[lxc-users] Ubuntu 14.04, systemd and cgroups

Charles Ricketts githlar at gmail.com
Sat Nov 29 23:38:27 UTC 2014


I posted a question in Ask Ubuntu, but I believe that my problem may be
LXC-specific (though I'm not entirely sure), so I'll ask here too! I am
attempting to run an Ubuntu 14.04 container within an Ubuntu 14.04 and
have Spice access to it. After quite a bit of work, I was finally able
to get it working within a Fedora LXC container using the newest Spice
sources from git. However, I am not having the same luck within an
Ubuntu 14.04 container.

Spice, being a Red Hat project, relies on Systemd. Systemd's login
implementation, specifically. This shouldn't be a problem since Ubuntu
14.04 uses the libsystemd-login0 to manage X sessions. However, when
spice-vdagent starts up, spice-vdagentd attempts to get spice-vdagent's
session information via a call to sd_pid_get_session(), which is handled
by libsystemd-login0. spice-vdagentd then complains:

spice-vdagent[1831]: debug: 0xbd9010 connected to /var/run/spice-vdagentd/spice-vdagent-sock
spice-vdagentd: err: Error getting session for pid 1831: No such file or directory

After digging around in the Ubuntu libsystemd-login0 source, it looks
like this call is reliant on the existence of the systemd cgroup within
/sys/fs/cgroup/systemd. However, this cgroup never gets populated within
the LXC container. I thought I had tracked down the solution within the
file /etc/init/systemd-logind.conf, which has a line that tests whether
the system is running within a container and, if it is, doesn't mount
the cgroup. It is prefixed by a comment that says "mounting the cgroup
does not work in LXC, there it uses cgmanager," which isn't really that
explanatory to me -- is it a problem that LXC uses cgmanager? I removed
the container check, rebooted my container and, sure enough, the systemd
cgroup did show up. Unfortunately, the cgroup does not actually get
populated by any PIDs. /sys/fs/cgroup/systemd/cgroup.procs is always
empty. I looked at my host Ubuntu 14.04 system, and the systemd cgroup
seems to be working just fine in that regard.

To try to eliminate the number of possible variables in this problem,
I am running my container using the "unrestricted" profile. Below are
the configs for my working Fedora container and my problematic LXC
container, though I don't believe it is a configuration problem per se.

Fedora:

lxc.tty = 4
lxc.pts = 1024
lxc.devttydir = lxc
lxc.arch = x86_64
lxc.aa_profile = unconfined
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.autodev = 1
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.utsname = fedora2
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:4a:58:88
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = sys_module
lxc.cap.drop = sys_nice
lxc.cap.drop = sys_pacct
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_time
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.rootfs = overlayfs:/var/lib/lxc/fedora/rootfs:/var/lib/lxc/fedora2/delta0

Ubuntu 14.04:

lxc.mount = /var/lib/lxc/ubuntu2/fstab
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.aa_profile = unconfined
#lxc.mount.auto = cgroup:mixed
#lxc.mount.auto = proc:mixed
lxc.autodev = 1
lxc.tty = 4
lxc.pts = 1024
lxc.devttydir = lxc
lxc.arch = x86_64
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 10:228 rwm
lxc.cgroup.devices.allow = c 10:232 rwm
lxc.utsname = ubuntu2
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:be:57:ad
lxc.cap.drop = sys_module
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = sys_time
lxc.rootfs = overlayfs:/var/lib/lxc/ubuntu/rootfs:/var/lib/lxc/ubuntu2/delta0
lxc.pivotdir = lxc_putold
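The "No such file or directory" error above comes from the session lookup that sd_pid_get_session() performs, which reads /proc/<pid>/cgroup, picks out the "name=systemd" hierarchy and derives the logind session from that cgroup path. The following is an added diagnostic, not code from the post or from libsystemd-login: it is a simplified model of that lookup, run over two constructed /proc/<pid>/cgroup samples (a host process sitting in a logind session, and a container process whose systemd hierarchy path is just the container's own cgroup) and then over the calling process itself. The ".user/.session" and "user.slice/session-N.scope" path layouts and the exact error mapping are assumptions for illustration; the real library handles the layout of its own systemd version.

```python
import errno
import re
from typing import Optional, Tuple

# Session path layouts written by systemd-logind.  The "/user/<uid>.user/<id>.session"
# form is the systemd 204 era layout (the version shipped in Ubuntu 14.04); the
# "user.slice/session-<id>.scope" form is the later one.  Assumed here for
# illustration, not copied from libsystemd-login.
_SESSION_PATTERNS = (
    re.compile(r"^/user/\d+\.user/(?P<id>[^/]+)\.session(?:/|$)"),
    re.compile(r"^/user\.slice/user-\d+\.slice/session-(?P<id>[^/]+)\.scope(?:/|$)"),
)


def systemd_cgroup_path(proc_cgroup_text: str) -> Optional[str]:
    """Return the path of the 'name=systemd' hierarchy from /proc/<pid>/cgroup
    text, or None when that hierarchy is not listed for the process at all."""
    for line in proc_cgroup_text.splitlines():
        parts = line.split(":", 2)          # "<hierarchy-id>:<controllers>:<path>"
        if len(parts) != 3:
            continue
        _hierarchy_id, controllers, path = parts
        if "name=systemd" in controllers.split(","):
            return path
    return None


def session_from_path(path: str) -> Optional[str]:
    """Extract the logind session id from a systemd cgroup path, if it names one."""
    for pattern in _SESSION_PATTERNS:
        match = pattern.match(path)
        if match:
            return match.group("id")
    return None


def pid_get_session(proc_cgroup_text: str) -> Tuple[int, Optional[str]]:
    """Simplified model of sd_pid_get_session(): (0, session_id) on success,
    (-ENOENT, None) when the process cannot be mapped to a session, either
    because no 'name=systemd' hierarchy is listed or because its path is not
    a session path (the container case from the post)."""
    path = systemd_cgroup_path(proc_cgroup_text)
    if path is None:
        return -errno.ENOENT, None
    session = session_from_path(path)
    if session is None:
        return -errno.ENOENT, None
    return 0, session


def read_proc_cgroup(pid: Optional[int] = None) -> str:
    """Read /proc/<pid>/cgroup (or /proc/self/cgroup) for a live check."""
    target = "self" if pid is None else str(pid)
    with open(f"/proc/{target}/cgroup") as f:
        return f.read()


# Constructed sample: a process on the Ubuntu 14.04 host, placed in session 2
# of uid 1000 by systemd-logind (only a few hierarchies shown).
HOST_SAMPLE = """\
11:name=systemd:/user/1000.user/2.session
10:hugetlb:/user/1000.user/2.session
9:perf_event:/user/1000.user/2.session
"""

# Constructed sample: the same lookup from inside an LXC container, where every
# hierarchy path is the container's own cgroup and no session path exists.
CONTAINER_SAMPLE = """\
11:name=systemd:/lxc/ubuntu2
10:hugetlb:/lxc/ubuntu2
9:perf_event:/lxc/ubuntu2
"""


if __name__ == "__main__":
    for label, text in (("host", HOST_SAMPLE), ("container", CONTAINER_SAMPLE)):
        rc, session = pid_get_session(text)
        print(f"{label}: rc={rc} session={session!r} "
              f"systemd path={systemd_cgroup_path(text)!r}")
    try:
        rc, session = pid_get_session(read_proc_cgroup())
        print(f"this process: rc={rc} session={session!r}")
    except OSError as exc:
        print(f"cannot read /proc/self/cgroup: {exc}")
```

Running this inside the affected container is the quickest way to see which of the two failure modes applies: either /proc/<pid>/cgroup has no "name=systemd" line at all, or it has one whose path is the container's cgroup rather than a session. On a cgroup v2 host /proc/self/cgroup contains only a "0::/..." line, so this v1-style model reports ENOENT there as well.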
