
Re[2]: LXC backport for jessie?



Dear Christian,

29.03.2016 21:17, Christian Seiler <christian@iwakd.de>
> On 03/05/2016 11:30 AM, Bogdan wrote:
> > Would someone be interested in creating such a backport?
> 
> Just for your information: lxc 1:1.1.5-1~bpo8+1 was accepted into
> jessie-backports today (thanks, backports ftp-masters!)

Thanks a lot! Just installed it :)

> Take note of two things:
> 1. Creating a container as a normal user (which was your use case for
> requesting the backport, I believe) needs some manual intervention
> (also on Stretch, this is not specific to the backport):

I've "played" quite a lot with my local backport, unfortunately with no success yet.

I was trying to start unprivileged but system-wide container - so I worked from a `sudo -s`
(which is definitely not the same as sshing in as root - at least for cgroups purposes),
with properly mapped subuid/subgid (to a sub-range of a different, non-root host user).
The reason to do so: wanted easy container autostart, and no extra fiddling with settings :)

The container did start fine under the specified subuid, but for some reason systemd wasn't starting in it.
Symptoms include:
- 'Failed to get D-Bus connection: Unknown error -1' in response to `systemctl`;
- 'Failed to talk to init daemon.' in response to `halt`;
- systemd is listed in top as PID 1 in the container, but running `systemd` says 'Trying to run as user instance, but the system has not been booted with systemd.'

Removing the subuid/subgid mapping from the container config file does solve the problem, and the container functions as a normal privileged one.

I think I have also tried chowning /var/lib/lxc/containername to the configured subuser/subgroup,
but still had the same failure.
I have already almost given up :)

>     a. You need to explicitly tell the kernel to allow it (it's
>        disabled by default), so set the following sysctl:
>        kernel.unprivileged_userns_clone = 1
>        (Make it permanent in /etc/sysctl.d.)

Haven't seen this one anywhere, thanks!
Must have been looking in all the wrong places :)

This alone did not fix my 'systemd not running' problem.

>     b. You need to make sure that the process starting the LXC
>        container is in a cgroup where the current user can create
>        sub-cgroups for _every_ controller. In Ubuntu their systemd
>        version carries a patch that session scopes have that
>        property by default to support LXC, but that is not the case
>        in Debian, which basically means this still needs to be done
>        manually at the moment. Examples of how to do so can be found
>        in the first response in this stackexchange thread: [1]
> If you follow that, you can in fact create unprivileged containers
> as a normal user, both on Stretch and also on Jessie with this backport.
> [1] http://unix.stackexchange.com/questions/170998/how-to-create-user-cgroups-with-systemd

Thanks, haven't seen this either!

Let me just try this right now:
- wasn't able to `systemctl start cgmanager` (cgmanager 0.33-2+deb8u2):
Mar 30 12:49:36 Debian-83-jessie-64-minimal cgmanager[29410]: cgmanager: failed to create release agent for perf_event
Mar 30 12:49:36 Debian-83-jessie-64-minimal cgmanager[29410]: cgmanager: Error creating release agent symlinks
Mar 30 12:49:36 Debian-83-jessie-64-minimal systemd[1]: cgmanager.service: main process exited, code=exited, status=1/FAILURE
- installed backported cgmanager+lib 0.39-2~bpo8+1, started successfully
- with USER=root, succeeded with `sudo cgm create all $USER && sudo cgm chown all $USER $(id -u) $(id -g) && sudo cgm movepid all $USER $PPID`
- this hasn't fixed systemd not starting in the container
- with USER=unpriv_owner_of_subuids_subgids, succeeded with `sudo cgm create all $USER && sudo cgm chown all $USER $(id -u) $(id -g) && sudo cgm movepid all $USER $PPID`
- this hasn't fixed systemd not starting in the container

I must be doing something very wrong... Something simple, I suspect.

I'll try creating/starting the container from the actual unpriv_owner_of_subuids_subgids account,
and then on success will figure out how to make it autostart (I guess a usual systemd service file will work fine).

> 2. As per backports policy, we will track the LXC package in Stretch
> with jessie-backports, and the plan for Stretch is to include LXC 2.0.

Ok, good to know.

Thanks a lot,
Bogdan
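The three preconditions Christian's reply spells out (the userns sysctl, a sub-id range owned by the container owner, and cgroup delegation for every controller of the starting process) can be checked before touching lxc-start. The script below is an added example, not code from the thread, from Debian or from the lxc package. Every check reads the real system file by default but takes a file argument so it can be run against constructed input; the user name lxcuser and the range 100000/65536 in the usage line are assumptions, and the cgroup check assumes the cgroup v1 layout under /sys/fs/cgroup that jessie uses (on a unified cgroup v2 host it lists nothing).

```shell
#!/bin/sh
# Preflight checks for an unprivileged LXC container on jessie-backports.
# Added example, not code from the thread or the lxc package. Each check reads
# the live system file by default but accepts a file argument so it can be run
# against constructed input. User name and id range in the usage line are
# assumptions.

# 1. Debian's kernel refuses unprivileged user namespaces unless the sysctl
#    kernel.unprivileged_userns_clone reads 1. Returns 0 when enabled.
userns_enabled() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# 2. subid_range_ok USER START COUNT [FILE]: USER must own an entry in FILE
#    (/etc/subuid or /etc/subgid, "user:start:count" per line) that covers
#    START .. START+COUNT-1, i.e. the range the container config maps.
subid_range_ok() {
    user=$1; start=$2; count=$3; file=${4:-/etc/subuid}
    awk -F: -v u="$user" -v s="$start" -v c="$count" '
        $1 == u && $2 <= s && s + c <= $2 + $3 { found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# 3. Print "controller path" for every named cgroup v1 hierarchy in a
#    /proc/<pid>/cgroup file ("id:controllers:path"). Co-mounted controllers
#    such as cpu,cpuacct share one line there and get one line each here; the
#    "name=" prefix of the systemd hierarchy is dropped so the result matches
#    the directory name under /sys/fs/cgroup. cgroup v2 lines ("0::/...") have
#    no controller field and are skipped.
cgroup_hierarchies() {
    file=${1:-/proc/self/cgroup}
    awk -F: '$2 != "" {
        n = split($2, ctl, ",")
        for (i = 1; i <= n; i++) { sub(/^name=/, "", ctl[i]); print ctl[i], $3 }
    }' "$file"
}

# cgroup_undelegated [CGROUP_FILE] [CGROUP_ROOT]: print each controller whose
# current cgroup directory the caller cannot create sub-cgroups in (mkdir needs
# write and search permission on it). Empty output means every controller is
# delegated, which is what lxc-start needs to move the container into its own
# sub-cgroups.
cgroup_undelegated() {
    file=${1:-/proc/self/cgroup}; root=${2:-/sys/fs/cgroup}
    cgroup_hierarchies "$file" | while read -r ctl path; do
        dir="$root/$ctl$path"
        [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ] || echo "$ctl"
    done
}

# preflight USER START COUNT: run all checks against the live system and
# report one line per check. Returns non-zero if any check failed.
preflight() {
    rc=0
    if userns_enabled; then echo "ok   kernel.unprivileged_userns_clone=1"
    else echo "FAIL kernel.unprivileged_userns_clone is not 1 (set it in /etc/sysctl.d)"; rc=1; fi
    for f in /etc/subuid /etc/subgid; do
        if subid_range_ok "$1" "$2" "$3" "$f"; then echo "ok   $f covers $2..$(($2 + $3 - 1)) for $1"
        else echo "FAIL $f has no entry for $1 covering $2 (count $3)"; rc=1; fi
    done
    missing=$(cgroup_undelegated)
    if [ -z "$missing" ]; then echo "ok   all cgroup controllers delegated to this process"
    else echo "FAIL controllers not delegated:" $missing; rc=1; fi
    return $rc
}

# Usage (hypothetical user and range): sh lxc-preflight.sh run lxcuser 100000 65536
if [ "${1:-}" = "run" ]; then
    shift
    preflight "$@"
fi
```

Run it from the same shell that will later run lxc-start, since the cgroup check inspects that process's own cgroup membership; a `sudo -s` shell and a root login shell can sit in different cgroups, which is the difference the original message observed.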


 

this freemail appends ads, sorry: