[lxc-users] unprivileged LXC and lxc-attach...

Serge E. Hallyn serge at hallyn.com
Sat Jul 22 00:26:40 UTC 2017


Quoting Dirk Geschke (dirk at lug-erding.de):
> Hi Serge,
> 
> > > Now I get two error messages:
> > > 
> > >    lxc_cgfs - cgroups/cgfs.c:lxc_cgroupfs_attach:2538 - could not move attached process 22869 to cgroup of container
> > >    lxc_attach - attach.c:lxc_attach:992 - Expected to receive sequence number 0: No such file or directory.
> > 
> > Ok, if you look at the source, that message is a bit misleading - lxc
> > never got around to trying to move the task into the cgroup, it failed
> > to load a suitable set of cgroups data in the first place.
> > 
> > You really should be using cgfsng, not cgfs.  Can you show your
> > cgroup layout?  (cat /proc/self/cgroup and mount | grep cgroup)
> 
> hmm, how can I use cgfsng instead of cgfs? I simply use the newest
> cgmanager and start it the usual way:
> 
>    /usr/local/sbin/cgmanager --daemon -m name=systemd

Hm, you may be running cgmanager, but lxc is not recognizing that, else
you would be using cgmanager, not cgfs, as the cgroup driver.  Since you
are running cgmanager from /usr/local/sbin, is it possible that lxc is
built looking for the cgmanager socket in a different path than what
cgmanager is providing?

> And
> 
>    $ cat /proc/self/cgroup 
>    14:name=systemd:/
>    13:pids:/
>    12:perf_event:/
>    11:net_prio:/
>    10:net_cls:/
>    9:memory:/
>    8:hugetlb:/
>    7:freezer:/
>    6:devices:/
>    5:debug:/
>    4:cpuset:/
>    3:cpuacct:/
>    2:cpu:/
>    1:blkio:/

Right, so the above shows that you do not have any cgroups which you
can manipulate.  Even freezer.  So pam_cgm (or pam_cgfs) did not create
cgroups for you.  As such, lxc recognizes that you are not allowed to
create cgroups.

>    $ mount |grep cgroup
>    cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k,mode=755)

Ok, that's a tmpfs.  Is anything mounted under that?

What does

cgm ping

show?

If that looks successful, you could try

sudo cgm create all me
sudo cgm chown all $(id -u) $(id -g)

cgm movepid all me $$

That should create a cgroup called 'me', make it owned by you, and
move your shell into that cgroup.  Then, from that shell, you should
be able to create and lxc-attach to containers.

> On older systems, where lxc-attach works, I see also:

Well this is also interesting - you're saying that lxc-attach fails, but
implying that lxc-start succeeded?  How did lxc-start succeed?  Did you
start the containers from a different shell?

>    cgmfs                 100          0       100    0% /run/cgmanager/fs
> 
> Can this cause the problem? I don't see it on the newer system...
> (I have no idea, where this mount is coming from...)
> 
> > It might help if you set the lxc.cgroup.use in your personal
> > lxc.system.conf (~/.config/lxc/lxc.conf) to only include the cgroups
> > your container needs -  just freezer is the bare minimum.  That might
> > get your container running without switching to cgfsng.
> 
> hmm, you mean ~/.config/lxc/default.conf? I added it:
> 
>    ~$ grep lxc.cgroup.use .config/lxc/default.conf 
>    lxc.cgroup.use = freezer

Yeah that won't work since the above shows you do not own your freezer
cgroup.

> But it doesn't change anything, even if I add it to
> 
>    ~/.local/share/lxc/lxc-stretch/config
> 
> It's all a little bit strange. As user root, I can use lxc-attach
> with setting the right Path via option -P. But it does not work
> with the unprivileged user, who started the container...
> 
> For me it is not a major problem, since I can attach as user
> root. And if the network is up and running, I can manage it
> via ssh. But I am a little bit irritated.
> 
> The old system works with
> 
>   cgmanager 0.33
>   lxc 1.0.7
> 
> The new system uses the newest versions:
> 
>   cgmanager 0.41
>   lxc 2.0.8
> 
> Best regards
> 
> Dirk
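
The diagnosis in this message turns on whether the user owns the cgroup their shell sits in. As an added example (not part of the original message or of LXC), the script below automates that reading of /proc/self/cgroup. It assumes a cgroup v1 layout with each hierarchy mounted at `<cgroot>/<controller>`; the function names and arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes cgroup v1 hierarchies mounted at
# <cgroot>/<controller>; function names and arguments are hypothetical.
# Usage: cgroup_delegation /proc/self/cgroup /sys/fs/cgroup "$(id -u)"

# cgroup_delegation CGFILE CGROOT UID
# For each "id:controllers:path" line of CGFILE (the /proc/<pid>/cgroup format)
# print "<controllers> <path> <state>", where state is one of:
#   unmounted      no directory for that hierarchy under CGROOT
#   delegated      the process's cgroup directory is owned by UID
#   not-delegated  the directory exists but is owned by someone else
cgroup_delegation() (
    cgfile=$1 cgroot=$2 uid=$3
    while IFS=: read -r id ctrl path; do
        [ -n "$ctrl" ] || continue            # skip a cgroup v2 "0::/..." entry
        # Named hierarchies (name=systemd) are mounted without the "name=" prefix.
        dir="$cgroot/${ctrl#name=}${path%/}"
        if [ ! -d "$dir" ]; then
            echo "$ctrl $path unmounted"
            continue
        fi
        owner=$(ls -dn "$dir" | awk '{print $3}')   # numeric owner uid
        if [ "$owner" = "$uid" ]; then
            echo "$ctrl $path delegated"
        else
            echo "$ctrl $path not-delegated"
        fi
    done < "$cgfile"
)

# can_run_unprivileged CGFILE CGROOT UID
# Succeeds only if the freezer hierarchy (the bare minimum named in the
# thread) is delegated to UID.
can_run_unprivileged() {
    cgroup_delegation "$1" "$2" "$3" | grep -q '^freezer .* delegated$'
}
```
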