Re: [libvirt] systemd, LXC and user namespaces

Hi! I'm trying to get rid of a hack to make systemd (kind of) work in Linux containers on libvirt. The hack can be found in the first mail of [0]. systemd folks told me that systemd needs a name=systemd cgroup [0], which makes perfectly sense to me. I found that libvirt does this already, but uid 0 within the container is not allowed to access it. (Maybe as Kay noted a chmod() is missing) Now I'm wondering whether this is simply not supported in libvirt (I'm on 1.2.1) or am I doing something horrible wrong.

This is my domain: ---cut--- <domain type='lxc'> <name>my2ndcontainer</name> <memory>524288</memory> <os> <type>exe</type> <init>/bin/bash</init> </os> <idmap> <!-- here be dragons, the mapping is non-linear --> <uid start='0' target='100000' count='998'/> <gid start='0' target='100000' count='998'/> <uid start='65533' target='100998' count='2'/> <gid start='65533' target='100998' count='2'/> </idmap> <devices> <console type='pty'/> <filesystem type='mount'> <source dir='/home/container//my2ndcontainer/rootfs'/> <target dir='/'/> </filesystem> <interface type='bridge'> <source bridge='br0'/> <mac address='4a:19:0a:01:01:a4'/> </interface> </devices> </domain> ---cut--- Within my domain:

test1:/ # ls -la /sys/fs/cgroup/systemd total 0 drwxr-xr-x 2 nobody nogroup 0 Feb 6 09:05 . drwxr-xr-x 11 root root 260 Feb 6 09:05 .. -rw-r--r-- 1 nobody nogroup 0 Feb 6 09:05 cgroup.clone_children --w--w--w- 1 nobody nogroup 0 Feb 6 09:05 cgroup.event_control -rw-r--r-- 1 nobody nogroup 0 Feb 6 09:05 cgroup.procs -rw-r--r-- 1 nobody nogroup 0 Feb 6 09:05 notify_on_release -rw-r--r-- 1 nobody nogroup 0 Feb 6 09:05 tasks