[lxc-users] unprivileged LXC and lxc-attach...

Dirk Geschke dirk at lug-erding.de
Sat Jul 22 08:35:00 UTC 2017 

Hi Serge,

> > hmm, how can I use cfsng instead of cgfs? I simply use the newest
> > cgmanager and start it the usual way:
> > 
> >    /usr/local/sbin/cgmanager --daemon -m name=systemd
> 
> Hm, you may be running cgmanager, but lxc is not recognizing that else
> you would be using cgmanager, not cgfs, as the cgroup driver.  Since you
> are running cgmanager from /usr/local/sbin, is it possible that lxc is
> built looking for the cgmanager socket in a different path than what
> cgmanager is providing?

how can I find out? The only libcgmanager I have is the one in
/usr/local/lib. This one is linked against liblxc.so.1:

   $ ldd  /usr/local/lib/liblxc.so.1  |grep cgmanager
           libcgmanager.so.0 => /usr/local/lib/libcgmanager.so.0 (0x00007f53dd505000)

> > And
> > 
> >    $ cat /proc/self/cgroup 
> >    14:name=systemd:/
> >    13:pids:/
> >    12:perf_event:/
> >    11:net_prio:/
> >    10:net_cls:/
> >    9:memory:/
> >    8:hugetlb:/
> >    7:freezer:/
> >    6:devices:/
> >    5:debug:/
> >    4:cpuset:/
> >    3:cpuacct:/
> >    2:cpu:/
> >    1:blkio:/
> 
> Right, so the above shows that you do not have any cgroups which you
> can manipulate.  Even freezer.  So pam_cgm (or pam_cgfs) did not create
> cgroups for you.  As suc, lxc recognizes that you are not allowed to
> create cgroups.
> 
> >    $ mount |grep cgroup
> >    cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k,mode=755)
> 
> Ok, that's a tmpfs.  Is anything mounted under that?

no, nothing. 

> what does
> 
> cgm ping
> 
> show?

it results in 

  $ cgm ping
  $ echo $?
  0

> If that looks succesful, you could try
> 
> sudo cgm create all me
> sudo cgm chown all $(id -u) $(id -g)
> 
> cgm movepid all me $$
> 
> That should create a cgroup called 'me', make it owned by you, and
> move your shell into that cgroup.  Then, from that shell, you should
> be able to create and lxc-attach to containers.

Ah, yes, that works.

> > On older systems, where lxc-attach works, I see also:
> 
> Well this is also interesting - you're saying that lxc-attach fails, but
> implying that lxc-start succeeded?  How did lxc-start succeed?  Did you
> start the containers from a different shell?

Yes, it's started by an init script, which does all the above cgm
commands before starting the container. That works without problem.

So all I have to do is moving the shell starting lxc-attach in 
the same cgroup the LXC was started.

But why does it work on the older system? There it works without
problems:

   $ cat /proc/self/cgroup 
   14:name=systemd:/
   13:pids:/
   12:perf_event:/
   11:net_prio:/
   10:net_cls:/
   9:memory:/
   8:hugetlb:/
   7:freezer:/
   6:devices:/
   5:debug:/
   4:cpuset:/
   3:cpuacct:/
   2:cpu:/
   1:blkio:/

and

   $ lxc-attach -n lxc-squid
   root at lxc-squid:/#

So the only difference is, that I have now to move the user shell
in the cgroup before starting lxc-attach. But with older version
of lxc/cgmanager this is not necessary...

Strange, but now I have a workaround.

Best regards and many thanks for the help

Dirk

-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk at geschke-online.de / dirk at lug-erding.de  / kontakt at lug-erding.de |
+----------------------------------------------------------------------+

More information about the lxc-users mailing list