Hi.
Another week, another experiment ;) I was trying to run a systemd user
session for a non-root user, for example darek (uid=1000); the operation
failed with this error:
systemd[26]: pam_unix(systemd-user:session): session opened for user darek by (uid=0)
systemd[1]: Started Login Service.
systemd[26]: Failed to create root cgroup hierarchy: Permission denied
systemd[26]: Failed to allocate manager object: Permission denied
systemd[29]: pam_unix(systemd-user:session): session closed for user darek
The Cgroup hierarchy for the machine looks as follows:
├─machine.slice
│ └─machine-lxc\x2dmycontainer.scope
│   ├─17303 /usr/libexec/libvirt_lxc --name mycontainer --console 22 --security=selinux --handshake 25 --background
│   └─machine.slice
│     └─machine-lxc\x2dmycontainer.scope
│       ├─17306 /usr/lib/systemd/systemd
│       ├─machine.slice
│       │ └─machine-lxc\x2dmycontainer.scope
│       │   └─user.slice
│       │     └─user-0.slice
│       │       └─user@0.service
│       │         └─17400 /usr/lib/systemd/systemd --user
│       ├─system.slice
│       │ ├─systemd-logind.service
│       │ │ └─17373 /usr/lib/systemd/systemd-logind
│       │ ├─dbus.service
│       │ │ └─17372 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│       │ ├─sshd.service
│       │ │ └─17379 /usr/sbin/sshd -D
│       │ └─systemd-journald.service
│       │   └─17348 /usr/lib/systemd/systemd-journald
│       └─user.slice
│         └─user-0.slice
│           ├─session-c1.scope
│           │ ├─17377 login -- root
│           │ └─17413 -bash
│           └─user@0.service
│             └─17412 (sd-pam)
Then I repeated the test, but with systemd-nspawn; this time the operation
was successful:
systemd[25]: pam_unix(systemd-user:session): session opened for user darek by (uid=0)
In this case the Cgroup hierarchy is somewhat different, as shown below:
├─machine.slice
│ └─machine-mycontainer.scope
│   ├─17054 /usr/lib/systemd/systemd
│   ├─system.slice
│   │ ├─systemd-logind.service
│   │ │ └─17099 /usr/lib/systemd/systemd-logind
│   │ ├─dbus.service
│   │ │ └─17098 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│   │ ├─sshd.service
│   │ │ └─17103 /usr/sbin/sshd -D
│   │ └─systemd-journald.service
│   │   └─17069 /usr/lib/systemd/systemd-journald
│   └─user.slice
│     ├─user-0.slice
│     │ ├─session-55.scope
│     │ │ ├─17110 login -- root
│     │ │ └─17160 -bash
│     │ └─user@0.service
│     │   ├─17147 /usr/lib/systemd/systemd --user
│     │   └─17155 (sd-pam)
│     └─user-1000.slice
│       └─user@1000.service
│         ├─17109 /usr/lib/systemd/systemd --user
│         └─17116 (sd-pam)
It looks like libvirt creates a bad cgroup hierarchy (according to
http://libvirt.org/cgroups.html). What do you think?
Regards.
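A small diagnostic, added here as an example and not part of the post above, that checks the symptom the two trees show: in the libvirt-lxc tree the container's machine-*.scope is nested inside a second machine.slice, while in the systemd-nspawn tree it appears once. It parses /proc/<pid>/cgroup (cgroup v1 "id:controllers:path" lines, or the v2 "0::path" line) and counts machine scope components on the path; the sample dumps are constructed from the trees above, not real captures.

```python
#!/usr/bin/env python3
"""Detect a container scope nested inside another machine.slice.

Run inside the container as: python3 cgroup_nesting_check.py [pid]
(defaults to PID 1, the container's systemd).
"""
import re
import sys
from pathlib import Path

# One machine-<name>.scope component under machine.slice, e.g.
# /machine.slice/machine-lxc\x2dmycontainer.scope
SCOPE_RE = re.compile(r"/machine\.slice/machine-[^/]+\.scope")


def parse_proc_cgroup(text):
    """Return {hierarchy: cgroup_path} from the contents of /proc/<pid>/cgroup."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hid, controllers, path = line.split(":", 2)
        # An empty controller list is the cgroup v2 unified hierarchy.
        result[controllers or "unified"] = path
    return result


def machine_scope_depth(path):
    """Count machine-*.scope components; >1 means the scope sits inside itself."""
    return len(SCOPE_RE.findall(path))


def diagnose(text):
    """Return (worst_depth, {hierarchy: depth}) for one /proc/<pid>/cgroup dump."""
    depths = {h: machine_scope_depth(p) for h, p in parse_proc_cgroup(text).items()}
    return max(depths.values(), default=0), depths


# Constructed samples derived from the two trees in the post (not real captures).
LIBVIRT_LXC_PID1 = (r"1:name=systemd:/machine.slice/machine-lxc\x2dmycontainer.scope"
                    r"/machine.slice/machine-lxc\x2dmycontainer.scope" + "\n")
NSPAWN_PID1 = "1:name=systemd:/machine.slice/machine-mycontainer.scope\n"


def main(pid="1"):
    worst, depths = diagnose(Path(f"/proc/{pid}/cgroup").read_text())
    for hierarchy, depth in depths.items():
        print(f"{hierarchy}: machine scope nesting depth {depth}")
    if worst > 1:
        print("WARNING: container scope is nested inside a second machine.slice")
    return worst


if __name__ == "__main__":
    sys.exit(1 if main(*sys.argv[1:]) > 1 else 0)
```

Exit status 1 flags the doubled nesting from the libvirt-lxc tree, so the check can be dropped into a container health script.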