[systemd-devel] Is there a way to find out if Delegate=yes?
Yuri Kanivetsky
yuri.kanivetsky at gmail.com
Sun Oct 30 12:18:30 UTC 2022
On Thu, Oct 27, 2022 at 1:40 PM Arseny Maslennikov <ar at cs.msu.ru> wrote:
> It had successfully reached this mailing list by 2022-Oct-25, so that
> means you're not subscribed to the list. Strangely enough,
> the mail receiver rejects emails from non-subscribers, so you wouldn't
> be able to reach out to the list at all.
I'm subscribed, and received your second email. Probably some sort of
glitch. I just decided to notify you, just in case.
> I'll try to explain what I can. I suppose there's someone in the world
> who has really hit the problems described below and is in a better
> position to comment, or provide links to available resources where the
> experience is documented for the perusal of the community.
Thanks for your replies, things are a bit clearer at the moment. And
yeah, I'll probably ask the lxc guys as well. But let me add here what
I've learned so far, in case someone has anything to add.
Locally it works w/o systemd-run, although there's one warning when
running lxc-start (apparently non-fatal):
lxc-start c 20221030073216.345 WARN start -
../src/lxc/start.c:lxc_spawn:1832 - Operation not permitted - Failed
to allocate new network namespace id
On the server w/o systemd-run (these are probably also non-fatal):
lxc-start c 20221030114914.612 WARN apparmor -
lsm/apparmor.c:lsm_apparmor_ops_init:1275 - Per-container AppArmor
profiles are disabled because the mac_admin capability is missing
lxc-start c 20221030114914.626 WARN start - start.c:lxc_spawn:1835
- Operation not permitted - Failed to allocate new network namespace
id
But in the container's console I see:
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[[0;1;31m!!!!!![0m] Failed to mount API filesystems.
Exiting PID 1...
From what you said it looks like Delegate=yes is not about
permissions, but about not stepping on someone else's toes. Yet on the
server from the console output it looks like it's about permissions.
However that might be a result of stepping on someone else's toes. I'm
not sure.
There's also a related issue. I tried to launch a container locally
from another user (useradd + su), and it failed:
lxc-start c 20221030074222.316 ERROR cgfsng -
../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1232 - Failed
to connect to user bus: No medium found
lxc-start c 20221030074222.326 WARN start -
../src/lxc/start.c:lxc_spawn:1832 - Operation not permitted - Failed
to allocate new network namespace id
The console output:
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[^[[0;1;31m!!!!!!^[[0m] Failed to mount API filesystems.
Exiting PID 1...
Which somewhat reminds me of what I saw on the server. But when I
tried it with systemd-run (under this other user), systemd-run failed:
Failed to connect to bus: No medium found
More detailed logs can be found here:
https://gist.github.com/x-yuri/a6d31154df07405de97217ba75c1ff0f
Regards,
Yuri
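The subject line asks how to find out whether Delegate=yes applies to the unit a process runs in. The following is an added diagnostic, not code from this thread, from systemd or from lxc: it reads /proc/self/cgroup, works out which .service or .scope owns the process and whether that unit belongs to the system manager or to a user@UID.service manager (in which case `systemctl --user` must be asked), then queries `Delegate=` and `DelegateControllers=` via `systemctl show`. It assumes a cgroup v2 (unified) hierarchy and a reachable system or user bus; the parsing helpers take plain text so they can be exercised without systemd.

```python
#!/usr/bin/env python3
"""Find the systemd unit owning this process and ask its manager whether the
unit's cgroup is delegated (Delegate=yes). cgroup v2 only; parsing helpers
are pure functions so they can be checked offline with constructed input."""
import re
import subprocess
from typing import List, Optional, Tuple

UNIT_SUFFIXES = (".service", ".scope")  # only these unit types can delegate
USER_MANAGER = re.compile(r"user@\d+\.service")


def unit_from_cgroup(proc_cgroup_text: str) -> Tuple[Optional[str], bool]:
    """Return (unit name, managed by a user manager?) from /proc/<pid>/cgroup.
    Only the unified entry ("0::/...") is considered. A unit nested below
    user@UID.service belongs to that user's own manager (systemctl --user);
    user@UID.service itself is a system unit."""
    for line in proc_cgroup_text.splitlines():
        if not line.startswith("0::"):
            continue
        parts = line[3:].strip("/").split("/")
        under_user_mgr = any(USER_MANAGER.fullmatch(p) for p in parts)
        for comp in reversed(parts):  # innermost .service/.scope owns us
            if comp.endswith(UNIT_SUFFIXES):
                if USER_MANAGER.fullmatch(comp):
                    return comp, False
                return comp, under_user_mgr
        return None, under_user_mgr  # e.g. "0::/" inside a cgroup namespace
    return None, False


def parse_delegate(show_output: str) -> Tuple[bool, List[str]]:
    """Parse `systemctl show -p Delegate -p DelegateControllers UNIT` output."""
    props = dict(l.split("=", 1) for l in show_output.splitlines() if "=" in l)
    delegated = props.get("Delegate", "no") == "yes"
    return delegated, props.get("DelegateControllers", "").split()


def query_delegate(unit: str, user_mgr: bool) -> Tuple[bool, List[str]]:
    """Ask the owning manager; needs a working system or user bus connection."""
    cmd = ["systemctl"] + (["--user"] if user_mgr else []) + \
          ["show", "-p", "Delegate", "-p", "DelegateControllers", unit]
    return parse_delegate(subprocess.check_output(cmd, text=True))


if __name__ == "__main__":
    with open("/proc/self/cgroup") as f:
        unit, user_mgr = unit_from_cgroup(f.read())
    if unit is None:
        raise SystemExit("not inside a systemd .service/.scope (cgroup v2 only)")
    delegated, ctrls = query_delegate(unit, user_mgr)
    print(f"{unit} ({'user' if user_mgr else 'system'} manager): "
          f"Delegate={'yes' if delegated else 'no'} controllers={ctrls}")
```

If the script reports `Delegate=no`, running the container under `systemd-run -p Delegate=yes --scope ...` gives it a cgroup subtree it is allowed to manage; a `Failed to connect to bus` error from `query_delegate` is the same symptom as the `systemd-run` failure quoted above and means the manager for that user is not reachable from the current session.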