[systemd-devel] [systemd][cgroup in container] problem with cgroup hierarchy in container
Jacek Pielaszkiewicz
j.pielaszkie at samsung.com
Tue Mar 4 07:23:52 PST 2014
Hi,
It seems that systemd builds the cgroup hierarchy incorrectly when it is
running in a container. Systemd duplicates part of the hierarchy
below machine.slice/machine...scope/. As a result, a non-root
user session cannot be created due to lack of permissions.

In an nspawn container, the problem with non-root session creation does
not appear. The only minor difference between the containers that we
found is in the cgroup hierarchy.

Cgroup hierarchy for the tested cases:

1. cgroup hierarchy for non systemd container

sh-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-starter.service
│     │ L-2711 /usr/bin/starter
│     +-xorg.service
│     │ L-2709 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   L-2681 /bin/bash
L-system.slice
  +-1 /sbin/init
  +-connman.service
  │ L-29225 /usr/sbin/connmand -n

2. cgroup hierarchy for running container with systemd

sh-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-xorg.service
│     │ L-3185 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   L-machine.slice
│     L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       L-system.slice
│         +-2681 /usr/lib/systemd/systemd
│         +-systemd-logind.service
│         │ L-3215 /usr/lib/systemd/systemd-logind
│         +-connman.service
│         │ L-3214 /usr/sbin/connmand -n
│         +-dbus.service
│         │ L-3212 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
│         +-console-getty.service
│         │ L-3240 /sbin/agetty --noclear -s console 115200 38400 9600
│         +-wpa_supplicant.service
│         │ L-3241 /usr/sbin/wpa_supplicant -u
│         L-systemd-journald.service
│           L-3200 /usr/lib/systemd/systemd-journald
L-system.slice
  +-1 /sbin/init
  +-connman.service

3. cgroup hierarchy for running container and running user session

sh-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-xorg.service
│     │ L-3468 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   L-machine.slice
│     L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       +-machine.slice
│       │ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       │   L-user.slice
│       │     L-user-0.slice
│       │       L-user@0.service
│       │         L-3483 /usr/lib/systemd/systemd --user
│       +-user.slice
│       │ L-user-0.slice
│       │   +-session-c1.scope
│       │   │ +-3240 login -- root
│       │   │ L-3486 -bash
│       │   L-user@0.service
│       │     L-3484 (sd-pam)
│       L-system.slice
│         +-2681 /usr/lib/systemd/systemd
│         +-systemd-logind.service
│         │ L-3215 /usr/lib/systemd/systemd-logind
│         +-connman.service
│         │ L-3214 /usr/sbin/connmand -n
│         +-dbus.service
│         │ L-3212 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
│         +-wpa_supplicant.service
│         │ L-3241 /usr/sbin/wpa_supplicant -u
│         L-systemd-journald.service
│           L-3200 /usr/lib/systemd/systemd-journald
L-system.slice
  +-1 /sbin/init
  +-connman.service

Best regards
Jacek Pielaszkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Email: j.pielaszkie at samsung.com
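
Added example (not part of the original post, and not systemd code): a small checker that reads /proc/<pid>/cgroup-style lines and flags paths in which a run of segments, such as machine.slice/<scope>, repeats back to back as in listings 2 and 3 above. The sample lines are constructed from those listings; the `name=systemd` controller label and the function names are assumptions.

```python
# Scope path taken from the systemd-cgls listings in the post.
SCOPE = r"machine.slice/machine-lxc\x2dtizen\x2dbash\x2d2.scope"

# Constructed /proc/<pid>/cgroup contents (format: hierarchy-id:controllers:path).
SAMPLE = {
    2672: f"1:name=systemd:/{SCOPE}",                          # libvirt_lxc
    2681: f"1:name=systemd:/{SCOPE}/{SCOPE}/system.slice",      # container PID 1
    3483: f"1:name=systemd:/{SCOPE}/{SCOPE}/{SCOPE}"
          "/user.slice/user-0.slice/user@0.service",            # systemd --user
}

def repeated_run(path):
    """Return (run, count) for the shortest run of path segments that
    repeats back to back, or None if nothing is duplicated."""
    segs = [s for s in path.split("/") if s]
    for size in range(1, len(segs) // 2 + 1):
        for start in range(len(segs) - 2 * size + 1):
            run = segs[start:start + size]
            count = 1
            # Count how many consecutive copies of `run` follow `start`.
            while segs[start + count * size:start + (count + 1) * size] == run:
                count += 1
            if count > 1:
                return "/".join(run), count
    return None

def audit(pid_to_text):
    """Scan {pid: cgroup file text}; return (pid, controller, run, count)."""
    findings = []
    for pid, text in sorted(pid_to_text.items()):
        for line in text.splitlines():
            parts = line.strip().split(":", 2)
            if len(parts) != 3:
                continue  # not a hierarchy-id:controllers:path line
            hit = repeated_run(parts[2])
            if hit:
                # An empty controller field is the cgroup v2 unified hierarchy.
                findings.append((pid, parts[1] or "unified", hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for pid, ctrl, run, count in audit(SAMPLE):
        print(f"pid {pid} [{ctrl}]: '{run}' appears {count}x in a row")
```

On a live host the same functions can be fed the text of /proc/<pid>/cgroup for each process of interest.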