[lxc-users] /proc hidepid=2 in unprivileged LXC containers, and stopping containers properly on Debian with systemd

Fri Nov 16 10:27:34 UTC 2018

Hello LXC/LXD users!

I'm Maciej and this is my first post on the lxc-users mailing list. I'm
writing an Ansible role to configure and manage a LXC environment based on
Debian Stretch (currently no LXD support due to LXD not being present in the
Debian Stable release yet), for production environments. I have encountered
two issues with this container setup, I wonder if anybody knows some better
solutions.

I'm not sure if there's a way to configure the hidepid=2 option in
unprivileged LXC containers, started by root, without modifying the default
Debian packages in some way. After googling for a bit I've found this forum
thread:
https://discuss.linuxcontainers.org/t/hidepid-2-not-working-in-lxc/2060/17

But solutions there seem to be only usable with Proxmox, and not stock Debian
Stretch with LXC 2.0.7 install. Has anybody been able to mount /proc with
hdepid=2,gid=70 or similar set of options in unprivileged LXC containers?
Privileged containers seem to work fine, but that's probably a given. It's not
a pressing issue though, I can live with container processes visible for now.

The other issue is with stopping the LXC containers using the 'lxc-stop'
command. I know that this is related to the systemd inside of the container
not configured properly to respond to SIGPWR signal, and I saw some solutions
to this issue:
https://bugs.debian.org/831691
https://lists.linuxcontainers.org/pipermail/lxc-users/2017-February/012827.html
https://github.com/lxc/lxd/issues/2947

The behaviour I'm experiencing on Debian Stretch is that after issuing the
'lxc-stop -n <container>' command the container begins the shutdown procedure
but stops after "Stopped Network Service" unit. Terminating the 'lxc-stop'
command with ^C and running it again finishes the container shutdown. However,
this procedure seems to be a bit complicated to implement with the
'lxc.service' unit, so that system shutdown correctly stops the services
inside of the containers, not to mention that currently they just reach the
60s timeout and are forcibly killed anyway.

I decided to switch to using 'lxc at .service' system instances to run the
containers. This allows me to, via the ExecStop= parameter, attach to the
running container and execute 'systemctl --no-block poweroff' command to stop
the container "from the inside", which properly shutdowns the services inside
of the container and exits without reaching the timeout. However, this
solution seems to be counter-intuitive and does not integrate well with lxc-*
commands like lxc-stop or lxc-destroy. The final status of the systemd
instance can result in the failed state with LXC containers that contain lots
of services, or are destroyed with lxc-destroy command without stopping the
container first via systemd, but that I can live with. I just wonder if the
proposed solution could be improved without modifying official Debian
packages.

Thanks for reading and have a nice day.
Maciej Delmanowski