[systemd-devel] Howto run systemd within a linux container

Richard Weinberger richard.weinberger at gmail.com
Wed Feb 5 14:44:33 PST 2014


Hi!

We're heavily using Linux containers in our production environment.
As modern Linux distributions move forward to systemd, we have to make sure that
systemd works within our containers.

Sadly we're facing issues with cgroups.
Our testbed consists of openSUSE 13.1 with Linux 3.13.1 and libvirt 1.2.1.

In a plain setup systemd stops immediately because it is unable to
create the cgroup hierarchy.
Mostly because the container uid 0 is in a user namespace and has no
rights to do that.

Bootlog:
---cut---
systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX
-IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to openSUSE 13.1 (Bottle) (x86_64)!

Set hostname to <test1>.
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: Permission denied
Failed to allocate manager object: Permission denied
---cut---

Next try: trigger the "Ingo Molnar" branch by mounting a tmpfs to
/sys/fs/cgroup/; systemd segfaults.
Bug filed to https://bugs.freedesktop.org/show_bug.cgi?id=74589

Bootlog:
---cut---

systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX
-IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc-libvirt'.

Welcome to openSUSE 13.1 (Bottle) (x86_64)!

Set hostname to <test1>.
No control group support available, not creating root group.
Cannot add dependency job for unit getty at console.service, ignoring:
Unit getty at console.service failed to load: Invalid argument.
Cannot add dependency job for unit display-manager.service, ignoring:
Unit display-manager.service failed to load: No such file or
directory.
[  OK  ] Listening on Syslog Socket.
[  OK  ] Reached target Remote File Systems (Pre).
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Reached target Encrypted Volumes.
[  OK  ] Listening on Journal Socket.
         Starting Create dynamic rule for /dev/root link...
Caught <SEGV>, dumped core as pid 11.
Freezing execution.
---cut---

Next try: fool systemd by mounting a tmpfs to /sys/fs/cgroup/systemd/.
This seems to work. openSUSE boots, I can start/stop services...
Shutdown hangs forever; I have had no time to investigate so far.

But is this tmpfs hack the correct way to run systemd in a container?
I really don't think so.

Can someone please explain to me how to achieve this in a sane and unhacky way?

-- 
Thanks,
//richard
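The three layouts the mail walks through (a real cgroup hierarchy, a tmpfs over /sys/fs/cgroup, and a tmpfs over /sys/fs/cgroup/systemd) can be told apart from inside the container by parsing /proc/self/mountinfo. This is an added example, not code from the mail or from systemd; the function names and the sample mountinfo lines are constructed.

```shell
#!/bin/sh
# Added example: classify the cgroup layout a container sees, matching the
# three attempts described in the mail. Reads /proc/self/mountinfo-format
# text on stdin and prints exactly one of:
#   real-hierarchy  a cgroup fs is mounted at /sys/fs/cgroup/systemd
#   tmpfs-systemd   a tmpfs sits at /sys/fs/cgroup/systemd (attempt 3)
#   tmpfs-root      only a tmpfs at /sys/fs/cgroup, nothing below (attempt 2)
#   other           /sys/fs/cgroup mounted but with an unexpected layout
#   none            /sys/fs/cgroup is not mounted at all
classify_cgroup_setup() {
    awk '
        {
            # Field 5 is the mount point; the fs type follows the "-"
            # separator, which may be preceded by optional fields.
            fstype = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            mp = $5
            if (mp == "/sys/fs/cgroup/systemd" && fstype == "cgroup") systemd_cgroup = 1
            if (mp == "/sys/fs/cgroup/systemd" && fstype == "tmpfs")  systemd_tmpfs = 1
            if (mp == "/sys/fs/cgroup" && fstype == "tmpfs")          root_tmpfs = 1
            if (mp == "/sys/fs/cgroup")                                root_any = 1
        }
        END {
            if (systemd_cgroup)     print "real-hierarchy"
            else if (systemd_tmpfs) print "tmpfs-systemd"
            else if (root_tmpfs)    print "tmpfs-root"
            else if (root_any)      print "other"
            else                    print "none"
        }'
}

# Even with a real hierarchy, a user-namespaced uid 0 may lack the right to
# create groups in it (the "Permission denied" in the first boot log).
cgroup_root_writable() { [ -w /sys/fs/cgroup/systemd ]; }

# Constructed sample mountinfo (not from the mail): attempt 2, a tmpfs over
# /sys/fs/cgroup with nothing mounted below it.
sample_attempt2() {
    cat <<'EOF'
24 1 0:21 / / rw,relatime - ext4 /dev/vda1 rw
30 24 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
EOF
}

# Constructed sample: attempt 3, an extra tmpfs at /sys/fs/cgroup/systemd.
sample_attempt3() {
    sample_attempt2
    echo '31 30 0:27 / /sys/fs/cgroup/systemd rw,relatime - tmpfs tmpfs rw'
}
```

To check the container the script runs in, feed it the live file: `classify_cgroup_setup < /proc/self/mountinfo`, then `cgroup_root_writable` when it reports a real hierarchy.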