[lxc-users] Unable to Start Unprivileged Containers on Debian / Jessie
Chris
berzerkatives at gmail.com
Tue Sep 23 00:16:46 UTC 2014
On 22/09/14 16:34, Serge Hallyn wrote:
> Quoting Naoki Kawakami (dolenin at parallels.com):
>> Hi Chris,
>>
>> Ensure your plato user indeed has write access to the cgroups
>> created by prep.sh and that the bash PID which would run lxc-start
>> is indeed in the tasks file of each created cgroup.
>> I remember having to edit this script because it did not work for me
>> as is (though I am not on debian-based OS).
This script seems to complete without errors, and I can see what appears
to be the desired effect in the hierarchy. Sorry for making it
confusing. "socrates" is both the unprivileged user, and the container
name. Plato is the physical machine. Putting "Controllers=cpuset cpu
cpuacct memory devices freezer net_cls blkio perf_event" into
/etc/systemd/logind.conf didn't make any difference, incidentally
(systemd version 208-8).
Can someone confirm that the script is/not the problem? Or is there
something I'm missing?
socrates@plato:~$ find /sys/fs/cgroup/ -ls | grep socrates
socrates@plato:~$ ./prep.sh
looking at blkio
[sudo] password for socrates:
looking at cgmanager
looking at cpu
looking at cpuacct
looking at cpu,cpuacct
looking at cpuset
1
looking at devices
looking at freezer
looking at net_cls
looking at perf_event
looking at systemd
socrates@plato:~$ find /sys/fs/cgroup/ -ls | grep socrates
10533 0 drwxr-xr-x 2 socrates root 60 Sep 23 00:59 /sys/fs/cgroup/cgmanager/socrates
9820 4 -rw-r--r-- 1 socrates socrates 4 Sep 23 00:59 /sys/fs/cgroup/cgmanager/socrates/tasks
10170 0 drwxr-xr-x 2 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/perf_event/socrates
10174 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/perf_event/socrates/notify_on_release
10173 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/perf_event/socrates/tasks
10172 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/perf_event/socrates/cgroup.clone_children
10171 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/perf_event/socrates/cgroup.procs
9717 0 drwxr-xr-x 2 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates
9748 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_queued_recursive
9747 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_merged_recursive
9746 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_wait_time_recursive
9745 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_service_time_recursive
9744 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_serviced_recursive
9743 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_service_bytes_recursive
9742 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.sectors_recursive
9741 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.time_recursive
9740 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_queued
9739 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_merged
9738 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_wait_time
9737 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_service_time
9736 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_serviced
9735 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.io_service_bytes
9734 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.sectors
9733 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.time
9732 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.leaf_weight
9731 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.leaf_weight_device
9730 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.weight
9729 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.weight_device
9728 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.throttle.io_serviced
9727 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.throttle.io_service_bytes
9726 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.throttle.write_iops_device
9725 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.throttle.read_iops_device
9724 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.throttle.write_bps_device
9723 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.throttle.read_bps_device
9722 0 --w------- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/blkio.reset_stats
9721 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/notify_on_release
9720 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/tasks
9719 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/cgroup.clone_children
9718 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/blkio/socrates/cgroup.procs
10843 0 drwxr-xr-x 2 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/net_cls/socrates
10848 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/net_cls/socrates/net_cls.classid
10847 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/net_cls/socrates/notify_on_release
10846 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/net_cls/socrates/tasks
10845 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/net_cls/socrates/cgroup.clone_children
10844 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/net_cls/socrates/cgroup.procs
10062 0 drwxr-xr-x 2 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/freezer/socrates
10069 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/freezer/socrates/freezer.parent_freezing
10068 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/freezer/socrates/freezer.self_freezing
10067 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/freezer/socrates/freezer.state
10066 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/freezer/socrates/notify_on_release
10065 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/freezer/socrates/tasks
10064 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/freezer/socrates/cgroup.clone_children
10063 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/freezer/socrates/cgroup.procs
10014 0 drwxr-xr-x 2 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/devices/socrates
10021 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/devices/socrates/devices.list
10020 0 --w------- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/devices/socrates/devices.deny
10019 0 --w------- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/devices/socrates/devices.allow
10018 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/devices/socrates/notify_on_release
10017 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/devices/socrates/tasks
10016 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/devices/socrates/cgroup.clone_children
10015 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/devices/socrates/cgroup.procs
9831 0 drwxr-xr-x 2 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates
9839 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates/cpuacct.stat
9838 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates/cpuacct.usage_percpu
9837 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates/cpuacct.usage
9836 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates/cpu.shares
9835 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates/notify_on_release
9834 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates/tasks
9833 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates/cgroup.clone_children
9832 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpu,cpuacct/socrates/cgroup.procs
10724 0 drwxr-xr-x 2 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates
10739 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.memory_spread_slab
10738 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.memory_spread_page
10737 0 -r--r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.memory_pressure
10736 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.memory_migrate
10735 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.sched_relax_domain_level
10734 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.sched_load_balance
10733 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.mem_hardwall
10732 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.mem_exclusive
10731 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.cpu_exclusive
10730 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.mems
10729 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cpuset.cpus
10728 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/notify_on_release
10727 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/tasks
10726 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cgroup.clone_children
10725 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/cpuset/socrates/cgroup.procs
10215 0 drwxr-xr-x 2 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/systemd/socrates
10219 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/systemd/socrates/notify_on_release
10218 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/systemd/socrates/tasks
10217 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/systemd/socrates/cgroup.clone_children
10216 0 -rw-r--r-- 1 socrates root 0 Sep 23 00:59 /sys/fs/cgroup/systemd/socrates/cgroup.procs
> Indeed it looks like that's the problem.
>
> If you are running systemd, logind should be creating your cgroups
> (and placing you in them) for you. If not, then you can install
> systemd-shim and cgmanager, which should do it for you.
I've tried both systemd and now systemd-shim/cgmanager, they both seem
to fail. The systemd/cgmanager system doesn't allocate cgroups at login
and seems to significantly impair cgroup initiation.
socrates@plato:~$ /etc/init.d/cgmanager status
[ ok ] cgmanager is running.
socrates@plato:~$ find /sys/fs/cgroup/ -ls | grep socrates
socrates@plato:~$ ./prep.sh
looking at cgmanager
[sudo] password for socrates:
socrates@plato:~$ find /sys/fs/cgroup/ -ls | grep socrates
8902 0 drwxr-xr-x 2 socrates root 60 Sep 23 01:10 /sys/fs/cgroup/cgmanager/socrates
8925 4 -rw-r--r-- 1 socrates socrates 5 Sep 23 01:10 /sys/fs/cgroup/cgmanager/socrates/tasks
root@plato:~# lxc-checkconfig | grep required
Cgroup namespace: required
root@plato:~# mount | grep cgroup
cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k)
Any thoughts? In the meantime I'll revert the system back to the default
systemd-sysv.
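
Added example (not part of the original message, and not prep.sh): a shell function that checks what Naoki's advice quoted above describes, namely that under every hierarchy the user's cgroup exists, is owned by the user, and lists the shell's PID in its tasks file. The function names, the state labels and the constructed sample tree are assumptions made for illustration; `stat -c` assumes GNU or busybox stat.

```bash
# check_user_cgroups ROOT NAME UID PID
# Prints one "<hierarchy>: <state>" line per directory under ROOT and
# returns non-zero unless every state is "ok".
check_user_cgroups() {
    local root="$1" name="$2" uid="$3" pid="$4" rc=0 dir ctrl cg state
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue      # glob matched nothing
        [ -L "$dir" ] && continue      # skip aliases such as cpu -> cpu,cpuacct
        ctrl=${dir##*/}
        cg=$dir/$name
        if [ ! -d "$cg" ]; then
            state=missing              # no cgroup was created for NAME here
        elif [ "$(stat -c %u "$cg")" != "$uid" ] ||
             [ "$(stat -c %u "$cg/tasks" 2>/dev/null)" != "$uid" ]; then
            state=not-owned            # directory or tasks file not owned by UID
        elif ! grep -qx -- "$pid" "$cg/tasks"; then
            state=pid-not-in-tasks     # cgroup is fine, but PID was never moved in
        else
            state=ok
        fi
        [ "$state" = ok ] || rc=1
        printf '%s: %s\n' "$ctrl" "$state"
    done
    return "$rc"
}

# Constructed sample (not real cgroupfs): a throw-away tree for offline runs.
# Prints the path of the temporary root it created.
make_sample_tree() {
    local root pid="$1"
    root=$(mktemp -d)
    mkdir -p "$root/blkio/socrates" "$root/freezer/socrates" "$root/memory"
    echo "$pid" > "$root/blkio/socrates/tasks"   # PID is in this cgroup
    : > "$root/freezer/socrates/tasks"           # cgroup exists, PID not in it
    ln -s blkio "$root/blkio-alias"              # stands in for a co-mount symlink
    echo "$root"
}

# On a real host, from the shell that will run lxc-start:
#   check_user_cgroups /sys/fs/cgroup socrates "$(id -u)" "$$"
```

Any hierarchy reported as anything other than `ok` is one where lxc-start, run from that shell, would not be able to create the container's cgroup as the unprivileged user.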