[pkg-lxc-devel] Bug#888647: Bug#888647: lxc: unprivileged container doesn't boot due to cgroup ownership

Evgeni Golov evgeni at debian.org
Sun Jan 28 11:24:08 UTC 2018


Hi Andrea,

On Sun, Jan 28, 2018 at 11:34:03AM +0100, Andrea Villa wrote:
>    Just create a simple user unprivileged lxc container after following the
> official Debian documentation
> https://wiki.debian.org/LXC#Unprivileged_container.

Can we for a second pretend, wiki.d.o is not official documentation,
thanks ;)

And looking at the page, it lists at least a few steps that should not
be needed.

>    Container fails when started with:
> 
>    ----------------
>          lxc-start 20170124115651.107 ERROR    lxc_cgfs -
> cgroups/cgfs.c:lxc_cgroupfs_create:909 - Could not set clone_children to 1
> for cpuset hierarchy in parent cgroup.
>          lxc-start 20170124115651.107 ERROR    lxc_cgfs -
> cgroups/cgfs.c:cgroup_rmdir:209 - Read-only file system - cgroup_rmdir:
> failed to delete /sys/fs/cgroup/perf_event/

You're running a BPO kernel, right? Can you please try with the kernel
from stable?

I am running stable boxes with unprivileged containers just fine, so
there is something weird here, and it might very well be the kernel.

>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> 
>    I have found this thread on LXC forums
> https://discuss.linuxcontainers.org/t/failed-creating-cgroups/272/4 that
> suggests using Ubuntu's version of the libpam-cgfs package.
>    The Ubuntu version of the package seems to include some patches that
> properly set user's CGroups permission upon user's login.

Ubuntu's version (which one, btw?) does not carry patches, their
packaging is usually just what we ship in Debian, plus sometimes faster
upstream releases.

> 
>    * What was the outcome of this action?
> 
>          Installing the Ubuntu version of the libpam-cgfs fixes the problem.
> 
> 
> I was not sure if I should have posted the bug here or in libpam-cgfs. I
> hope you don't mind my choice.

We can re-assign at will, so that's fine.

Evgeni


