[lxc-users] Autostart Unpriviledged Containers

Fajar A. Nugraha list at fajar.net
Sat Oct 10 06:14:06 UTC 2015


This one was a pain in the a$$

Apparently newer systemd is picky, saying "Cannot create session:
Already running in a session" if it already runs in a session (e.g.
root's session). Latest systemd have "machinectl shell"
(https://github.com/systemd/systemd/pull/1022) which should eliminate
the need to abuse sudo. However it's not in ubuntu/debian yet, so a
workaround is needed.

Here's what I did on Ubuntu Wily:

(1) on top of /etc/sudoers:
Defaults        use_pty

(2) at the bottom of /etc/pam.d/sudo
session    optional     pam_loginuid.so
session    optional     pam_systemd.so

(3) Make SURE libpam-systemd is installed (e,g "dpkg -l")

(4) Test
# bash -c 'cgm movepidabs all / $$ && sudo -u user -i cat /proc/self/cgroup'

Note the single quote, and "cgm movepidabs" command. That's the
workaround. It should print something like

10:hugetlb:/user.slice/user-1000.slice/session-47.scope
...
1:name=systemd:/user.slice/user-1000.slice/session-47.scope

The main thing is "user.slice/user-UID.slice". If you don't see your
"normal", non-0 uid there, recheck steps 1-3. See /var/log/auth.log
for possible problems.

(5) create /etc/systemd/system/lxc-autostart-user.service, Note that
you do NOT want RemainAfterExit=yes

[Unit]
Description=Autostart "user" containers

[Service]
Type=oneshot
ExecStart=/opt/lxc/autostart-user
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

(6) Create /opt/lxc/autostart-user, then make it executable (e.g. chmod 700)
#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
cgm movepidabs all / $$
sudo -u user -i -- bash -c "lxc-autostart;lxc-ls -f"

(7) Enable and test with systemd
# systemctl daemon-reload
# systemctl enable lxc-autostart-user
# systemctl start lxc-autostart-user
# systemctl status lxc-autostart-user

If all works well, you should see something like this:
root at wily:~# systemctl status lxc-autostart-user
● lxc-autostart-user.service - Autostart "user" containers
   Loaded: loaded (/etc/systemd/system/lxc-autostart-user.service;
enabled; vendor preset: enabled)
   Active: inactive (dead) since Sat 2015-10-10 13:02:55 WIB; 1s ago
  Process: 21146 ExecStart=/opt/lxc/autostart-user (code=exited,
status=0/SUCCESS)
 Main PID: 21146 (code=exited, status=0/SUCCESS)

Oct 10 13:02:54 wily systemd[1]: Starting Autostart "user" containers...
Oct 10 13:02:55 wily autostart-user[21146]: NAME    STATE    IPV4
IPV6  GROUPS  AUTOSTART
Oct 10 13:02:55 wily autostart-user[21146]:
----------------------------------------------
Oct 10 13:02:55 wily autostart-user[21146]: trusty  RUNNING  -     -
  -       YES
Oct 10 13:02:55 wily systemd[1]: Started Autostart "user" containers.

-- 
Fajar

On Sat, Oct 10, 2015 at 4:20 AM, Paul Jones <spacefreak18 at gmail.com> wrote:
> I would also like to note that when I run the script I created through the
> bash interpreter from tty it works just fine. Exactly as intended. I can
> then switch back to my user and move the tty to my new cgroup.
>
> The only time it doesn't work is when I attempt to call it from the systemd
> unit.
>
> It says i own the cgroup, but it is almost like I do not. Very weird.
>
> I can use sudo, but it isn't my preferred method. Also it has the same issue
> if I try to run it via the systemd unit.
>
> On Fri, Oct 9, 2015 at 2:18 AM, Fajar A. Nugraha <list at fajar.net> wrote:
>>
>> On Fri, Oct 9, 2015 at 7:19 AM, Paul Jones <spacefreak18 at gmail.com> wrote:
>> > I have tried this but for some reason I am having trouble.
>> >
>> > I have pastebins for my systemd unit file and the bash script it calls.
>> > http://pastebin.com/FLtLWaih
>> > http://pastebin.com/b9qM2a9J
>> >
>> > It appears as though it succesfully creates the cgroup "me", i see it,
>> > and i
>> > own it and have seemingly correct permission to it. But as my normal
>> > user I
>> > cannot move the current tty to that cgroup. I cannot even do it as root!
>>
>>
>> Try this:
>>
>> (1) on top of /etc/sudoers:
>> Defaults        use_pty
>>
>> Short version: with this, sudo will create new pty owned by the user.
>> Needed if you intend to run "screen" (or other stuff which needs
>> user-owned tty). Not needed if you only need to run "lxc-attach" or
>> "lxc-console".
>>
>> (2) at the bottom of /etc/pam.d/sudo
>> session    optional     pam_loginuid.so
>> session    optional     pam_systemd.so
>>
>> Short version: make pam_systemd create and use new cgroup owned by the
>> user when you run "sudo". With this, you can use "sudo" for
>> "lxc-autostart".
>>
>> (3) on your script ("paul" is your username, right?)
>> /usr/bin/sudo -u paul -i -- /usr/bin/lxc-autostart
>>
>> --
>> Fajar
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>
>
>
>
> --
> Time To Get an EKG, G!
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users


More information about the lxc-users mailing list