[lxc-users] Trying to create a lxc container for running Visual Studio Code

Peter Carlsson peter.jm.carlsson at gmail.com
Mon Feb 22 19:25:08 UTC 2021


On Fri, Feb 19, 2021 at 11:27:23AM -0600, Serge E. Hallyn wrote:
> On Fri, Feb 19, 2021 at 09:53:09AM +0100, Peter Carlsson wrote:
> > On Wed, Feb 17, 2021 at 11:17:01PM -0600, Serge E. Hallyn wrote:
> > > > > 
> > > > >   dpkg -l libpam-cgfs
> > > > >     ii  libpam-cgfs    1:3.1.0+really3.0.3-8 i386         PAM module for managing cgroups for LXC
> > > > > 
> > > > > My /etc/pam.d/common-session already had a similar line (the last one)
> > > > > but I added your suggestion as well.
> > > > > 
> > > > >   # here are the per-package modules (the "Primary" block)
> > > > >   session [default=1]                     pam_permit.so
> > > > >   # here's the fallback if no module succeeds
> > > > >   session requisite                       pam_deny.so
> > > > >   # prime the stack with a positive return value if there isn't one already;
> > > > >   # this avoids us returning an error just because nothing sets a success code
> > > > >   # since the modules above will each just jump around
> > > > >   session required                        pam_permit.so
> > > > >   # and here are more per-package modules (the "Additional" block)
> > > > >   session required        pam_unix.so
> > > > >   session optional                        pam_winbind.so
> > > > >   session optional        pam_systemd.so
> > > > >   session optional        pam_cgfs.so -c freezer,memory,name=systemd
> > > > >   # end of pam-auth-update config
> > > > > 
> > > > >   # Added by Peter Carlsson 2021-02-12 for lxc
> > > > >   common-session:session  optional        pam_cgfs.so -c freezer,memory,name=systemd
> > > > > 
> > > > > I also ran pam-auth-update as suggested in the file but I still get:
> > > > > 
> > > > >   lxc-start -n VisualStudioCode -F
> > > > >     Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > > > >     [!!!!!!] Failed to mount API filesystems.
> > > > >     Exiting PID 1...
> > > > > 
> > > > > Thanks for all your help!
> > > > > 
> > > > > Best regards,
> > > > > Peter Carlsson
> > > 
> > > (Sorry for the delay)
> > 
> > No problem. I really appreciate all your help!
> >  
> > > > I decided to remove the line from /etc/pam.d/common-session again since
> > > > I think the line you were suggesting was already in the file.
> > > 
> > > Yeah you don't want it twice.
> > > 
> > > > But still the same error message.
> > > 
> > > On my laptop, my unprivileged container has:
> > > 
> > > cat /proc/3773/cgroup
> > > 12:net_cls,net_prio:/
> > > 11:pids:/user.slice/user-1000.slice/session-2.scope
> > > 10:hugetlb:/
> > > 9:memory:/user.slice/user-1000.slice/session-2.scope
> > > 8:cpu,cpuacct:/user.slice
> > > 7:blkio:/user.slice
> > > 6:freezer:/user/serge/0/lxc.payload.mail
> > > 5:rdma:/
> > > 4:perf_event:/
> > > 3:cpuset:/
> > > 2:devices:/user.slice
> > > 1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
> > > 0::/user.slice/user-1000.slice/session-2.scope
> > > 
> > > So the systemd cgroup is
> > > 
> > > /user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
> > > 
> > > where the first part
> > > 
> > > /user.slice/user-1000.slice/session-2.scope
> > > 
> > > was inherited from my login shell, and
> > > 
> > > serge at sl ~$ ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope/
> > > total 0
> > > -rw-r--r-- 1 root  root   0 Feb 17 23:16 cgroup.clone_children
> > > -rw-r--r-- 1 root  root   0 Feb 17 23:16 cgroup.procs
> > > drwxr-xr-x 2 serge serge  0 Feb  1 08:32 lxc.monitor.mail
> > > drwxrwxr-x 5 serge 100000 0 Feb  1 08:32 lxc.payload.mail
> > > drwxr-xr-x 2 serge serge  0 Feb  9 22:13 lxc.pivot
> > > -rw-r--r-- 1 root  root   0 Feb 17 23:16 notify_on_release
> > > -rw-r--r-- 1 root  root   0 Feb 17 23:16 tasks
> > 
> > I finally got it working by changing the permissions!
> > 
> >   ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
> >     totalt 0
> >     -rw-r--r-- 1 root  root  0 feb 18 16:11 cgroup.clone_children
> >     -rw-r--r-- 1 root  root  0 feb 18 16:11 cgroup.procs
> >     drwxr-x--- 2 peter peter 0 feb 17 22:23 lxc
> >     -rw-r--r-- 1 root  root  0 feb 18 16:11 notify_on_release
> >     -rw-r--r-- 1 root  root  0 feb 18 16:11 tasks
> > 
> >   chown peter:100000 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/lxc
> > 
> >   ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
> >     totalt 0
> >     -rw-r--r-- 1 root  root   0 feb 18 16:11 cgroup.clone_children
> >     -rw-r--r-- 1 root  root   0 feb 18 16:11 cgroup.procs
> >     drwxr-x--- 2 peter 100000 0 feb 17 22:23 lxc
> >     -rw-r--r-- 1 root  root   0 feb 18 16:11 notify_on_release
> >     -rw-r--r-- 1 root  root   0 feb 18 16:11 tasks
> > 
> > Do you think this problem was caused by not having the correct settings
> > when I initially created the container or could I have prevented this in
> > any way?
> 
> Oh.  Yes, it's possible.  This points to a limitation in how we are
> doing the cgroup handling - it should be perfectly fine for you to
> create several unprivileged containers with disjoint subids.  But
> this suggests that the second such container would fail.
> 
> @Christian ^  I haven't tested, but we may want to think about this.
> If it is a problem, maybe we should use acls.
> 
> > Just to encounter the next problem... But maybe that has not so much to
> > do about lxc specifically.
> > 
> > I want to run Visual Studio Code inside the lxc container.
> > 
> > After I have done a lxc-attach and installed Visual Studio Code and all
> > dependencies I run this command:
> > 
> >   code-insiders --user-data-dir /home/peter
> > 
> > Nothing shows and my guess is that I somehow need to tell the lxc
> > container to export the visual presentation to the host?
> 
> Yes, exactly.  A good example from Stéphane is here:
> 
> https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

After creating some missing directories and adjusting the privileges I
got this working too!

Thanks for all your help!

Best regards,
Peter Carlsson
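A small diagnostic for the cgroup ownership problem discussed above, added here as an example and not code from the thread or from LXC. It assumes cgroup v1 with the name=systemd hierarchy mounted at /sys/fs/cgroup/systemd, that the per-user directory created under the session cgroup is named "lxc" as in Peter's listing, and that the container's root gid maps to host gid 100000 (the first subgid in the thread); the sample /proc/<pid>/cgroup text is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumes cgroup v1, a name=systemd
# hierarchy at /sys/fs/cgroup/systemd, and container root mapped to gid 100000.

# Print the name=systemd cgroup of a process, given /proc/<pid>/cgroup text on stdin.
systemd_cgroup_path() {
    awk -F: '$2 == "name=systemd" { print $3; exit }'
}

# Return 0 if the group field of an `ls -l`/`ls -ln` line equals the expected gid.
check_lxc_dir_group() {
    line="$1"; want_gid="$2"
    got_gid=$(printf '%s\n' "$line" | awk '{ print $4 }')
    [ "$got_gid" = "$want_gid" ]
}

# Live check on a real host: find this session's systemd cgroup and verify that the
# per-user lxc directory under it is group-owned by the container's mapped root gid.
diagnose() {
    want_gid="${1:-100000}"
    base="${2:-/sys/fs/cgroup/systemd}"
    path=$(systemd_cgroup_path < /proc/self/cgroup)
    dir="$base$path/lxc"
    if [ ! -d "$dir" ]; then
        echo "no $dir (name=systemd not mounted, or pam_cgfs did not create it)"
        return 2
    fi
    # ls -n prints numeric uid/gid, so an unnamed subgid compares cleanly
    if check_lxc_dir_group "$(ls -ldn "$dir")" "$want_gid"; then
        echo "ok: $dir is group-owned by $want_gid"
    else
        echo "mismatch: group is $(ls -ldn "$dir" | awk '{ print $4 }'), expected $want_gid"
        echo "fix used in the thread: chown $(id -un):$want_gid $dir"
        return 1
    fi
}

# Constructed sample in the shape of /proc/<pid>/cgroup from the thread.
SAMPLE_CGROUP='12:net_cls,net_prio:/
1:name=systemd:/user.slice/user-1000.slice/session-17.scope
0::/user.slice/user-1000.slice/session-17.scope'

# Run the live check only when asked, e.g.: sh diag.sh --live 100000
if [ "${1:-}" = "--live" ]; then diagnose "${2:-100000}"; fi
```

Running it with --live before `lxc-start` tells you whether the "Permission denied" on /sys/fs/cgroup/systemd is the ownership case from this thread rather than a PAM configuration problem.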

