Unprivileged lxc as systemd service / cgroups default paths

Post by unicodeone » 2017-10-11 23:28

I had the idea of managing starting and stopping unprivileged lxc containers via systemd.

The unit.service file I wrote looks like this:

Code:
[Unit]
Description=lxc container ttimer

[Service]
Type=forking
PIDFile=/var/lib/lxc-home/pid
ExecStart=/usr/bin/lxc-start -n lxc01.dev -p /var/lib/lxc-home/pid --logpriority DEBUG
#ExecStart=/bin/bash -c '/bin/cat /proc/self/cgroup'
User=lxc_user
Group=lxc_user


Logs show me that I am on the right track, except for the message:

Code:
lxc_cgfs - cgroups/cgfs.c:lxc_cgroupfs_create:1022 - Permission denied - Could not create cgroup '/lxc' in '/sys/fs/cgroup/freezer'.


I used the day to get a better knowledge about systemd, cgroups, lxc and the big picture. I learned it's an error about the cgroup hierarchy.

When I am logged in as lxc_user I get

Code:
$ /bin/cat /proc/self/cgroup
10:devices:/user.slice
9:pids:/user.slice/user-900.slice/session-20.scope
8:memory:/user/lxc_user/0
7:net_cls,net_prio:/
6:cpu,cpuacct:/user.slice
5:blkio:/user.slice
4:perf_event:/
3:freezer:/user/lxc_user/0
2:cpuset:/
1:name=systemd:/user/lxc_user/0


But when running this via systemd (the commented out line in the unit file) I get

Code:
Oct 11 22:45:25 lxc03 bash[21263]: 10:devices:/machine.slice
Oct 11 22:45:25 lxc03 bash[21263]: 9:pids:/machine.slice/lxc_user.service
Oct 11 22:45:25 lxc03 bash[21263]: 8:memory:/machine.slice
Oct 11 22:45:25 lxc03 bash[21263]: 7:net_cls,net_prio:/
Oct 11 22:45:25 lxc03 bash[21263]: 6:cpu,cpuacct:/machine.slice
Oct 11 22:45:25 lxc03 bash[21263]: 5:blkio:/machine.slice
Oct 11 22:45:25 lxc03 bash[21263]: 4:perf_event:/
Oct 11 22:45:25 lxc03 bash[21263]: 3:freezer:/
Oct 11 22:45:25 lxc03 bash[21263]: 2:cpuset:/
Oct 11 22:45:25 lxc03 bash[21263]: 1:name=systemd:/machine.slice/lxc-ttimer.service


I know that it is possible to change the cgroup via a running process's PID, but in this case that would be too late. I need to change the path of the controller "freezer" before starting the container.

And that is the point where I can't find an answer to my question. How are these default cgroup paths defined? Why are some paths set to / and others to subgroups?
unicodeone
 
Posts: 1
Joined: 2017-10-11 23:05
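
An added example, not part of the original post: a small parser for the two /proc/self/cgroup listings quoted above that reports which controllers have a per-user cgroup in the login session but sit in the hierarchy root when started from the systemd unit. The function names are hypothetical and the sample input is copied from the post.

```python
import re

# Sample input: the two listings quoted in the post, embedded so this runs offline.
SESSION = """\
10:devices:/user.slice
9:pids:/user.slice/user-900.slice/session-20.scope
8:memory:/user/lxc_user/0
7:net_cls,net_prio:/
6:cpu,cpuacct:/user.slice
5:blkio:/user.slice
4:perf_event:/
3:freezer:/user/lxc_user/0
2:cpuset:/
1:name=systemd:/user/lxc_user/0
"""
SERVICE = """\
Oct 11 22:45:25 lxc03 bash[21263]: 10:devices:/machine.slice
Oct 11 22:45:25 lxc03 bash[21263]: 9:pids:/machine.slice/lxc_user.service
Oct 11 22:45:25 lxc03 bash[21263]: 8:memory:/machine.slice
Oct 11 22:45:25 lxc03 bash[21263]: 7:net_cls,net_prio:/
Oct 11 22:45:25 lxc03 bash[21263]: 6:cpu,cpuacct:/machine.slice
Oct 11 22:45:25 lxc03 bash[21263]: 5:blkio:/machine.slice
Oct 11 22:45:25 lxc03 bash[21263]: 4:perf_event:/
Oct 11 22:45:25 lxc03 bash[21263]: 3:freezer:/
Oct 11 22:45:25 lxc03 bash[21263]: 2:cpuset:/
Oct 11 22:45:25 lxc03 bash[21263]: 1:name=systemd:/machine.slice/lxc-ttimer.service
"""
# One entry is "hierarchy-ID:controller-list:path"; a journal prefix may precede it.
ENTRY = re.compile(r"(?:^|\s)(\d+):([^:\s]*):(/\S*)\s*$")

def parse_cgroup(text):
    """Return {controller: path}; 'net_cls,net_prio' becomes two keys."""
    paths = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            for ctrl in m.group(2).split(","):
                paths[ctrl] = m.group(3)
    return paths

def moved_to_root(session, service):
    """Controllers with a per-user cgroup in the session but '/' in the service."""
    return sorted(c for c, p in session.items()
                  if p != "/" and service.get(c) == "/")

if __name__ == "__main__":
    ses, svc = parse_cgroup(SESSION), parse_cgroup(SERVICE)
    print("in root only under systemd:", moved_to_root(ses, svc))
```

On the listings above it returns only freezer, the hierarchy named in the "Permission denied" log line.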
