[pkg-lxc-devel] Bug#944389: lxc support status of cgroupv2 / unified hierarchy

Ryutaroh Matsumoto ryutaroh.matsumoto at nagoya-u.jp
Mon Dec 16 02:55:55 GMT 2019


Control: tags -1 + fixed-upstream upstream

Dear LXC maintainers and Systemd maintainers,

I added fixed-upstream to #944389, and it seems that the blocking of #943981
by LXC can be lifted after some work. If LXC is the only reason for the systemd
package to revert to the hybrid hierarchy, it can probably return to the unified
default.
Below is the justification/explanation.

I did

1. "apt-get source lxc" on Ubuntu Eoan (sorry, not Debian Bullseye),
2. overwrote the source with the stable-3.0 branch of lxc on GitHub,
3. and rebuilt it with "debuild -b -uc -us".

The built package worked as expected with no problems under
cgroupv2 / unified hierarchy on Ubuntu Eoan. Some adjustments to
the config file were necessary, as below:

ERROR    cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2415 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
ERROR    start - start.c:lxc_spawn:1910 - Failed to setup legacy device cgroup controller limits

The above error is caused by a failed attempt to use the cgroup v1 device controller; to fix it
we need:
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =

The newer systemd refuses to start in the LXC container with the error message:
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

The reason for this error is the lack of /sys/fs/cgroup in the container. To fix this, we need
lxc.mount.auto = cgroup:rw:force

In another bug report, #946480, I reported that a non-root user cannot start an
LXC container. The reason for the failure is the lack of a cgroup directory manipulable
by a non-root user. To fix this issue, a non-root user has to start a container by

systemd-run --user --scope -p "Delegate=yes" lxc-start -F ... (foreground)
or
systemd-run --user -r -p "Delegate=yes" lxc-start -F ... (background)

so that the non-root lxc-start has a manipulable cgroup directory.
The essential problem in #946480 is that there is no user instruction on how to
start an LXC container as non-root, so #946480 is purely a documentation issue.
Maybe updating https://wiki.debian.org/LXC is enough.

Conventionally, libpam-cgfs chowned the non-root user's session scope so that
a non-root LXC container can manipulate it. But merely chowning the
session scope is insufficient to make cgroup.subtree_control writable by non-root
users under cgroupv2 / unified hierarchy.
So libpam-cgfs has become useless under cgroupv2 / unified hierarchy, which was
#946170.

Best regards,
Ryutaroh Matsumoto
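An added shell example, not part of this report or of the lxc package: it classifies a host's cgroup layout from a /proc/self/mounts listing and checks a container config for the adjustments the report lists (empty lxc.cgroup.devices.allow/deny entries and cgroup:rw:force in lxc.mount.auto). The mount listings are constructed samples, and the check assumes that the last assignment of a list key is the one that takes effect.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the host's cgroup layout
# from a /proc/self/mounts-style listing and check an LXC container config.

# Constructed /proc/self/mounts excerpts for the three layouts (sample data).
UNIFIED_MOUNTS='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0'
HYBRID_MOUNTS='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0'
LEGACY_MOUNTS='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0'

# detect_cgroup_mode MOUNTS -> unified | hybrid | legacy | none
detect_cgroup_mode() {
    if printf '%s\n' "$1" | grep -q '^[^ ]* /sys/fs/cgroup cgroup2 '; then echo unified
    elif printf '%s\n' "$1" | grep -q '^[^ ]* [^ ]* cgroup2 '; then echo hybrid
    elif printf '%s\n' "$1" | grep -q '^[^ ]* [^ ]* cgroup '; then echo legacy
    else echo none; fi
}

# last_value FILE KEY -> value of the last "KEY = value" line; exit 1 if absent
# (assumes the last assignment of a list key is the one that takes effect)
last_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (!i) next
          k = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
          if (k != key) next
          v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); found = 1 }
        END { if (!found) exit 1; print v }' "$1"
}

# check_lxc_config FILE -> 0 if the config carries the adjustments from the
# report, otherwise prints what is missing and returns 1
check_lxc_config() {
    status=0
    for key in lxc.cgroup.devices.allow lxc.cgroup.devices.deny; do
        v=$(last_value "$1" "$key"); rc=$?
        if [ "$rc" -ne 0 ] || [ -n "$v" ]; then
            echo "$key: needs a trailing empty assignment to drop v1 device rules"
            status=1
        fi
    done
    case "$(last_value "$1" lxc.mount.auto)" in
        *cgroup:rw:force*) ;;
        *) echo "lxc.mount.auto: needs cgroup:rw:force so /sys/fs/cgroup exists"; status=1 ;;
    esac
    return "$status"
}
```

On a live host, `detect_cgroup_mode "$(cat /proc/self/mounts)"` reports the layout and `check_lxc_config /path/to/container/config` lists the missing keys.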
