[lxc-users] Minor issues with unprivileged systemd containers on Debian 8

Mathias Gibbens mathias at calenhad.com
Wed Jul 22 05:55:43 UTC 2015


  Bringing this up again, since there were no replies before.

  I've been creating more Debian 8 unprivileged containers, and they
have been working great. However, I am still encountering the annoyances
listed in my initial email. Has anyone else been running into these
issues?

Thanks,
Mathias

On Thu, 2015-05-28 at 22:32 +0000, Mathias Gibbens wrote:
> Hello all,
> 
>   I've been working on moving some of my unprivileged lxc containers to
> a new Debian 8 ("jessie") host. For the most part, they are working
> really well. Thanks to everyone who has helped make this possible!
> However, I've found a few minor issues that I'm hoping I could get some
> feedback on and figure out how to fix them.
> 
>   Here are the versions of the software I'm running: cgmanager 0.37,
> lxcfs 0.9, lxc 1.1.2, systemd 215-17 (Debian package), Linux 4.0.4
> x86_64 with the grsec patch (with the various knobs tuned to allow
> unprivileged containers; if anyone's interested I can share the
> details).
> 
>   All the containers are unprivileged Debian 8 images created through
> the download template that ships with lxc.
> 
>   Throughout this email, the container name is "test", the host name is
> "narya", and the user account creating unprivileged containers is "lxc"
> accessed via SSH. The attached cgroups.sh script is run by the lxc user
> to set up cgroups before running lxc-* commands.
> 
> 
> Issue 1: When starting a container, systemd consumes 100% CPU for ~25
> seconds
> 
>   When I start an unprivileged container, it hangs for ~25 seconds
> immediately after the output "Set hostname to <test>." appears. On the
> host, I can see via `top` that the container's systemd process is
> consuming 100% of the CPU. After 25 seconds, the container continues to
> boot normally. I have attached the output of `journalctl` obtained from
> the container immediately after boot (attachment journalctl.txt).
> 
>   I don't think this is the systemd-journald 100% CPU issue, since my
> understanding is that this has been fixed. Also, the only time I've seen
> systemd consume 100% in a container is right at boot.
> 
> Issue 2: When shutting down a container, `lxc-stop` hangs for ~60
> seconds
> 
>   When I stop an unprivileged container, it shuts down promptly and I
> see the final line of output "[  OK  ] Reached target Shutdown."
> However, the command `lxc-stop` then hangs for about 60 seconds before
> finally returning to the command line. I'm not sure why this is
> happening. It's not really a big issue, unless I'm trying to do a
> `lxc-stop && lxc-start` which causes an extra 60 second delay in
> rebooting the container.
> 
> Issue 3: Within container, seeing "Failed at step CGROUP spawning" for
> services
> 
>   Occasionally I'm seeing the following sorts of errors in my
> containers' logs:
> 
>     systemd[27337]: Failed at step CGROUP spawning /etc/init.d/apache2: No such file or directory
>     systemd[27339]: Failed at step CGROUP spawning /etc/init.d/exim4: No such file or directory
> 
>   I'm not sure what's causing this, other than it seems (from my limited
> testing) to be occurring more frequently/only when the lxc user's
> environment/cgroup mapping goes away when the lxc user logs out. If I
> leave the lxc user logged in after starting my containers the above
> errors don't seem to occur. However, once lxc logs out they begin to
> appear.
> 
>   Maybe this is intended behavior? I'm still learning about systemd and
> cgroups so maybe someone else will be able to better understand the
> error.
> 
> Issue 4: On host, seeing cgmanager and lxcfs errors
> 
>   Finally, I sometimes see cgmanager and lxcfs errors in the host's logs
> (attachment cgmanager-lxcfs.txt). In this example, I restarted the sshd
> service running in a container. ssh continues to run just fine in the
> container, so I'm not sure if these errors are just supposed to be
> informative or if there's really some error occurring.
> 
> 
> 
>   Thanks for any help,
> Mathias
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users