[lxc-users] Status: Debian Jessie support for unprivileged containers?
Xavier Gendre
gendre.reivax at gmail.com
Wed Oct 14 18:18:16 UTC 2015
>> and I use this image in my
>> Jessie host (where i tweak my cgroups through a custom systemd service in
>> order to give ownerships to the unprivileged users).
>
> Could you maybe also share that custom systemd service configuration?
> Then I can continue to sit on my lazy butt and don't have to reinvent
> the wheel :-) No, I'm just really busy with a migration right now and
> it would be a great help to get this out of the way quickly! I'm not
> really up to speed with systemd yet... :-\
Here is the script I run as a forking systemd service (i.e. "Type=forking"
in the service file) to start an unprivileged container called 'unpriv'
which belongs to a user called 'bobby':
<<<
#!/bin/bash
# Runs as root from the systemd service: prepares per-user cgroups, then
# drops to 'bobby' to start the container.
# List of cgroup subsystems to chown
SUBSYS="perf_event blkio net_cls,net_prio freezer devices cpu,cpuacct cpuset"
# Needed to start an unprivileged container (not set by default on Debian)
echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
# Create a dedicated cgroup in each subsystem and give it to 'bobby'
for S in $SUBSYS; do
    mkdir -p /sys/fs/cgroup/$S/lxc-bobby
    chown bobby:bobby /sys/fs/cgroup/$S/lxc-bobby
    chown bobby:bobby /sys/fs/cgroup/$S/lxc-bobby/tasks
done
# Clean the cgroup hierarchy left by a previous run, deepest directories
# first (tac reverses find's output), otherwise lxc names the new cgroup
# 'unpriv-1', 'unpriv-2', ...
for S in $SUBSYS; do
    if [ -d /sys/fs/cgroup/$S/lxc-bobby/unpriv ]; then
        find /sys/fs/cgroup/$S/lxc-bobby/unpriv/ -type d | tac | xargs rmdir
    fi
done
# Start the container as 'bobby': the escaped \$\$ is expanded by bobby's
# shell to its own pid, which is moved into each lxc-bobby cgroup before
# lxc-start daemonizes (so Type=forking sees the fork).
su bobby --shell /bin/bash --command " \
    echo \$\$ >> /sys/fs/cgroup/perf_event/lxc-bobby/tasks; \
    echo \$\$ >> /sys/fs/cgroup/blkio/lxc-bobby/tasks; \
    echo \$\$ >> /sys/fs/cgroup/net_cls,net_prio/lxc-bobby/tasks; \
    echo \$\$ >> /sys/fs/cgroup/freezer/lxc-bobby/tasks; \
    echo \$\$ >> /sys/fs/cgroup/devices/lxc-bobby/tasks; \
    echo \$\$ >> /sys/fs/cgroup/cpu,cpuacct/lxc-bobby/tasks; \
    echo \$\$ >> /sys/fs/cgroup/cpuset/lxc-bobby/tasks; \
    lxc-start -n unpriv -d"
>>>
Maybe some steps are overkill but it works ;-) Here are some explanations:
* according to Serge Hallyn, the cgroups in SUBSYS are not all strictly
needed, but I never succeeded in running my unprivileged containers without
all of them (I think that it is fixed in later versions but, with Jessie,
we are stuck at 1.0.6).
* you have to put 1 in clone_children to start unprivileged containers
(I don't know why this is not set by default in Debian, but it is
correctly set in Ubuntu).
* after creating and chowning the cgroup, I clean it. This is useful when
you restart the container; otherwise, it will name the new cgroup
'unpriv-1', 'unpriv-2', ... The trick with tac is simply to remove
everything in the right order.
* then, I add the PID to the tasks files and the unprivileged container
can start!
Hope that it helps you and your lazy butt ;-)
Xavier
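As an added example (not part of Xavier's mail), here is a preflight check that verifies the three conditions his explanations list before the service is started: clone_children is 1, each lxc-bobby cgroup and its tasks file belong to the user, and no stale 'unpriv' cgroup is left over. It assumes GNU stat; the BASE argument only exists so the function can be pointed at a scratch tree instead of /sys/fs/cgroup.

```shell
#!/bin/bash
# Preflight check for the cgroup layout the start script above expects.
# check_unpriv_cgroups BASE USER GROUP CONTAINER
#   BASE      root of the cgroup v1 mount (normally /sys/fs/cgroup)
#   USER      owner the per-user cgroups must have ('bobby' on the page)
#   GROUP     per-user cgroup name ('lxc-bobby' on the page)
#   CONTAINER container name ('unpriv' on the page)
# Returns 0 when everything is in place, 1 otherwise, printing each problem.
SUBSYS="perf_event blkio net_cls,net_prio freezer devices cpu,cpuacct cpuset"

check_unpriv_cgroups() {
    local base="$1" user="$2" grp="$3" ctr="$4" rc=0 s d
    # clone_children must be 1 or the unprivileged container will not start
    if [ "$(cat "$base/cpuset/cgroup.clone_children" 2>/dev/null)" != "1" ]; then
        echo "cpuset/cgroup.clone_children is not 1"; rc=1
    fi
    for s in $SUBSYS; do
        d="$base/$s/$grp"
        if [ ! -d "$d" ]; then
            echo "missing cgroup directory $d"; rc=1; continue
        fi
        # both the directory and its tasks file must be owned by the user,
        # otherwise the user's shell cannot write its pid into tasks
        if [ "$(stat -c %U "$d" 2>/dev/null)" != "$user" ] ||
           [ "$(stat -c %U "$d/tasks" 2>/dev/null)" != "$user" ]; then
            echo "$d or its tasks file is not owned by $user"; rc=1
        fi
        # a leftover cgroup from a previous run makes lxc use CONTAINER-1
        if [ -d "$d/$ctr" ]; then
            echo "stale cgroup $d/$ctr present (next start would use ${ctr}-1)"; rc=1
        fi
    done
    return $rc
}
```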