
On Thu, Feb 06, 2014 at 10:36:09AM +0100, Richard Weinberger wrote:
Hi!
I'm trying to get rid of a hack to make systemd (kind of) work in Linux containers on libvirt. The hack can be found in the first mail of [0]. systemd folks told me that systemd needs a name=systemd cgroup [0], which makes perfect sense to me.
I found that libvirt does this already, but uid 0 within the container is not allowed to access it. (Maybe, as Kay noted, a chmod() is missing.) Now I'm wondering whether this is simply not supported in libvirt (I'm on 1.2.1) or whether I am doing something horribly wrong.
The configuration looks fine, provided that you have ensured that your files in /home/container/my2ndcontainer/rootfs have been chown'd to match the target UID/GID values you've set up. Libvirt doesn't do chowning of any filesystems you provide, only things it creates.
This is my domain:
---cut---
<domain type='lxc'>
  <name>my2ndcontainer</name>
  <memory>524288</memory>
  <os>
    <type>exe</type>
    <init>/bin/bash</init>
  </os>
  <idmap>
    <!-- here be dragons, the mapping is non-linear -->
    <uid start='0' target='100000' count='998'/>
    <gid start='0' target='100000' count='998'/>
    <uid start='65533' target='100998' count='2'/>
    <gid start='65533' target='100998' count='2'/>
  </idmap>
  <devices>
    <console type='pty'/>
    <filesystem type='mount'>
      <source dir='/home/container//my2ndcontainer/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <source bridge='br0'/>
      <mac address='4a:19:0a:01:01:a4'/>
    </interface>
  </devices>
</domain>
---cut---
Within my domain:
test1:/ # ls -la /sys/fs/cgroup/systemd
total 0
drwxr-xr-x  2 nobody nogroup   0 Feb  6 09:05 .
drwxr-xr-x 11 root   root    260 Feb  6 09:05 ..
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 cgroup.clone_children
--w--w--w-  1 nobody nogroup   0 Feb  6 09:05 cgroup.event_control
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 cgroup.procs
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 notify_on_release
-rw-r--r--  1 nobody nogroup   0 Feb  6 09:05 tasks
Ok, so this seems to confirm the guess I had in my response to your mail on systemd-devel. Libvirt appears to have forgotten to chown the cgroups directory to provide access to systemd. Hence the system is remapping it to the overflow uid/gid.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
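Worked example, added here and not part of the thread or of libvirt: it parses the non-linear <idmap> from the domain above, maps ids in both directions, and shows why a cgroup directory left owned by host uid 0 appears as the overflow id (nobody/nogroup) inside the container. The overflow id value 65534 is the kernel default and is assumed; the domain XML is a constructed copy of the one quoted above.

```python
import xml.etree.ElementTree as ET

# Id the kernel reports for a host id with no mapping in the container's user
# namespace (seen as "nobody"/"nogroup"). Kernel default, assumed here.
OVERFLOW_ID = 65534

# Constructed copy of the <idmap> from the domain quoted in the thread.
DOMAIN_XML = """<domain type='lxc'>
  <name>my2ndcontainer</name>
  <idmap>
    <uid start='0' target='100000' count='998'/>
    <gid start='0' target='100000' count='998'/>
    <uid start='65533' target='100998' count='2'/>
    <gid start='65533' target='100998' count='2'/>
  </idmap>
</domain>"""


def parse_idmap(xml_text, kind="uid"):
    """Return [(start, target, count), ...] for the <uid> or <gid> entries."""
    root = ET.fromstring(xml_text)
    return [(int(e.get("start")), int(e.get("target")), int(e.get("count")))
            for e in root.findall("./idmap/" + kind)]


def container_to_host(idmap, cid):
    """Host id for a container id, or None when the id falls in a gap of the map."""
    for start, target, count in idmap:
        if start <= cid < start + count:
            return target + (cid - start)
    return None


def host_to_container(idmap, hid):
    """Id the container sees for a host id; unmapped host ids become the overflow id."""
    for start, target, count in idmap:
        if target <= hid < target + count:
            return start + (hid - target)
    return OVERFLOW_ID


def owned_by_container_root(idmap, host_owner_id):
    """True if a path owned by host_owner_id shows up as owned by root (id 0) inside."""
    return host_to_container(idmap, host_owner_id) == 0
```

A directory libvirt creates with host uid 0 fails owned_by_container_root() under this map, which is exactly the nobody/nogroup listing above; chowning it to target id 100000 makes it root-owned from the container's view.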