[lxc-users] Help needed: lxc unpriv. containers and debian buster sysvinit

Serge E. Hallyn serge at hallyn.com
Fri Feb 14 23:41:20 UTC 2020


On Mon, Jan 27, 2020 at 05:04:01PM +0100, mlftp at pep.foundation wrote:
> Hi, 
> 
> I am currently trying to figure out how to run lxc on debian with sysvinit.
> I am stuck at the lxc.conf file respectively on /usr/share/lxc/config.
> 
> I get an error when I try to launch my container: 
> 
> lxc-start: test: cgroups/cgfsng.c: cg_hybrid_get_controllers: 746 Found hierarchy not under /sys/fs/cgroup: "/sys/fs/cgroup rw,relatime - cgroup cgroup rw,cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,net_prio,pids,rdma "
>  lxc-start: test: lsm/apparmor.c: make_apparmor_namespace: 761 Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-test_<-home-melodie-.local-share-lxc>
> lxc-start: test: lsm/apparmor.c: apparmor_prepare: 980 Failed to load generated AppArmor profile
> lxc-start: test: start.c: lxc_init: 899 Failed to initialize LSM
> lxc-start: test: start.c: __lxc_start: 1917 Failed to initialize container "test"
> 
> Usually systemd does the cgroup stuff, said documentation and research. Before I had lxc running on Debian with sysvinit but as privileged containers.
> 
> Has anyone made similar experiences?
> Is there some documentation about manually working with cgroups and unprivileged containers on debian buster?
> Can anyone point me to the right documentation please?
> 
> I hope to save some time.

Been a while so hopefully you've solved this by now?  Find out where the
/sys/fs/cgroup mount is being done, and make it mount under /sys/fs/cgroup/all.
Better would be to also split them up so you have /sys/fs/cgroup/$controller
for each line in /proc/cgroups.

-serge
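
The per-controller layout suggested in the reply above, as an added example that is not part of the original thread: it reads /proc/cgroups-format text and prints, without running them, the commands for one cgroup v1 mount per controller. The function name plan_mounts, the tmpfs base mount and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: plan one cgroup v1 hierarchy per controller under a base
# directory, driven by the lines of /proc/cgroups. Commands are printed only.

# Constructed sample in /proc/cgroups format (columns: name, hierarchy id,
# number of cgroups, enabled). On a real host, feed /proc/cgroups instead.
SAMPLE_PROC_CGROUPS='#subsys_name hierarchy num_cgroups enabled
cpuset 0 1 1
cpu 0 1 1
memory 0 1 0
devices 0 1 1
freezer 3 1 1
pids 0 1 1'

# plan_mounts BASE: read /proc/cgroups text on stdin, print the mount plan.
plan_mounts() {
    awk -v base="${1:-/sys/fs/cgroup}" '
        BEGIN {
            # tmpfs at the base so the per-controller directories can be created
            printf "mount -t tmpfs -o mode=0755,nosuid,nodev,noexec cgroup_root %s\n", base
        }
        /^#/ || NF < 4 { next }                      # header or malformed line
        $4 != 1 {                                    # controller disabled in the kernel
            printf "# %s: disabled, skipped\n", $1
            next
        }
        $2 != 0 {                                    # non-zero id: already mounted somewhere
            printf "# NOTE %s is already attached to hierarchy %s (check /proc/mounts before remounting)\n", $1, $2
        }
        {
            printf "mkdir -p %s/%s\n", base, $1
            printf "mount -t cgroup -o %s,nosuid,nodev,noexec cgroup %s/%s\n", $1, base, $1
        }'
}

# Print the plan for the constructed sample.
printf '%s\n' "$SAMPLE_PROC_CGROUPS" | plan_mounts /sys/fs/cgroup
```

On a real system run `plan_mounts /sys/fs/cgroup < /proc/cgroups` and review the output before executing any of it as root; the existing combined mount at /sys/fs/cgroup has to be removed first, since a v1 controller can belong to only one hierarchy.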