[lxc-users] apparmor profile for systemd containers (WAS: Fedora container thinks it is not running)

Christian Seiler christian at iwakd.de
Fri May 30 08:28:20 UTC 2014


Hi,

as I said before, I'll have a chance of looking at the whole thing
tomorrow myself, but just two quick things:

> First it turns out I also needed to add lxc.mount.auto = sys before
> lxc.mount.auto = cgroup:mixed (otherwise I'd get double /sys/fs/cgroup
> tmpfs mount).

Huh? So lxc.mount.auto = sys has to be there, obviously (otherwise /sys
is not mounted), but what exactly do you mean by "double"?

> What happens is:
> - the container still "Freezing execution" while starting root slice
> - /sys/fs/cgroup/cpuset (and friends) are bind-mounted (there's an
> additional "user/0.user/13.session" directory, but I assume it's the
> effect of the ubuntu host's systemd, and is okay)
> - systemd mount in the container happens at
> /sys/fs/cgroup/systemd/user/0.user/13.session/lxc-all/f20 , but the
> container expects /sys/fs/cgroup/systemd/ to be writable
> 
> So lxc.mount.auto = cgroup:mixed and lxc.cgroup.use = @all works, but
> it's not enough for fedora (and other systemd-based containers) to work
> properly.

Could you try the following?
lxc.mount.auto = sys cgroup-full:mixed

That will mount the whole cgroup tree, but the parts outside of the
container read-only.

In any case, I'll take a close look myself tomorrow.

Regards,
Christian
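
An added diagnostic (example code, not from this thread or from LXC) for checking from inside a container which parts of the cgroup tree are visible read-only and which read-write, by parsing /proc/self/mountinfo. The mountinfo lines it runs on are constructed to mirror the mountpoint quoted above; the helper names and the sample layout are assumptions, not a description of what cgroup-full:mixed actually produces.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): list every mount under
# /sys/fs/cgroup with its per-mountpoint ro/rw flag and its "root"
# field, i.e. which part of the cgroup hierarchy is visible there.
# Usage: cgroup_mounts [mountinfo-file]   (default: /proc/self/mountinfo)
cgroup_mounts() {
    awk '
        $5 ~ /^\/sys\/fs\/cgroup(\/|$)/ {
            # field 6 = per-mount options; the kernel always puts rw/ro first
            split($6, opts, ",")
            flag = (opts[1] == "ro") ? "ro" : "rw"
            # optional fields end at the "-" separator; fstype follows it
            fstype = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            printf "%s %s %s root=%s\n", flag, fstype, $5, $4
        }' "${1:-/proc/self/mountinfo}"
}

# Print rw/ro for the path systemd needs writable, or "missing" if the
# systemd hierarchy is not mounted at /sys/fs/cgroup/systemd at all.
systemd_cgroup_writable() {
    cgroup_mounts "$1" | awk '
        $3 == "/sys/fs/cgroup/systemd" { print $1; found = 1 }
        END { if (!found) print "missing" }'
}

# Constructed sample (hypothetical): the systemd hierarchy is mounted
# read-only at its root, while the container only owns a deep sub-path.
sample_file=$(mktemp)
trap 'rm -f "$sample_file"' EXIT
cat > "$sample_file" <<'EOF'
30 21 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
31 30 0:27 / /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,name=systemd
32 31 0:27 /user/0.user/13.session/lxc-all/f20 /sys/fs/cgroup/systemd/user/0.user/13.session/lxc-all/f20 rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,name=systemd
33 30 0:28 / /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
EOF

cgroup_mounts "$sample_file"
echo "systemd hierarchy at /sys/fs/cgroup/systemd is: $(systemd_cgroup_writable "$sample_file")"
```

Run it without the sample (call `cgroup_mounts` with no argument) inside the container to compare what cgroup:mixed and cgroup-full:mixed actually expose.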
