[lxc-users] Systemd Cannot Start Services within containers

[lxc at brak.space]

On 01/02/2018 08:47 PM, lxc at brak.space wrote:
> Hi all,
>
> Using plain lxc, not lxd, I got my Buster/Sid machine to start a 
> Buster container. However, it seems that systemd cannot start any 
> services. journalctl -xe reveals "failed to change ownership of 
> session keyring". If it matters I tried redis-server and boinc-client 
> systemd services and both produced this result, but work fine on a 
> physical install.
>
> Limited research shows solutions involving seccomp to blacklist 
> syscall keyctl, which I tried, and produced the same result.
>
> I did create a thread yesterday, which I resolved today simply by 
> installing the newest version of lxc available to me 2.0.9-5. I think 
> the problems I was seeing were related to apparmor, which I am afraid 
> is causing these issues too.
>
> Any help would be appreciated.
>
> Paul
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

I was able to search around and find an existing issue.

https://github.com/systemd/systemd/pull/6876

The keyctl syscalls are not setup to handle namespaces which is a 
requirement of unprivileged containers. I eventually figured out the 
right seccomp syntax to disable keyctl syscalls:

|2 blacklistkeyctl_chown errno 38 keyctl errno 38|


What I don't understand is how was this not a problem before, and why 
isn't this in the default lxc config files for debian. And if this is 
worth reporting to the debian packaging team.

I still have a problem starting the boinc service related to keyctl, but 
the problem is resolved if I modify the systemd unit file to not switch 
to the boinc user and remain as root instead.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20180106/1e8b8a2d/attachment.html>