Bug#903265: systemd-container: --property=Delegate=... does not work with systemd-nspawn
Ryutaroh Matsumoto
ryutaroh.matsumoto at nagoya-u.jp
Sun Jul 8 12:43:55 BST 2018
Package: systemd-container
Version: 239-5
Severity: normal
Dear Maintainer,
According to the manual page, --property=Delegate=... with systemd-nspawn
should let the executed container have access to "...", but it does not
work as documented with the newest Debian package (and possibly with
the upstream?).
I wonder if it is a problem with Linux 4.17.0-1-amd64 installed from
Debian experimental, or AppArmor...
So I first report this to Debian BTS.
I also wonder if this behavior and #903011 are just two different symptoms
arising from a single root cause.
Specifically, when I executed the command
systemd-nspawn -b -M container-unstable --network-ipvlan=wls3 --property="Delegate=memory pids cpu io"
I see the following. Please note that the CGroup V2 is used with systemd, i.e.,
systemd.unified_cgroup_hierarchy=1 is given to the kernel command line.
Spawning container container-unstable on /var/lib/machines/container-unstable.
Press ^] three times within 1s to kill container.
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA
+APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL
+XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2
default-hierarchy=hybrid)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.
Welcome to Debian GNU/Linux buster/sid
Set hostname to <container-unstable>.
File /lib/systemd/system/systemd-journald.service:36 configures an IP
firewall (IPAddressDeny=any), but the local system does not support
BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown
for the first loaded unit using IP firewalling.)
-.slice: Failed to set cpu.weight: Operation not permitted
-.slice: Failed to set cpu.max: Operation not permitted
-.slice: Failed to set io.weight: Operation not permitted
-.slice: Failed to set memory.low: Operation not permitted
-.slice: Failed to set memory.high: Operation not permitted
-.slice: Failed to set memory.max: Operation not permitted
-.slice: Failed to set pids.max: Operation not permitted
(The above messages show the problem, and many lines are deleted here)
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux buster/sid container-unstable console
container-unstable login: root
Password:
Last login: Sun Jul 8 18:08:54 JST 2018 on console
Linux container-unstable 4.17.0-1-amd64 #1 SMP Debian 4.17.3-1
(2018-07-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@container-unstable:~# cd /sys/fs/cgroup/
Here I moved to the root CGroup V2 hierarchy.
root@container-unstable:/sys/fs/cgroup# ls -l
total 0
-r--r--r-- 1 root root 0 Jul 8 18:26 cgroup.controllers
-r--r--r-- 1 root root 0 Jul 8 18:26 cgroup.events
-rw-r--r-- 1 root root 0 Jul 8 18:27 cgroup.max.depth
-rw-r--r-- 1 root root 0 Jul 8 18:27 cgroup.max.descendants
-rw-r--r-- 1 root root 0 Jul 8 18:26 cgroup.procs
-r--r--r-- 1 root root 0 Jul 8 18:26 cgroup.stat
-rw-r--r-- 1 root root 0 Jul 8 18:26 cgroup.subtree_control
-rw-r--r-- 1 root root 0 Jul 8 18:26 cgroup.threads
-rw-r--r-- 1 root root 0 Jul 8 18:27 cgroup.type
-rw-r--r-- 1 root root 0 Jul 8 18:26 cpu.max
-r--r--r-- 1 root root 0 Jul 8 18:27 cpu.stat
-rw-r--r-- 1 root root 0 Jul 8 18:26 cpu.weight
-rw-r--r-- 1 root root 0 Jul 8 18:27 cpu.weight.nice
drwxr-xr-x 2 root root 0 Jul 8 18:26 init.scope
-rw-r--r-- 1 root root 0 Jul 8 18:27 io.max
-r--r--r-- 1 root root 0 Jul 8 18:27 io.stat
-rw-r--r-- 1 root root 0 Jul 8 18:26 io.weight
-r--r--r-- 1 root root 0 Jul 8 18:27 memory.current
-r--r--r-- 1 root root 0 Jul 8 18:27 memory.events
-rw-r--r-- 1 root root 0 Jul 8 18:26 memory.high
-rw-r--r-- 1 root root 0 Jul 8 18:26 memory.low
-rw-r--r-- 1 root root 0 Jul 8 18:26 memory.max
-r--r--r-- 1 root root 0 Jul 8 18:27 memory.stat
-r--r--r-- 1 root root 0 Jul 8 18:27 pids.current
-r--r--r-- 1 root root 0 Jul 8 18:27 pids.events
-rw-r--r-- 1 root root 0 Jul 8 18:26 pids.max
drwxr-xr-x 13 root root 0 Jul 8 18:26 system.slice
drwxr-xr-x 3 root root 0 Jul 8 18:26 user.slice
I see that I have (as root) write permission to the relevant files above.
BUT I cannot write values to the relevant files:
root@container-unstable:/sys/fs/cgroup# echo 1000 >pids.max
-bash: echo: write error: Operation not permitted
root@container-unstable:/sys/fs/cgroup# echo 3G >memory.high
-bash: echo: write error: Operation not permitted
When I executed the above command, I checked the
Delegation status of the container from another console,
and I got:
ryutaroh@unstable:~$ systemctl show systemd-nspawn@container-unstable.service | grep Delegate
Delegate=yes
DelegateControllers=cpu io memory pids
Systemd also thinks that it delegates the requested permissions...
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.17.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd-container depends on:
ii dbus 1.12.8-3
ii libacl1 2.2.52-3+b1
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.27-3
ii libcurl3-gnutls 7.60.0-2
ii libgcrypt20 1.8.3-1
ii liblzma5 5.2.2-1.3
ii libseccomp2 2.3.3-3
ii libselinux1 2.8-1+b1
ii systemd 239-5
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages systemd-container recommends:
ii btrfs-progs 4.16.1-2
ii libnss-mymachines 239-5
systemd-container suggests no packages.
-- no debconf information
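An added diagnostic, written here as example code and not part of the bug report or of systemd, for checking from inside a container whether the controllers named in DelegateControllers= actually arrived. It assumes cgroup v2 is mounted at /sys/fs/cgroup with the nsdelegate option, which is how systemd mounts it: under that option the kernel returns EPERM for writes to the resource-control files (cpu.max, memory.high, pids.max, ...) of a namespace's root cgroup from inside that namespace, leaving only cgroup.procs, cgroup.subtree_control and cgroup.threads writable there. The probe therefore tests delegation where it can succeed: it enables each controller in cgroup.subtree_control, creates a child cgroup and sets a default-valued limit on the child. The function names, the child cgroup name delegation-probe and the CGROUP_ROOT variable are inventions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: probe cgroup v2 controller
# delegation from inside a container. Assumes cgroup v2 is mounted at
# CGROUP_ROOT (default /sys/fs/cgroup) with the nsdelegate option, as systemd
# mounts it. Under nsdelegate, writes to the resource-control files of the
# namespace's root cgroup (cpu.max, memory.high, pids.max, ...) fail with
# EPERM from inside the namespace; only cgroup.procs, cgroup.subtree_control
# and cgroup.threads are writable there. Delegation is therefore tested on a
# child cgroup, which is where a delegatee is meant to set limits.

# controllers_available ROOT CONTROLLER...
# Returns 0 when every CONTROLLER appears in ROOT/cgroup.controllers, else 1
# (missing controllers are reported on stderr).
controllers_available() {
    root=$1; shift
    if [ ! -r "$root/cgroup.controllers" ]; then
        echo "$root/cgroup.controllers not readable: not a cgroup v2 root" >&2
        return 1
    fi
    have=" $(cat "$root/cgroup.controllers") "
    missing=0
    for c in "$@"; do
        case "$have" in
            *" $c "*) ;;
            *) echo "controller not delegated to this container: $c" >&2
               missing=1 ;;
        esac
    done
    return $missing
}

# delegation_probe ROOT CONTROLLER...
# Returns 0 when a child cgroup can be created under ROOT and a limit written
# for each CONTROLLER; any failure is reported on stderr and yields 1.
delegation_probe() {
    root=$1; shift
    controllers_available "$root" "$@" || return 1
    child=$root/delegation-probe        # hypothetical name for the test child
    mkdir -p "$child" || return 1
    status=0
    for c in "$@"; do
        # A controller must be enabled in the parent's cgroup.subtree_control
        # before its files appear in the child. This file is writable even on
        # the namespace root.
        if ! echo "+$c" > "$root/cgroup.subtree_control" 2>/dev/null; then
            echo "cannot enable $c in $root/cgroup.subtree_control" >&2
            status=1; continue
        fi
        # Harmless values: each is the controller's default.
        case "$c" in
            pids)   knob=pids.max;    value=max ;;
            memory) knob=memory.high; value=max ;;
            cpu)    knob=cpu.weight;  value=100 ;;
            io)     knob=io.weight;   value="default 100" ;;
            *)      echo "no probe defined for controller $c" >&2; continue ;;
        esac
        if ! echo "$value" > "$child/$knob" 2>/dev/null; then
            echo "write to $child/$knob failed: $c is listed but not usable" >&2
            status=1
        fi
    done
    rmdir "$child" 2>/dev/null || true  # an empty cgroup can be removed again
    return $status
}

# Usage inside the container: sh probe.sh cpu io memory pids
if [ $# -gt 0 ]; then
    if delegation_probe "${CGROUP_ROOT:-/sys/fs/cgroup}" "$@"; then
        echo "delegation of '$*' works"
    else
        echo "delegation of '$*' is incomplete" >&2
        exit 1
    fi
fi
```

The "-.slice: Failed to set ..." lines in the boot log and the two failed echo commands all write to the namespace root, which is the one place the probe deliberately avoids; a controller that is listed in cgroup.controllers and accepts a limit on the child has been delegated, whatever the root-level writes report.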