[lxc-users] Disappearing cgroups
Serge E. Hallyn
serge at hallyn.com
Wed Oct 2 22:12:34 UTC 2019
On Tue, Oct 01, 2019 at 11:56:58AM +0100, Ben Green wrote:
> Hi all,
>
> another troubling question from me. This has been stopping me using LXC for
> production environments for a good few years now. The problem persists with
> LXC 3.0 so I'm finally trying to get some help (got nothing on the IRC when
> I tried).
>
> I have a number of containers that I have running via my unprivileged user
> account, 'lxcadmin'. They function fine, except for one thing. Their cgroup
> membership disappears on occasion.
>
> I've set the groups I want to be loaded in /etc/pam.d/common-session and
> /etc/pam.d/common-session-noninteractive like this:
>
> session optional pam_cgfs.so -c blkio,cpu,cpuacct,cpuset,devices,freezer,memory,net_cls,net_prio,perf_event,name=systemd
>
> Those options seem to propagate fine. I can run containers in two ways:
>
> 1/ By logging in as root, then su - lxcadmin.
> 2/ By logging in as lxcadmin directly via ssh.
>
> When I do 1/ - cgroups live at
> /sys/fs/cgroup/memory/user/lxcadmin/0/lxc.payload/<container_name>/
> When I do 2/ - cgroups live at /sys/fs/cgroup/memory/user.slice/user-202.slice/session-2074.scope/lxc.payload/<container_name>
> or similar.
>
> I'm not sure which is preferable for security. I assume this is a systemd
> thing. In any case, I lose cgroups for sure when using 2/. Some of them just
> disappear, not sure why. I've logged in again at some point and a few cgroups
> have disappeared, blkio is gone for example.
>
> In LXC 2.0 the memory cgroup directory had disappeared for the container,
> which made the container too dangerous to use. Now in LXC 3.0 I lose a few
> others, but memory is maintained.
>
> So questions:
>
> * How can I find out why the cgroups are disappearing? I've found nothing in
> the logs. Any help
> * Which user should I be logging in as?
> * A long shot perhaps, but, why are my cgroups disappearing?

I would guess that the reason they are disappearing is that systemd is
using the cgroup to kill all processes on logout, and so then deleting
the cgroup. If you set KillUserProcesses=no in /etc/systemd/logind.conf,
does that help?
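
An added example, not part of either message above: one way to see which of the controllers requested on the pam_cgfs.so line a container's init process still belongs to, and whether KillUserProcesses is set in logind.conf. It assumes cgroup v1 `/proc/<pid>/cgroup` text as input; the container name `web1`, the sample lines and the function names are constructed for illustration.

```python
import re

# Controllers requested on the pam_cgfs.so line quoted in the thread.
EXPECTED = ("blkio,cpu,cpuacct,cpuset,devices,freezer,memory,"
            "net_cls,net_prio,perf_event,name=systemd").split(",")

def parse_proc_cgroup(text):
    """Map each cgroup v1 controller to its path from /proc/<pid>/cgroup text."""
    paths = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # hierarchy-id:controllers:path
        if len(parts) != 3 or not parts[1]:  # skip junk and the v2 "0::" entry
            continue
        for ctrl in parts[1].split(","):     # e.g. "cpu,cpuacct" share one path
            paths[ctrl] = parts[2]
    return paths

def audit(text, container):
    """Classify every expected controller for one container's init process."""
    paths = parse_proc_cgroup(text)
    suffix = "/lxc.payload/" + container
    report = {}
    for ctrl in EXPECTED:
        path = paths.get(ctrl)
        if path is None or not path.endswith(suffix):
            report[ctrl] = "lost"            # not in the container's own cgroup
        elif re.search(r"/session-[^/]+\.scope/", path):
            report[ctrl] = "session-scoped"  # under a logind session scope
        else:
            report[ctrl] = "present"
    return report

def kill_user_processes(conf_text):
    """Return the last uncommented KillUserProcesses value in logind.conf text, or None."""
    found = re.findall(r"^\s*KillUserProcesses\s*=\s*(\S+)", conf_text, re.M)
    return found[-1].lower() if found else None

# Constructed sample: init of container "web1" after some controllers vanished.
SAMPLE = """\
11:memory:/user.slice/user-202.slice/session-2074.scope/lxc.payload/web1
9:cpu,cpuacct:/user/lxcadmin/0/lxc.payload/web1
7:blkio:/
5:devices:/user.slice/user-202.slice/session-2074.scope
1:name=systemd:/user.slice/user-202.slice/session-2074.scope/lxc.payload/web1
0::/user.slice/user-202.slice/session-2074.scope
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "web1"))
```

On a live host the input would be the contents of `/proc/<pid>/cgroup` for the PID reported by `lxc-info -n <container_name> -p`, captured before and after the ssh session ends so the two reports can be compared.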