[libvirt-users] [libvirt] LXC, user namespaces and systemd

Daniel P. Berrange berrange at redhat.com
Mon Mar 3 15:26:45 UTC 2014


On Mon, Mar 03, 2014 at 03:52:01PM +0100, Dariusz Michaluk wrote:
> Hi.
> 
> Another week, another experiment ;) I was trying to run systemd user
> session for non-root user, for example darek (uid=1000), operation
> failed with error:
> 
> systemd[26]: pam_unix(systemd-user:session): session opened for user
> darek by (uid=0)
> systemd[1]: Started Login Service.
> systemd[26]: Failed to create root cgroup hierarchy: Permission denied
> systemd[26]: Failed to allocate manager object: Permission denied
> systemd[29]: pam_unix(systemd-user:session): session closed for user darek
> 
> The Cgroup hierarchy for the machine looks as follows:
> 
> ├─machine.slice
> │ └─machine-lxc\x2dmycontainer.scope
> │   ├─17303 /usr/libexec/libvirt_lxc --name mycontainer --console 22
> --security=selinux --handshake 25 --background
> │   └─machine.slice
> │     └─machine-lxc\x2dmycontainer.scope
> │       ├─17306 /usr/lib/systemd/systemd
> │       ├─machine.slice
> │       │ └─machine-lxc\x2dmycontainer.scope


That looks really bizarre. The same two directory names nested over
and over again. I can't reproduce this kind of thing on my own host.
Libvirt only ever creates the first two levels as expected:

/sys/fs/cgroup/systemd/machine.slice
/sys/fs/cgroup/systemd/machine.slice/machine-lxc\x2dmycontainer.scope

The fact that the libvirt_lxc process itself ends up in the right
place suggests that this isn't libvirt, but rather something else
is creating these extra levels and moving systemd into them.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
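
Added example, not part of the original message and not libvirt code: a Python check for the symptom discussed in this thread, a process whose cgroup path repeats the same slice/scope pair inside itself instead of stopping at the two levels libvirt creates. The sample lines are constructed in the `/proc/<pid>/cgroup` format using the path names quoted above, and the function names are hypothetical.

```python
# Constructed samples in /proc/<pid>/cgroup format: hierarchy-id:controllers:path.
# The path names are taken from the thread; the lines are not captured output.
SAMPLE_OK = r"1:name=systemd:/machine.slice/machine-lxc\x2dmycontainer.scope"
SAMPLE_NESTED = (
    r"1:name=systemd:/machine.slice/machine-lxc\x2dmycontainer.scope"
    r"/machine.slice/machine-lxc\x2dmycontainer.scope"
)


def parse_cgroup_line(line):
    """Split one /proc/<pid>/cgroup line into (hierarchy_id, controllers, path)."""
    # maxsplit=2 keeps any ':' inside the path intact.
    hierarchy_id, controllers, path = line.rstrip("\n").split(":", 2)
    return hierarchy_id, controllers, path


def repeated_prefix_depth(path):
    """Count how often the leading two path components repeat back to back.

    1 is the expected two-level layout (slice/scope); a value above 1 means
    the same pair has been nested inside itself.
    """
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        return 0
    pair = parts[:2]
    depth = 0
    i = 0
    while parts[i:i + 2] == pair:
        depth += 1
        i += 2
    return depth


def check(line):
    """Report the nesting depth for one cgroup line."""
    _, controllers, path = parse_cgroup_line(line)
    depth = repeated_prefix_depth(path)
    return {"controllers": controllers, "path": path,
            "depth": depth, "nested": depth > 1}


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NESTED):
        print(check(sample))
```

To use it on a live host, feed it the lines of `/proc/<pid>/cgroup` for `libvirt_lxc` and for the container's systemd and compare the reported depths.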



