[lxc-users] Status: Debian Jessie support for unprivileged containers?
gendre.reivax at gmail.com
Wed Oct 14 18:18:16 UTC 2015
>> and i use this image in my
>> Jessie host (where i tweak my cgroups through a custom systemd service in
>> order to give ownerships to the unprivileged users).
> Could you maybe also share that custom systemd service configuration?
> Then I can continue to sit on my lazy butt and don't have to reinvent
> the wheel :-) No, I'm just really busy with a migration right now and
> it would be a great help to get this out of the way quickly! I'm not
> really up to speed with systemd yet... :-\
Here is the script i run as forking systemd service (i.e. "Type=forking"
in service file) to start an unprivileged container called 'unpriv'
which belongs to an user called 'bobby':
# List of cgroups to chown
SUBSYS="perf_event blkio net_cls,net_prio freezer devices cpu,cpuacct
# Needed to start unprivileged container
echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
# Create a dedicated cgroup and give it to 'bobby'
for S in $SUBSYS; do
mkdir -p /sys/fs/cgroup/$S/lxc-bobby
chown bobby:bobby /sys/fs/cgroup/$S/lxc-bobby
chown bobby:bobby /sys/fs/cgroup/$S/lxc-bobby/tasks
# Clean the cgroup hierarchy
for S in $SUBSYS; do
if [ -d /sys/fs/cgroup/$S/lxc-bobby/unpriv ]; then
find /sys/fs/cgroup/$S/lxc-bobby/unpriv/ -type d | tac | xargs rmdir
# Start the container
su bobby --shell /bin/bash --command " \
echo \$\$ >> /sys/fs/cgroup/perf_event/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/blkio/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/net_cls,net_prio/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/freezer/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/devices/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/cpu,cpuacct/lxc-bobby/tasks; \
echo \$\$ >> /sys/fs/cgroup/cpuset/lxc-bobby/tasks; \
lxc-start -n unpriv -d"
Maybe some steps are overkill but it works ;-) Here are some explanations:
* according to Serge Hallyn, the cgroups in SUBSYS are not all properly
needed but i never success to run my unprivileged containers without all
of them (i think that it is fixed in next versions but, with Jessie, we
are stuck to 1.0.6).
* you have to put 1 in clone_children to start unprivileged containers
(i don't know why this is not set by default in Debian but it is
correctly set in Ubuntu).
* after creating and chowning the cgroup, i clean it. It is useful when
you restart the container. Otherwise, it will name the new cgroup
'unpriv-1', 'unpriv-2', ... The trick with tac is simply to remove all
the stuff in the right order.
* thus, i add the pid in the tasks files and the unprivileged container
Hope that it helps you and your lazy butt ;-)
More information about the lxc-users