[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)

Fajar A. Nugraha list at fajar.net
Fri May 30 08:35:31 UTC 2014


On Fri, May 30, 2014 at 3:28 PM, Christian Seiler <christian at iwakd.de> wrote:
> Hi,
>
> as I said before, I'll have a chance of looking at the whole thing
> tomorrow myself, but just two quick things:
>
>> First it turns out I also needed to add lxc.mount.auto = sys before
>> lxc.mount.auto = cgroup:mixed (otherwise I'd get double /sys/fs/cgroup
>> tmpfs mount).
>
> Huh? So lxc.mount.auto = sys has to be there, obviously (otherwise /sys
> is not mounted), but what exactly do you mean by "double"?

What I meant was (from the previous output, without lxc.mount.auto=sys)

>> cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k,mode=755)
>> none on /sys/fs/cgroup/cgmanager type tmpfs (rw,relatime,size=4k,mode=755)
>> tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,mode=755)

notice the double entry for /sys/fs/cgroup?

In any case, it's probably not relevant anymore, since it doesn't
happen with lxc.mount.auto=sys.

>
>> What happens is:
>> - the container still "Freezing execution" while starting root slice
>> - /sys/fs/cgroup/cpuset (and friends) are bind-mounted (there's
>> additional "user/0.user/13.session" directory, but I assume it's the
>> effect of the ubuntu host's systemd, and is okay)
>> - systemd mount in the container happens at
>> /sys/fs/cgroup/systemd/user/0.user/13.session/lxc-all/f20 , but the
>> container expects /sys/fs/cgroup/systemd/ to be writable
>>
>> So lxc.mount.auto = cgroup:mixed and lxc.cgroup.use = @all works, but
>> it's not enough for fedora (and other systemd-based containers) to work
>> properly.
>
> Could you try the following?
> lxc.mount.auto = sys cgroup-full:mixed
>
> That will mount the whole cgroup tree, but the parts outside of the
> container read-only.

I don't have the test container handy right now, but in the past test
I've made the whole systemd cgroup tree bind-mounted read only, and it
doesn't work.

>
> In any case, I'll take a close look myself tomorrow.

Great!

-- 

Fajar
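A small check that automates what the exchange above does by eye, added here as an example and not part of the thread: it reads `mount`-style output and reports mount points listed twice (the double /sys/fs/cgroup entry) and whether the mount effectively visible at a path such as /sys/fs/cgroup/systemd carries the rw option. The sample input is the three lines quoted above plus one constructed read-only systemd line; inside a container you would pipe the real `mount` output in instead.

```shell
# Constructed sample: the three mount lines quoted in the thread
# (the run without lxc.mount.auto = sys).
SAMPLE_DOUBLE='cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k,mode=755)
none on /sys/fs/cgroup/cgmanager type tmpfs (rw,relatime,size=4k,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,mode=755)'

# Constructed sample (hypothetical, not from the thread): what a read-only
# bind of the systemd hierarchy looks like in `mount` output.
SAMPLE_RO='cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,name=systemd)'

# Read `mount`-style lines on stdin ("<src> on <mountpoint> type <fs> (<opts>)")
# and print every mount point that appears more than once, one per line.
duplicate_mountpoints() {
    awk '$2 == "on" { seen[$3]++ }
         END { for (mp in seen) if (seen[mp] > 1) print mp }' | sort
}

# Print the option string of the mount effectively visible at the given mount
# point: the last entry wins, because a later mount shadows an earlier one.
effective_mount_options() {
    awk -v mp="$1" '$2 == "on" && $3 == mp { opts = $6 }
                    END { if (opts != "") { gsub(/[()]/, "", opts); print opts } }'
}

# Succeed (exit 0) only if the mount visible at the given path has the rw option.
# Usage inside a container: mount | mount_is_rw /sys/fs/cgroup/systemd
mount_is_rw() {
    opts=$(effective_mount_options "$1")
    [ -n "$opts" ] && printf ',%s,' "$opts" | grep -q ',rw,'
}

# Stand-alone demo against the constructed samples.
echo "mount points listed more than once:"
printf '%s\n' "$SAMPLE_DOUBLE" | duplicate_mountpoints
if printf '%s\n' "$SAMPLE_RO" | mount_is_rw /sys/fs/cgroup/systemd; then
    echo "/sys/fs/cgroup/systemd is writable"
else
    echo "/sys/fs/cgroup/systemd is read-only; the container's systemd expects it writable"
fi
```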

