[lxc-users] ghost services on LXC containers


Harald Dunkel

Aug 13, 2020, 3:02:30 AM
to lxc-...@lists.linuxcontainers.org
Hi folks,

using Debian 10 and lxc 4.0.2 (or 4.0.4) I found ghost services in my
containers. Sample:

# cat /sys/fs/cgroup/unified/system.slice/cron.service/cgroup.procs
50
0

# cat /sys/fs/cgroup/unified/system.slice/dbus.service/cgroup.procs
48
0

# cat /sys/fs/cgroup/unified/system.slice/zabbix-agent.service/cgroup.procs
0
0
0
0
0
0


PID 0 is not valid here, AFAICT. And zabbix-agent isn't even installed
in my container. It's installed on the host only.

Can anybody reproduce this? See also

https://lists.freedesktop.org/archives/systemd-devel/2020-August/044999.html
https://bugs.debian.org/968049


Every insightful comment is highly appreciated
Harri

Harald Dunkel

Aug 13, 2020, 6:23:36 AM
to lxc-...@lists.linuxcontainers.org
On 8/13/20 9:02 AM, Harald Dunkel wrote:
>
> # cat /sys/fs/cgroup/unified/system.slice/zabbix-agent.service/cgroup.procs
> 0
> 0
> 0
> 0
> 0
> 0
>
>
> PID 0 is not valid here, AFAICT. And zabbix-agent isn't even installed
> in my container. It's installed on the host only.
>

PS:
Lennart Poettering wrote about this:

Is it possible the container and the host run in the very same cgroup
hierarchy?

If that's the case (and it looks like it): this is not
supported. Please file a bug against LXC, it's very clearly broken.

(https://lists.freedesktop.org/archives/systemd-devel/2020-August/045022.html)


I would be highly interested in your thoughts about this.

Harri

Fajar A. Nugraha

Aug 13, 2020, 6:32:54 AM
to LXC users mailing-list


Try (two times, once inside the container, once inside the host):
- cat /proc/self/cgroup
- ls -la /proc/self/ns

--
Fajar

Harald Dunkel

Aug 13, 2020, 6:47:41 AM
to lxc-...@lists.linuxcontainers.org
On 8/13/20 12:32 PM, Fajar A. Nugraha wrote:
> Try (two times, once inside the container, once inside the host):
> - cat /proc/self/cgroup
> - ls -la /proc/self/ns

On the host:

root@il08:~# cat /proc/self/cgroup
13:name=systemd:/
12:rdma:/
11:pids:/
10:perf_event:/
9:net_prio:/
8:net_cls:/
7:memory:/
6:freezer:/
5:devices:/
4:cpuset:/
3:cpuacct:/
2:cpu:/
1:blkio:/
0::/
root@il08:~# ls -la /proc/self/ns
total 0
dr-x--x--x 2 root root 0 Aug 13 12:40 .
dr-xr-xr-x 9 root root 0 Aug 13 12:40 ..
lrwxrwxrwx 1 root root 0 Aug 13 12:40 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 time -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 time_for_children -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Aug 13 12:40 uts -> 'uts:[4026531838]'


Entering the container:

root@il08:~# lxc-attach -n il02
root@il02:~# cat /proc/self/cgroup
13:name=systemd:/
12:rdma:/
11:pids:/
10:perf_event:/
9:net_prio:/
8:net_cls:/
7:memory:/
6:freezer:/
5:devices:/
4:cpuset:/
3:cpuacct:/
2:cpu:/
1:blkio:/
0::/
root@il02:~# ls -la /proc/self/ns
total 0
dr-x--x--x 2 root root 0 Aug 13 12:42 .
dr-xr-xr-x 9 root root 0 Aug 13 12:42 ..
lrwxrwxrwx 1 root root 0 Aug 13 12:42 cgroup -> 'cgroup:[4026532376]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 ipc -> 'ipc:[4026532313]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 mnt -> 'mnt:[4026532311]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 net -> 'net:[4026532316]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 pid -> 'pid:[4026532314]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 pid_for_children -> 'pid:[4026532314]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 time -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 time_for_children -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Aug 13 12:42 uts -> 'uts:[4026532312]'


I am not sure what this is trying to tell me, though. Is this the same
hierarchy? And would you agree that this is really a bad thing to do?

Harri

Fajar A. Nugraha

Sep 10, 2020, 1:27:02 AM
to LXC users mailing-list

It shouldn't be. /proc/self/ns says the two have different cgroup
namespaces, so even if /proc/self/cgroup looks the same, they are not.

> And would you agree that this is really a bad thing to do?

If they're the same hierarchy in the same namespace, yes.
If they're in different namespaces, no.

Not sure what's wrong on your setup though. Your debian bug page link
says 'No longer marked as found in versions systemd/241-7~deb10u4', so
perhaps there's that.

If this is still reproducible on systems with that (or newer) versions
of systemd, I'd suggest these to help find the root cause:
- try latest lxd from snap
- try on ubuntu host and container

I'm using ubuntu with systemd 237-3ubuntu10.20 and 245.4-4ubuntu3.1,
and don't experience your bug report.

--
Fajar
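
The comparison suggested in this thread (the /proc/self/ns links on the host against those in the container), as an added example that is not part of any message above. ns_compare, make_sample and demo are hypothetical helper names, and the sample directories are constructed from the two listings posted earlier.

```shell
#!/bin/sh
# Added example: report which namespaces two processes share.
# On a live host (as root), assuming CTR_PID is the container's init PID
# as seen from the host:
#   ns_compare /proc/1/ns /proc/$CTR_PID/ns
ns_compare() {
    host_ns=$1
    ctr_ns=$2
    for link in "$host_ns"/*; do
        name=${link##*/}
        # *_for_children only describes future children; skip it.
        case $name in *_for_children) continue ;; esac
        host_id=$(readlink "$link") || continue
        if ctr_id=$(readlink "$ctr_ns/$name" 2>/dev/null); then
            if [ "$host_id" = "$ctr_id" ]; then
                echo "$name shared $host_id"
            else
                echo "$name distinct $host_id $ctr_id"
            fi
        else
            echo "$name unreadable"
        fi
    done
}

# Build a stand-in ns directory from name=inode pairs (constructed sample).
# Dangling symlinks are enough, because only the link text is compared.
make_sample() {
    dir=$1; shift
    mkdir -p "$dir"
    for pair in "$@"; do
        ln -s "${pair%%=*}:[${pair#*=}]" "$dir/${pair%%=*}"
    done
}

# Inode numbers copied from the host (il08) and container (il02) listings.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/host" cgroup=4026531835 ipc=4026531839 \
        mnt=4026531840 net=4026531992 pid=4026531836 \
        time=4026531834 user=4026531837 uts=4026531838
    make_sample "$tmp/il02" cgroup=4026532376 ipc=4026532313 \
        mnt=4026532311 net=4026532316 pid=4026532314 \
        time=4026531834 user=4026531837 uts=4026532312
    ns_compare "$tmp/host" "$tmp/il02"
    rm -rf "$tmp"
}
demo
```

For the posted listings this reports cgroup, ipc, mnt, net, pid and uts as distinct, and time and user as shared. A shared user namespace means root in the container is root on the host, that is, a privileged container.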
