[lxc-users] Trying to create a lxc container for running Visual Studio Code

Peter Carlsson peter.jm.carlsson at gmail.com
Fri Feb 19 08:53:09 UTC 2021 

On Wed, Feb 17, 2021 at 11:17:01PM -0600, Serge E. Hallyn wrote:
> > > 
> > >   dpkg -l libpam-cgfs
> > >     ii  libpam-cgfs    1:3.1.0+really3.0.3-8 i386         PAM module for managing cgroups for LXC
> > > 
> > > My /etc/pam.d/common-session already had a similar line (the last one)
> > > but I added your suggestion as well.
> > > 
> > >   # here are the per-package modules (the "Primary" block)
> > >   session [default=1]                     pam_permit.so
> > >   # here's the fallback if no module succeeds
> > >   session requisite                       pam_deny.so
> > >   # prime the stack with a positive return value if there isn't one already;
> > >   # this avoids us returning an error just because nothing sets a success code
> > >   # since the modules above will each just jump around
> > >   session required                        pam_permit.so
> > >   # and here are more per-package modules (the "Additional" block)
> > >   session required        pam_unix.so
> > >   session optional                        pam_winbind.so
> > >   session optional        pam_systemd.so
> > >   session optional        pam_cgfs.so -c freezer,memory,name=systemd
> > >   # end of pam-auth-update config
> > > 
> > >   # Added by Peter Carlsson 2021-02-12 for lxc
> > >   common-session:session  optional        pam_cgfs.so -c freezer,memory,name=systemd
> > > 
> > > I also ran pam-auth-update as suggested in the file but I still get:
> > > 
> > >   lxc-start -n VisualStudioCode -F
> > >     Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > >     [!!!!!!] Failed to mount API filesystems.
> > >     Exiting PID 1...
> > > 
> > > Thanks for all your help!
> > > 
> > > Best regards,
> > > Peter Carlsson
> 
> (Sorry for the delay)

No problem. I really appreciate all your help!
 
> > I decided to remove the line from /etc/pam.d/common-session again since
> > I think I the line you were suggesting was already in the file.
> 
> Yeah you don't want it twice.
> 
> > But still the same error message.
> 
> On my laptop, my unprivileged container has:
> 
> cat /proc/3773/cgroup
> 12:net_cls,net_prio:/
> 11:pids:/user.slice/user-1000.slice/session-2.scope
> 10:hugetlb:/
> 9:memory:/user.slice/user-1000.slice/session-2.scope
> 8:cpu,cpuacct:/user.slice
> 7:blkio:/user.slice
> 6:freezer:/user/serge/0/lxc.payload.mail
> 5:rdma:/
> 4:perf_event:/
> 3:cpuset:/
> 2:devices:/user.slice
> 1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
> 0::/user.slice/user-1000.slice/session-2.scope
> 
> So the systemd cgroup is
> 
> /user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
> 
> where the first part
> 
> /user.slice/user-1000.slice/session-2.scope
> 
> was inherited from my login shell, and
> 
> serge at sl ~$ ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope/
> total 0
> -rw-r--r-- 1 root  root   0 Feb 17 23:16 cgroup.clone_children
> -rw-r--r-- 1 root  root   0 Feb 17 23:16 cgroup.procs
> drwxr-xr-x 2 serge serge  0 Feb  1 08:32 lxc.monitor.mail
> drwxrwxr-x 5 serge 100000 0 Feb  1 08:32 lxc.payload.mail
> drwxr-xr-x 2 serge serge  0 Feb  9 22:13 lxc.pivot
> -rw-r--r-- 1 root  root   0 Feb 17 23:16 notify_on_release
> -rw-r--r-- 1 root  root   0 Feb 17 23:16 tasks

I finally got it working by changing the permissions!

  ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
    totalt 0
    -rw-r--r-- 1 root  root  0 feb 18 16:11 cgroup.clone_children
    -rw-r--r-- 1 root  root  0 feb 18 16:11 cgroup.procs
    drwxr-x--- 2 peter peter 0 feb 17 22:23 lxc
    -rw-r--r-- 1 root  root  0 feb 18 16:11 notify_on_release
    -rw-r--r-- 1 root  root  0 feb 18 16:11 tasks

  chown peter:100000 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/lxc

  ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
    totalt 0
    -rw-r--r-- 1 root  root   0 feb 18 16:11 cgroup.clone_children
    -rw-r--r-- 1 root  root   0 feb 18 16:11 cgroup.procs
    drwxr-x--- 2 peter 100000 0 feb 17 22:23 lxc
    -rw-r--r-- 1 root  root   0 feb 18 16:11 notify_on_release
    -rw-r--r-- 1 root  root   0 feb 18 16:11 tasks

Do you think this problem was caused by not having the correct settings
when I initially created the container or could I have prevented this in
any way?

Just to encounter the next problem... But maybe that has not so much to
do about lxc specifically.

I want to run Visual Studio Code inside the lxc container.

After I have done a lxc-attach and installed Visual Studio Code and all
dependencies I run this command:

  code-insiders --user-data-dir /home/peter

Nothing shows and my guess is that I somehow need to tell the lxc
container to export the visual presentation to the host?

/Peter

More information about the lxc-users mailing list