[systemd-devel] Howto run systemd within a linux container

Thu Feb 6 02:55:01 PST 2014

On Wed, Feb 05, 2014 at 11:44:33PM +0100, Richard Weinberger wrote:
> Hi!
> 
> We're heavily using Linux containers in our production environment.
> As modern Linux distributions move forward to systemd have to make sure that
> systemd works within our containers.
> 
> Sadly we're facing issues with cgroups.
> Our testbed consists of openSUSE 13.1 with Linux 3.13.1 and libvirt 1.2.1.
> 
> In a plain setup systemd stops immediately because it is unable to
> create the cgroup hierarchy.
> Mostly because the container uid 0 is in a user namespace and has no
> rights to do that.

FYI I have succesfully run Fedora 19 with systemd inside a container
with libvirt LXC, however, I did *not* enable user namespaces. Every
time I try user namespaces I find some other bug in either the kernel
or libvirt, so I wouldn't be surprised if yet more breakage has
occurred in user namepsaces :-(

> Next try, fool systemd by mounting a tmpfs to /sys/fs/cgroup/systemd/.
> This seems to work. openSUSE boots, I can start/stop services...
> Shutdown hangs forever, had no time to investigate so far.
> 
> But is this tmpfs hack the correct way to run systemd in a container?
> I really don't think so.

Yeah that really shouldnt' be needed. When libvirt runs a container it
creates a cgroup just for that container to run in, and systemd should
be able to create its hierarchy under that location.

That said, I wonder if libvirt is perhaps forgetting to chown() the
cgroup to the UID/GID you've mapped for the root user. That would
certainly prevent systemd using it and could cause the sort of pain
you see.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|