[systemd-bugs] [cgroup in lxc container] problem with non root user session in lxc container
Jacek Pielaszkiewicz
j.pielaszkie at samsung.com
Thu Feb 27 04:54:29 PST 2014
Hi
I am trying to set up an LXC container with systemd. I have the following
configuration:
1. Systemd - 208
2. Kernel - 3.10
3. Libvirt 1.2.1
I am trying to start the LXC container with full separation (all
namespaces are active, including the user namespace). In the container I have
defined uid and gid mappings.
Generally the container starts and I have a user session for the root user, but I cannot
start a user session for a non-root user.
The journal reports the following error:
Dec 31 20:53:29 localhost connmand[13]: eth0 {add} route 192.168.122.1 gw 0.0.0.0 scope 253 <LINK>
Dec 31 20:53:29 localhost connmand[13]: eth0 {add} route 0.0.0.0 gw 192.168.122.1 scope 0 <UNIVERSE>
Dec 31 20:53:29 localhost connmand[13]: Online check failed for 0x917f0 Wired
Dec 31 20:53:50 localhost systemd[1]: Starting Stop Read-Ahead Data Collection...
Dec 31 20:53:50 localhost systemd[1]: Started Stop Read-Ahead Data Collection.
Dec 31 20:54:50 localhost systemd[1]: user@5000.service stopping timed out. Killing.
Dec 31 20:54:50 localhost systemd[1]: Failed to start User Manager for 5000.
Dec 31 20:54:50 localhost systemd[1]: Unit user@5000.service entered failed state.
Dec 31 20:58:29 localhost systemd[1]: Starting Cleanup of Temporary Directories...
Dec 31 20:58:29 localhost systemd[1]: Started Cleanup of Temporary Directories.
Dec 31 21:05:12 localhost su[37]: (to root) root on /dev/pts/0
Dec 31 21:23:29 localhost connmand[13]: Setting hostname to localhost
Dec 31 21:44:55 localhost systemd[1]: Starting user-5001.slice.
Dec 31 21:44:55 localhost systemd[1]: Created slice user-5001.slice.
Dec 31 21:44:55 localhost systemd[1]: Starting User Manager for 5001...
Dec 31 21:44:55 localhost systemd[44]: Failed to create root cgroup hierarchy: Permission denied
Dec 31 21:44:55 localhost systemd[44]: Failed to allocate manager object: Permission denied
Dec 31 21:44:55 localhost systemd[1]: Started User Manager for 5001.
The strace for this case is below:
...
14722 open("/sys/firmware/acpi/tables/FPDT", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14722 open("/sys/firmware/efi/efivars/LoaderTimeInitUSec-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f", O_RDONLY|O_NOCTTY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
14722 epoll_create1(EPOLL_CLOEXEC) = 4
14722 rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTART|SA_NOCLDSTOP|0x4000000}, NULL, 8) = 0
14722 rt_sigprocmask(SIG_SETMASK, ~[QUIT ILL TRAP ABRT BUS FPE KILL SEGV PIPE ALRM STKFLT CONT STOP TSTP TTIN TTOU URG XCPU XFSZ VTALRM PROF IO SYS RTMIN RT_1 RT_9 RT_10 RT_11 RT_12 RT_13 RT_14 RT_19 RT_20 RT_21 RT_27], NULL, 8) = 0
14722 signalfd4(-1, [HUP INT USR1 USR2 TERM CHLD WINCH PWR], 8, O_NONBLOCK|O_CLOEXEC) = 5
14722 epoll_ctl(4<anon_inode:[eventpoll]>, EPOLL_CTL_ADD, 5<anon_inode:[signalfd]>, {EPOLLIN, {u32=844028, u64=844028}}) = 0
14722 name_to_handle_at(0xffffff9c, 0x952b8, 0xbec2d648, 0xbec2d6d4, 0) = -1 ENOSYS (Function not implemented)
14722 lstat64("/sys/fs/cgroup/systemd", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
14722 lstat64("/sys/fs/cgroup", {st_mode=S_IFDIR|0755, st_size=220, ...}) = 0
14722 open("/proc/self/cgroup", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 6
14722 fstat64(6</proc/44/cgroup>, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
14722 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6faf000
14722 read(6</proc/44/cgroup>, "8:name=daemon_mgr:/\n7:freezer:/m"..., 1024) = 358
14722 close(6</proc/44/cgroup>) = 0
14722 munmap(0xb6faf000, 4096) = 0
14722 name_to_handle_at(0xffffff9c, 0x9653c, 0xbec2d628, 0xbec2d6b4, 0) = -1 ENOSYS (Function not implemented)
14722 lstat64("/sys/fs/cgroup", {st_mode=S_IFDIR|0755, st_size=220, ...}) = 0
14722 lstat64("/sys/fs", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
14722 access("/sys/fs/cgroup/systemd", F_OK) = 0
14722 stat64("/sys/fs/cgroup/systemd/system.slice/system-server.service/system.slice/system-server.service/user.slice/user-5001.slice", 0xbec2d678) = -1 ENOENT (No such file or directory)
14722 mkdir("/sys", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs/cgroup", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs/cgroup/systemd", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs/cgroup/systemd/system.slice", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs/cgroup/systemd/system.slice/system-server.service", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs/cgroup/systemd/system.slice/system-server.service/system.slice", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs/cgroup/systemd/system.slice/system-server.service/system.slice/system-server.service", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs/cgroup/systemd/system.slice/system-server.service/system.slice/system-server.service/user.slice", 0755) = -1 EEXIST (File exists)
14722 mkdir("/sys/fs/cgroup/systemd/system.slice/system-server.service/system.slice/system-server.service/user.slice/user-5001.slice", 0755) = -1 EACCES (Permission denied)
14722 sendmsg(3, {msg_name(0)=NULL, msg_iov(4)=[{"PRIORITY=3\nSYSLOG_FACILITY=3\nCOD"..., 132}, {"MESSAGE=", 8}, {"Failed to create root cgroup hie"..., 57}, {"\n", 1}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 198
14722 lstat64("/sys/fs/cgroup/systemd/system.slice/system-server.service/system.slice/system-server.service/user.slice/user-5001.slice/user@5001.service", 0xbec2d730) = -1 ENOENT (No such file or directory)
...
I have managed to start the non-root user session by manually creating the required
cgroup, for testing of course.
I have also put my container configuration below:
<domain type='lxc'>
  <name>tizen-2</name>
  <memory>102400000</memory>
  <os>
    <type>exe</type>
    <init>/usr/lib/systemd/systemd</init>
  </os>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <idmap>
    <uid start='0' target='999' count='100000000'/>
    <gid start='0' target='999' count='100000000'/>
  </idmap>
  <devices>
    <console type="pty"/>
    <filesystem type='mount'>
      <source dir="/tizen"/>
      <target dir="/"/>
    </filesystem>
    <filesystem type="ram">
      <source usage="1024" />
      <target dir="/tmp"/>
    </filesystem>
    <interface type='network'>
      <source network='default'/>
    </interface>
  </devices>
</domain>
Best regards
Jacek Pielaszkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Email: j.pielaszkie at samsung.com
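The failing mkdir in the strace above is the user manager (systemd 208) building its own cgroup path plus user.slice/user-<uid>.slice under the name=systemd hierarchy. As an added diagnostic (not code from the post or from systemd), this Python script recomputes that path from /proc/self/cgroup and reports the deepest existing ancestor directory and whether the calling uid could create the next component there, which is what an administrator would check before delegating the cgroup subtree to the container's mapped uids. The /proc/self/cgroup contents are a constructed sample, and CGROUP_ROOT assumes the cgroup v1 name=systemd mount at /sys/fs/cgroup/systemd.

```python
"""Added diagnostic (not from the original post): reconstruct the cgroup
directory that systemd 208's user manager tries to mkdir for user-<uid>.slice
and find the ancestor directory where that mkdir would be refused."""
import os

# Constructed sample of what /proc/self/cgroup could contain for PID 44 in the
# container; the nested name=systemd path matches the strace in the post.
SAMPLE_PROC_CGROUP = (
    "8:name=daemon_mgr:/\n"
    "7:freezer:/machine.slice\n"
    "1:name=systemd:/system.slice/system-server.service"
    "/system.slice/system-server.service\n"
)
CGROUP_ROOT = "/sys/fs/cgroup/systemd"  # assumed cgroup v1 mount point


def systemd_cgroup_path(proc_cgroup_text):
    """Return the process's path in the name=systemd hierarchy, or None."""
    for line in proc_cgroup_text.splitlines():
        fields = line.split(":", 2)  # hierarchy-id:controllers:path
        if len(fields) == 3 and "name=systemd" in fields[1].split(","):
            return fields[2]
    return None


def user_slice_dir(proc_cgroup_text, uid, root=CGROUP_ROOT):
    """<root><own cgroup>/user.slice/user-<uid>.slice, which the user manager creates."""
    base = systemd_cgroup_path(proc_cgroup_text)
    if base is None:
        return None
    return root + base.rstrip("/") + "/user.slice/user-%d.slice" % uid


def blocking_ancestor(path, isdir=os.path.isdir, writable=None):
    """Walk towards `path` like mkdir -p. Return (dir, can_create): the deepest
    existing directory and whether the next component could be created in it.
    isdir/writable are injectable so the check can also run on a fake tree."""
    if writable is None:
        writable = lambda d: os.access(d, os.W_OK | os.X_OK)
    cur = "/"
    for comp in path.strip("/").split("/"):
        nxt = os.path.join(cur, comp)
        if not isdir(nxt):
            return cur, writable(cur)
        cur = nxt
    return cur, True  # the whole path already exists


if __name__ == "__main__":
    target = user_slice_dir(open("/proc/self/cgroup").read(), os.getuid())
    print(target, blocking_ancestor(target) if target else "no name=systemd hierarchy")
```

Run it as the mapped non-root user inside the container; a result of (…/user.slice, False) points at the directory whose ownership or delegation must change before user@<uid>.service can start.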