recently (re) introduced systemd mount problems on unprivileged containers?

Ede Wolf

May 14, 2021, 5:24:48 AM
to LXC users mailing-list
Hello,

After an upgrade of either lxc or systemd, unprivileged containers
using systemd as init system fail to start, because they cannot mount
/sys/fs/cgroup/systemd:

"Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted"
[!!!!!!] "Failed to mount API filesystems."

Fair enough, as this directory does not exist on the host. Creating it
manually and assigning it the proper permissions makes the container
start up:

mkdir /sys/fs/cgroup/systemd
mount -t cgroup -o none,name=systemd systemd /sys/fs/cgroup/systemd
chown unpriv:lxc /sys/fs/cgroup/systemd

Now, while it is no deal to create this directory beforehand, what makes
me wonder, if I have multiple containers running under different users,
how would that be accomplished, when all are trying to mount the same
cgroup directory?
Therefore I am not too confident, this is the proper way of handling this.

Further, another, not yet updated host, does neither feature this
cgroup/systemd directory, but the containers do still start up fine. And
we are not talking about a big version jump:

lxc-4.0.6 vs. 4.0.8,
systemd 248-5 vs. 248.2-2.
kernel 5.10.31 vs. 5.10.36

respectively, with the lower versions still working flawlessly.

Has there been any major change, that is not reflected by the versioning?
Or are there any hints for an obvious misconfiguration on my side that
I've just been getting away with so far?

Thanks

Ede
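
To compare the host that still works with the one that fails, the cgroup mounts each one exposes can be summarised from `/proc/self/mountinfo`. The sketch below is an added example, not part of the original post; the function name `cgroup_summary` and both sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the cgroup mounts
# found in mountinfo-format text read from stdin.
# On a real host: cgroup_summary < /proc/self/mountinfo

cgroup_summary() {
    # Fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
    awk '
    {
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (!sep) next                      # not a mountinfo line
        fstype = $(sep + 1); superopts = $(sep + 3)
        if (fstype == "cgroup2") v2 = $5
        if (fstype == "cgroup") {
            v1++
            # Named hierarchy, as created by "-o none,name=systemd"
            if (("," superopts ",") ~ /,name=systemd,/) named = $5
        }
    }
    END {
        printf "cgroup2=%s v1_mounts=%d name_systemd=%s\n",
            (v2 == "" ? "absent" : v2), v1, (named == "" ? "absent" : named)
    }'
}

# Constructed sample: a host with a single cgroup2 mount.
SAMPLE_A='30 23 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:4 - cgroup2 cgroup2 rw,nsdelegate'

# Constructed sample: a host that also has a name=systemd v1 hierarchy mounted.
SAMPLE_B="$SAMPLE_A
41 30 0:35 / /sys/fs/cgroup/systemd rw,relatime shared:9 - cgroup systemd rw,name=systemd"

printf '%s\n' "$SAMPLE_A" | cgroup_summary
printf '%s\n' "$SAMPLE_B" | cgroup_summary
```

Running the function on both hosts and diffing the two output lines shows whether the set of mounted hierarchies changed across the upgrade.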