[systemd-devel] Put user at .service cgroups into all controllers (user LXC)

[Lennart Poettering]

On Mon, 03.11.14 16:25, Martin Pitt (martin.pitt at ubuntu.com) wrote:

> Hello all,
> 
> LXC upstream (in CC:) supports "unprivileged containers", i. e. you
> can create a rootfs in your $HOME and then run lxc-start on it with
> some initial preparation [1]. While of course they have some limits,
> they are very useful for a lot of applications and are by nature quite
> safe towards other users/containers/services on the same machine.
> 
> However, that requires putting at least the per-user session cgroup
> (from logind) into *all* available cgroup controllers, not just the
> "systemd" one, so that the per-user container actually has privileges
> to create sub-cgroups under the session-cN.scope parent.

We cannot blindly add user scopes/slices into all cgroup controllers,
since simply adding them to a cgroup might already affect on the
runtime. For example, if you add a cgroup to the "cpu" controller then
RT automatically becomes unavailable, and the processes get scheduled
evenly against all other cgroups on the same level.

Also, we cannot allow unprivileged access to most of the controllers,
not even "cpu". You can easily configure contradicting parameters in
the "cpu" controller in a way that can severely hurt the system. This
is not different for the other controllers either.

This isn't really something to solve in systemd, it requires kernel
work (and that work is quite far actually, with the unified cgroup
heirarchy).

To say this clearly: unpriviliged access to any of the hierarchies but
name=systemd is something we will *explicitly* not support until this
is deemed safe by the kernel folks.

Priviliged containers is less problematic, as they usually come
without security guarantees anyway.

Lennart

-- 
Lennart Poettering, Red Hat