Re: [libvirt-users] [libvirt] LXC, user namespaces and systemd

Hi. Another week, another experiment ;) I was trying to run systemd user session for non-root user, for example darek (uid=1000), operation failed with error: systemd[26]: pam_unix(systemd-user:session): session opened for user darek by (uid=0) systemd[1]: Started Login Service. systemd[26]: Failed to create root cgroup hierarchy: Permission denied systemd[26]: Failed to allocate manager object: Permission denied systemd[29]: pam_unix(systemd-user:session): session closed for user darek The Cgroup hierarchy for the machine looks as follows: ├─machine.slice │ └─machine-lxc\x2dmycontainer.scope │ ├─17303 /usr/libexec/libvirt_lxc --name mycontainer --console 22 --security=selinux --handshake 25 --background │ └─machine.slice │ └─machine-lxc\x2dmycontainer.scope │ ├─17306 /usr/lib/systemd/systemd │ ├─machine.slice │ │ └─machine-lxc\x2dmycontainer.scope │ │ └─user.slice │ │ └─user-0.slice │ │ └─user(a)0.service │ │ └─17400 /usr/lib/systemd/systemd --user │ ├─system.slice │ │ ├─systemd-logind.service │ │ │ └─17373 /usr/lib/systemd/systemd-logind │ │ ├─dbus.service │ │ │ └─17372 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation │ │ ├─sshd.service │ │ │ └─17379 /usr/sbin/sshd -D │ │ └─systemd-journald.service │ │ └─17348 /usr/lib/systemd/systemd-journald │ └─user.slice │ └─user-0.slice │ ├─session-c1.scope │ │ ├─17377 login -- root │ │ └─17413 -bash │ └─user(a)0.service │ └─17412 (sd-pam) Then I repeated the test, but I used systemd-nspawn, the operation was successful. systemd[25]: pam_unix(systemd-user:session): session opened for user darek by (uid=0) In this case the Cgroup hierarchy is somewhat different, as shown below: ├─machine.slice │ └─machine-mycontainer.scope │ ├─17054 /usr/lib/systemd/systemd │ ├─system.slice │ │ ├─systemd-logind.service │ │ │ └─17099 /usr/lib/systemd/systemd-logind │ │ ├─dbus.service │ │ │ └─17098 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation │ │ ├─sshd.service │ │ │ └─17103 /usr/sbin/sshd -D │ │ └─systemd-journald.service │ │ └─17069 /usr/lib/systemd/systemd-journald │ └─user.slice │ ├─user-0.slice │ │ ├─session-55.scope │ │ │ ├─17110 login -- root │ │ │ └─17160 -bash │ │ └─user(a)0.service │ │ ├─17147 /usr/lib/systemd/systemd --user │ │ └─17155 (sd-pam) │ └─user-1000.slice │ └─user(a)1000.service │ ├─17109 /usr/lib/systemd/systemd --user │ └─17116 (sd-pam) It looks like the libvirt creates bad Cgroup hierarchy (according to http://libvirt.org/cgroups.html). What do you think? Regards.