[systemd-devel] [systemd][cgroup in container] problem with cgroup hierarchy in container

Jacek Pielaszkiewicz j.pielaszkie at samsung.com
Tue Mar 4 07:23:52 PST 2014


Hi,

	It seems that systemd builds the cgroup hierarchy incorrectly when it is
running in a container. Systemd duplicates part of the hierarchy
below machine.slice/machine...scope/. This ultimately causes the creation of a
non-root user session to fail due to lack of permissions.

	In an nspawn container the problem with non-root session creation does
not appear. The only minor difference between the containers that we found is
in the cgroup hierarchy.

	Cgroup hierarchy for the tested cases:

1. cgroup hierarchy for a non-systemd container


sh-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-starter.service
│     │ L-2711 /usr/bin/starter
│     +-xorg.service
│     │ L-2709 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   L-2681 /bin/bash
L-system.slice
  +-1 /sbin/init
  +-connman.service
  │ L-29225 /usr/sbin/connmand -n


2. cgroup hierarchy for a running container with systemd


sh-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-xorg.service
│     │ L-3185 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   L-machine.slice
│     L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       L-system.slice
│         +-2681 /usr/lib/systemd/systemd
│         +-systemd-logind.service
│         │ L-3215 /usr/lib/systemd/systemd-logind
│         +-connman.service
│         │ L-3214 /usr/sbin/connmand -n
│         +-dbus.service
│         │ L-3212 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
│         +-console-getty.service
│         │ L-3240 /sbin/agetty --noclear -s console 115200 38400 9600
│         +-wpa_supplicant.service
│         │ L-3241 /usr/sbin/wpa_supplicant -u
│         L-systemd-journald.service
│           L-3200 /usr/lib/systemd/systemd-journald
L-system.slice
  +-1 /sbin/init
  +-connman.service


3. cgroup hierarchy for a running container and a running user session


sh-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-xorg.service
│     │ L-3468 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   L-machine.slice
│     L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       +-machine.slice
│       │ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       │   L-user.slice
│       │     L-user-0.slice
│       │       L-user@0.service
│       │         L-3483 /usr/lib/systemd/systemd --user
│       +-user.slice
│       │ L-user-0.slice
│       │   +-session-c1.scope
│       │   │ +-3240 login -- root
│       │   │ L-3486 -bash
│       │   L-user@0.service
│       │     L-3484 (sd-pam)
│       L-system.slice
│         +-2681 /usr/lib/systemd/systemd
│         +-systemd-logind.service
│         │ L-3215 /usr/lib/systemd/systemd-logind
│         +-connman.service
│         │ L-3214 /usr/sbin/connmand -n
│         +-dbus.service
│         │ L-3212 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
│         +-wpa_supplicant.service
│         │ L-3241 /usr/sbin/wpa_supplicant -u
│         L-systemd-journald.service
│           L-3200 /usr/lib/systemd/systemd-journald
L-system.slice
  +-1 /sbin/init
  +-connman.service



Best regards



Jacek Pielaszkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Email: j.pielaszkie at samsung.com
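Added example, not part of the original mail: a small Python check that parses systemd-cgls output in the form quoted above and flags every cgroup whose unit name already appears among its own ancestors, which is exactly the machine.slice/machine-...scope duplication reported here. The regex accepts both the ASCII markers the mail shows and the box-drawing characters systemd-cgls prints on a UTF-8 terminal; the embedded sample is trimmed from case 2 above.

```python
import re

# A tree node line: optional "│ " guide columns, then a branch marker.
# "+-" / "L-" are the ASCII rendering seen in the mail; "├─" / "└─" are
# what systemd-cgls really prints on a UTF-8 terminal.
NODE_RE = re.compile(r"^(?P<indent>[│| ]*)(?:\+-|L-|├─|└─)(?P<name>.*)$")


def parse_cgls(text):
    """Yield the full cgroup path (as a tuple) of every cgroup node.

    Each indentation level in systemd-cgls output is two columns wide, so
    depth = len(indent) // 2.  Process lines ("2681 /usr/lib/systemd/systemd")
    start with a PID and are skipped; only slices/scopes/services are cgroups.
    """
    stack = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        name = m.group("name").strip()
        if name[:1].isdigit():
            continue  # a process entry, not a cgroup
        depth = len(m.group("indent")) // 2
        del stack[depth:]  # pop back to this node's parent
        stack.append(name)
        yield tuple(stack)


def find_duplicated_scopes(text):
    """Return paths whose last component recurs above itself (nested copies)."""
    return [path for path in parse_cgls(text) if path[-1] in path[:-1]]


# Sample trimmed from case 2 of the mail (container running systemd).
SAMPLE_CGLS = r"""
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2
│   L-machine.slice
│     L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       L-system.slice
│         +-2681 /usr/lib/systemd/systemd
│         L-systemd-journald.service
│           L-3200 /usr/lib/systemd/systemd-journald
L-system.slice
  +-1 /sbin/init
"""

if __name__ == "__main__":
    for path in find_duplicated_scopes(SAMPLE_CGLS):
        print("duplicated nesting:", "/".join(path))
```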