[systemd-devel] Put user at .service cgroups into all controllers (user LXC)

Martin Pitt martin.pitt at ubuntu.com
Mon Nov 3 07:25:12 PST 2014


Hello all,

LXC upstream (in CC:) supports "unprivileged containers", i. e. you
can create a rootfs in your $HOME and then run lxc-start on it with
some initial preparation [1]. While of course they have some limits,
they are very useful for a lot of applications and are by nature quite
safe towards other users/containers/services on the same machine.

However, that requires putting at least the per-user session cgroup
(from logind) into *all* available cgroup controllers, not just the
"systemd" one, so that the per-user container actually has privileges
to create sub-cgroups under the session-cN.scope parent.

Thus this currently only works with cgmanager (which creates all
cgroups that way) or with systemd <= 204, which had the "Controllers"
option in logind.conf:

  Controllers=blkio cpu cpuacct cpuset devices freezer hugetlb memory perf_event net_cls net_prio

This certainly wasn't pretty, but it did the job.  This option went
away from later versions with moving to calling pid1's
StartTransientUnit() [2].

I'd like to get this functionality back, to eliminate another blocker
for switching Ubuntu to systemd by default, and would like to pick
your brain what you'd recommend as a solution. Note: this isn't Ubuntu
specific at all, just a generic question whether systemd wants to
support LXC's per-user containers, and whether potentially changing
the default behaviour would collide with anything else systemd wants
(or doesn't want to) do.

AFAIUI, the consequence of just always adding the session-cN.scope
into all controllers is mostly a very small performance penalty due to
the additional cgroup translations. If there are reasons to not do
this by default, the other options would be to (re-)introduce some
config option (which would certainly look different now, as logind
cgroups are now not particularly "special" compared to other service
cgroups), or carrying a downstream patch (least preferred of course,
but if necessary we'll have to do that -- we don't want to regress
LXC).

Hints are appreciated. Thanks!

Martin

[1] https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
[2] http://cgit.freedesktop.org/systemd/systemd/commit/?id=fb6becb4436ae

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20141103/12069181/attachment.sig>


More information about the systemd-devel mailing list