught <SEGV>, dumped core as pid 12.
>> <30>systemd[1]: Freezing execution.
>> ###
> 
> Hm, that's unfortunate.  I thought lxc.mount.auto = cgroup:mixed
> with cgfs would mount named subsystems?  Christian?

Yes, but this is actually controlled by lxc.cgroup.use (in
lxc.system.conf(5), *not* lxc.container.conf(5)). Basically, we were
conservative back then and decided to only touch cgroups (both for
putting the container into and also for bind-mounting) that were either
kernel cgroups or that the user explicitly specified.

BUT I think for the auto-mounting hook we should maybe change that to
use *all* hierarchies. It's just that auto-mounting came a bit later and
I just reused the existing code at that point and didn't properly think
through the implications. I can provide a patch for changing this to all
hierarchies for the auto-mounting case, but not today.

In the meantime, you can just create a /etc/lxc/lxc.conf (or whatever
LXC looks for on your system) with the following setting:

lxc.cgroup.use = @all

That will resort to using *all* named hierarchies. Or, alternatively,
you can use something like

lxc.cgroup.use = @kernel systemd

to include all kernel hierarchies and the systemd hierarchy, but not
other named ones.

Note btw. that including the systemd hierarchy here actually has some
weird side-effects, since the lxc.cgroup.use setting applies both to the
auto-mounting feature and to the "let's move the container into a cgroup"
logic, thus directly modifying the systemd cgroup tree, something that
systemd strongly discourages.

I was actually working on an additional cgroup backend for LXC (in
addition to cgfs and cgmanager) that interfaces with systemd's dbus
interface, but I'm not nearly done yet.

Regards,
Christian
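Worked example, added here and not part of the thread or of LXC's code: it parses the cgroup v1 hierarchies a host lists in /proc/self/cgroup and resolves an lxc.cgroup.use value against them, so you can see whether the name=systemd hierarchy would be covered before starting a systemd container. The resolution rules (@all = every hierarchy, @kernel = hierarchies backed by kernel controllers, any other token names one hierarchy) model the description in the mail and are an assumption, not a reimplementation of LXC's actual logic; the /proc/self/cgroup content is a constructed sample.

```python
# Added example, not LXC's own code: resolve an lxc.cgroup.use value
# against the cgroup v1 hierarchies listed in /proc/self/cgroup.
# Resolution rules follow the mail's description and are an assumption
# about LXC's behaviour (@all, @kernel, explicit hierarchy names).
from collections import namedtuple

# Constructed /proc/self/cgroup (v1) sample: id:controllers:path.
# Named hierarchies appear as "name=<label>", here the systemd one.
SAMPLE_PROC_CGROUP = """\
10:devices:/
9:cpu,cpuacct:/
8:memory:/
7:freezer:/
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
"""

# controllers: tuple of kernel controllers; name: label or None
Hierarchy = namedtuple("Hierarchy", "hid controllers name")


def parse_proc_cgroup(text):
    """Parse /proc/self/cgroup lines into Hierarchy records."""
    result = []
    for line in filter(None, text.splitlines()):
        hid, subsys, _path = line.split(":", 2)
        controllers, name = [], None
        for item in subsys.split(","):
            if item.startswith("name="):
                name = item[len("name="):]
            elif item:
                controllers.append(item)
        result.append(Hierarchy(int(hid), tuple(controllers), name))
    return result


def resolve_cgroup_use(spec, hierarchies):
    """Return the set of hierarchy ids an lxc.cgroup.use value selects."""
    selected = set()
    for token in spec.split():
        for h in hierarchies:
            if token == "@all":
                selected.add(h.hid)
            elif token == "@kernel" and h.controllers:
                selected.add(h.hid)
            elif token == h.name or token in h.controllers:
                selected.add(h.hid)
    return selected


def systemd_hierarchy_selected(spec, hierarchies):
    """True if the name=systemd hierarchy is covered; when it is not,
    a systemd-based container hits the crash shown in the thread."""
    ids = resolve_cgroup_use(spec, hierarchies)
    return any(h.name == "systemd" and h.hid in ids for h in hierarchies)
```

Run it against the real file with `parse_proc_cgroup(open("/proc/self/cgroup").read())` on a cgroup v1 host to check your own lxc.cgroup.use setting.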
