[lxc-users] Trying to create a lxc container for running Visual Studio Code
Peter Carlsson
peter.jm.carlsson at gmail.com
Fri Feb 19 08:53:09 UTC 2021
On Wed, Feb 17, 2021 at 11:17:01PM -0600, Serge E. Hallyn wrote:
> > >
> > > dpkg -l libpam-cgfs
> > > ii libpam-cgfs 1:3.1.0+really3.0.3-8 i386 PAM module for managing cgroups for LXC
> > >
> > > My /etc/pam.d/common-session already had a similar line (the last one)
> > > but I added your suggestion as well.
> > >
> > > # here are the per-package modules (the "Primary" block)
> > > session [default=1] pam_permit.so
> > > # here's the fallback if no module succeeds
> > > session requisite pam_deny.so
> > > # prime the stack with a positive return value if there isn't one already;
> > > # this avoids us returning an error just because nothing sets a success code
> > > # since the modules above will each just jump around
> > > session required pam_permit.so
> > > # and here are more per-package modules (the "Additional" block)
> > > session required pam_unix.so
> > > session optional pam_winbind.so
> > > session optional pam_systemd.so
> > > session optional pam_cgfs.so -c freezer,memory,name=systemd
> > > # end of pam-auth-update config
> > >
> > > # Added by Peter Carlsson 2021-02-12 for lxc
> > > common-session:session optional pam_cgfs.so -c freezer,memory,name=systemd
> > >
> > > I also ran pam-auth-update as suggested in the file but I still get:
> > >
> > > lxc-start -n VisualStudioCode -F
> > > Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > > [!!!!!!] Failed to mount API filesystems.
> > > Exiting PID 1...
> > >
> > > Thanks for all your help!
> > >
> > > Best regards,
> > > Peter Carlsson
>
> (Sorry for the delay)

No problem. I really appreciate all your help!

> > I decided to remove the line from /etc/pam.d/common-session again since
> > I think the line you were suggesting was already in the file.
>
> Yeah you don't want it twice.
>
> > But still the same error message.
>
> On my laptop, my unprivileged container has:
>
> cat /proc/3773/cgroup
> 12:net_cls,net_prio:/
> 11:pids:/user.slice/user-1000.slice/session-2.scope
> 10:hugetlb:/
> 9:memory:/user.slice/user-1000.slice/session-2.scope
> 8:cpu,cpuacct:/user.slice
> 7:blkio:/user.slice
> 6:freezer:/user/serge/0/lxc.payload.mail
> 5:rdma:/
> 4:perf_event:/
> 3:cpuset:/
> 2:devices:/user.slice
> 1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
> 0::/user.slice/user-1000.slice/session-2.scope
>
> So the systemd cgroup is
>
> /user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
>
> where the first part
>
> /user.slice/user-1000.slice/session-2.scope
>
> was inherited from my login shell, and
>
> serge at sl ~$ ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope/
> total 0
> -rw-r--r-- 1 root root 0 Feb 17 23:16 cgroup.clone_children
> -rw-r--r-- 1 root root 0 Feb 17 23:16 cgroup.procs
> drwxr-xr-x 2 serge serge 0 Feb 1 08:32 lxc.monitor.mail
> drwxrwxr-x 5 serge 100000 0 Feb 1 08:32 lxc.payload.mail
> drwxr-xr-x 2 serge serge 0 Feb 9 22:13 lxc.pivot
> -rw-r--r-- 1 root root 0 Feb 17 23:16 notify_on_release
> -rw-r--r-- 1 root root 0 Feb 17 23:16 tasks

I finally got it working by changing the permissions!

ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
totalt 0
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.clone_children
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.procs
drwxr-x--- 2 peter peter 0 feb 17 22:23 lxc
-rw-r--r-- 1 root root 0 feb 18 16:11 notify_on_release
-rw-r--r-- 1 root root 0 feb 18 16:11 tasks

chown peter:100000 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/lxc

ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
totalt 0
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.clone_children
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.procs
drwxr-x--- 2 peter 100000 0 feb 17 22:23 lxc
-rw-r--r-- 1 root root 0 feb 18 16:11 notify_on_release
-rw-r--r-- 1 root root 0 feb 18 16:11 tasks

Do you think this problem was caused by not having the correct settings
when I initially created the container or could I have prevented this in
any way?

Just to encounter the next problem... But maybe that has not so much to
do about lxc specifically.

I want to run Visual Studio Code inside the lxc container.
After I have done a lxc-attach and installed Visual Studio Code and all
dependencies I run this command:

code-insiders --user-data-dir /home/peter

Nothing shows and my guess is that I somehow need to tell the lxc
container to export the visual presentation to the host?

/Peter
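
Added example, not part of the original message: a small Python check of the ownership change shown above. It finds a process's name=systemd cgroup path and reports which rwx bits the container's root (host id 100000, as in the ls output) gets on that directory. The sample cgroup text is constructed, peter's uid/gid of 1000 is an assumption, and the function names are hypothetical.

```python
import os
import stat

# Constructed sample modelled on the /proc/<pid>/cgroup listing quoted in the thread.
SAMPLE_CGROUP = """\
9:memory:/user.slice/user-1000.slice/session-17.scope
6:freezer:/user/peter/0/lxc
1:name=systemd:/user.slice/user-1000.slice/session-17.scope/lxc
0::/user.slice/user-1000.slice/session-17.scope
"""

def controller_path(cgroup_text, controller="name=systemd"):
    """Return the cgroup path of one v1 controller from /proc/<pid>/cgroup text."""
    for line in cgroup_text.splitlines():
        # Format is hierarchy-id:controller-list:path; split at most twice.
        _, controllers, path = line.split(":", 2)
        if controller in controllers.split(","):
            return path
    return None

def access_for(host_uid, host_gid, st_uid, st_gid, st_mode):
    """Return the rwx triplet that plain mode bits give (host_uid, host_gid).

    Simplification: supplementary groups, ACLs and capabilities are ignored.
    """
    perms = stat.S_IMODE(st_mode)
    if host_uid == st_uid:
        bits = perms >> 6          # owner class
    elif host_gid == st_gid:
        bits = perms >> 3          # group class
    else:
        bits = perms               # other class
    bits &= 0o7
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))

def check_live(pid, host_id, root="/sys/fs/cgroup/systemd"):
    """On a cgroup v1 host: path and access of host_id for a running process."""
    with open(f"/proc/{pid}/cgroup") as fh:
        path = controller_path(fh.read())
    st = os.stat(root + path)
    return path, access_for(host_id, host_id, st.st_uid, st.st_gid, st.st_mode)

if __name__ == "__main__":
    print(controller_path(SAMPLE_CGROUP))
    # Owner, group and mode as in the two ls -l listings (peter assumed to be 1000:1000).
    print("before chown:", access_for(100000, 100000, 1000, 1000, 0o750))
    print("after chown: ", access_for(100000, 100000, 1000, 100000, 0o750))
```
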