[libvirt-users] [libvirt] LXC, user namespaces and systemd
Daniel P. Berrange
berrange at redhat.com
Mon Mar 3 15:26:45 UTC 2014
On Mon, Mar 03, 2014 at 03:52:01PM +0100, Dariusz Michaluk wrote:
> Hi.
>
> Another week, another experiment ;) I was trying to run systemd user
> session for non-root user, for example darek (uid=1000), operation
> failed with error:
>
> systemd[26]: pam_unix(systemd-user:session): session opened for user
> darek by (uid=0)
> systemd[1]: Started Login Service.
> systemd[26]: Failed to create root cgroup hierarchy: Permission denied
> systemd[26]: Failed to allocate manager object: Permission denied
> systemd[29]: pam_unix(systemd-user:session): session closed for user darek
>
> The Cgroup hierarchy for the machine looks as follows:
>
> ├─machine.slice
> │ └─machine-lxc\x2dmycontainer.scope
> │ ├─17303 /usr/libexec/libvirt_lxc --name mycontainer --console 22
> --security=selinux --handshake 25 --background
> │ └─machine.slice
> │ └─machine-lxc\x2dmycontainer.scope
> │ ├─17306 /usr/lib/systemd/systemd
> │ ├─machine.slice
> │ │ └─machine-lxc\x2dmycontainer.scope
That looks really bizarre. The same two directory names nested over
and over again. I can't reproduce this kind of thing on my own host.
Libvirt only ever creates the first two levels as expected
/sys/fs/cgroup/systemd/machine.slice
/sys/fs/cgroup/systemd/machine.slice/machine-lxc\x2dmycontainer.scope
The fact that the libvirt_lxc process itself ends up in the right
place suggest that this isn't libvirt, but rather something else
is creating these extra levels and moving systemd into them.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvirt-users
mailing list