I created a per-user container "t1", and confirm that it does start under upstart/cgmanager and doesn't under systemd. I now have a preliminary patch for putting the user slices into all cgroup controllers, plus some hand-crafted "chown ubuntu" for all the user-1000.slice cgroup directories so that they become writable (this part still needs to be added to the patch). I understand that this should now be sufficient:
ubuntu@ulxc:~$ ls -ld /sys/fs/cgroup/*/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/blkio/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/cpuacct/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/cpuset/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/cpu/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/devices/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/freezer/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/hugetlb/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/memory/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/net_cls,net_prio/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/net_cls/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/net_prio/user.slice/user-1000.slice/
drwxr-xr-x 2 ubuntu root 0 Nov 26 10:41 /sys/fs/cgroup/perf_event/user.slice/user-1000.slice/
drwxr-xr-x 4 root root 0 Nov 26 10:33 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/
I'm not sure why my login shell isn't in "cpuset", I'll debug that still. But I chown'ed /sys/fs/cgroup/cpuset/ to "ubuntu" as well.
But still lxc-start fails:
$ lxc-start -n t1 -F
lxc-start: cgfs.c: lxc_cgroupfs_create: 849 Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/user.slice/user-1000.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/user.slice/user-1000.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset//user.slice/user-1000.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset//user.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/hugetlb/user.slice/user-1000.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/user.slice/user-1000.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/user.slice/user-1000.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/user.slice/user-1000.slice
lxc-start: cgfs.c: cgroup_rmdir: 207 Permission denied - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls,net_prio/user.slice/user-1000.slice
lxc-start: start.c: lxc_spawn: 864 failed creating cgroups
Questions:
- Why is it trying to *remove* the existing cgroups? It sounds wrong to fuzz around with those, I thought it would merely want and need to create new cgroups below those? And the ubuntu user can definitively do that:
ubuntu@ulxc:~$ mkdir /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/mygroup
ubuntu@ulxc:~$ ls -ld /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/mygroup
drwxrwxr-x 2 ubuntu ubuntu 0 Nov 26 10:50 /sys/fs/cgroup/cpu,cpuacct/user.slice/user-1000.slice/mygroup
--logpriority debug --logfile /tmp/d doesn't really give much information either. stracing lxc-start only shows rmdir() whose errors are shown above, it doesn't have any mkdir() or similar call which would show an attempt to create new cgroups?
ubuntu@ulxc$ cat /proc/$$/cgroup
10:devices:/user.slice/user-1000.slice
9:memory:/user.slice/user-1000.slice
8:cpuset:/
7:hugetlb:/user.slice/user-1000.slice
6:blkio:/user.slice/user-1000.slice
5:cpu,cpuacct:/user.slice/user-1000.slice
4:freezer:/user.slice/user-1000.slice
3:perf_event:/user.slice/user-1000.slice
2:net_cls,net_prio:/user.slice/user-1000.slice
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
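A diagnostic for the setup described in the report above, as an added example that is not part of the original comment or of LXC: it reads a /proc/<pid>/cgroup file and reports, for each cgroup v1 hierarchy, whether the process's cgroup directory exists and is writable by the current user. The function name and status labels are hypothetical, and the /sys/fs/cgroup/<controller> mount layout is assumed from the listings in the report.

```shell
#!/bin/sh
# Added example (not from the original report or from LXC).
# Usage: check_cgroup_delegation [cgroup-file] [cgroup-root]
# Defaults inspect the calling process on a cgroup v1 layout.
# Returns 0 only if every listed hierarchy has a writable, non-root cgroup.
check_cgroup_delegation() {
    cgfile=${1:-/proc/self/cgroup}
    root=${2:-/sys/fs/cgroup}
    rc=0
    # Each line is "<id>:<controllers>:<path>".
    while IFS=: read -r _id ctrl path; do
        [ -n "$ctrl" ] || continue      # skip cgroup v2 "0::/path" entries
        mount=${ctrl#name=}             # "name=systemd" is mounted as "systemd"
        dir=$root/$mount$path
        if [ "$path" = "/" ]; then
            # The process was never moved into a user slice for this
            # controller, so there is no per-user directory to delegate.
            echo "ROOT      $ctrl (process is in the hierarchy root)"
            rc=1
        elif [ ! -d "$dir" ]; then
            echo "MISSING   $ctrl $dir"
            rc=1
        elif [ -w "$dir" ]; then
            # Note: -w is always true for root, so run this as the
            # unprivileged user who will start the container.
            echo "WRITABLE  $ctrl $dir"
        else
            echo "READONLY  $ctrl $dir"
            rc=1
        fi
    done < "$cgfile"
    return $rc
}
```

Run as the unprivileged user with no arguments, any line other than WRITABLE marks a hierarchy where that user cannot create a child cgroup.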