[Bug 1346734] Re: Unprivileged LXC containers don't work under systemd

Launchpad Bug Tracker 1346734 at bugs.launchpad.net
Mon Dec 1 18:37:03 UTC 2014


This bug was fixed in the package systemd - 217-2ubuntu1

---------------
systemd (217-2ubuntu1) vivid; urgency=medium

  * Merge with Debian unstable. See 217-1ubuntu1 for remaining Ubuntu changes.
  * Put session scopes into all cgroup controllers instead of their parent
    user slices. This works better with killing sessions and is consistent
    with the "systemd" controller.
  * Do not realize and migrate cgroups multiple times, in particular
    "-.slice". This fixes PIDs in non-systemd cgroup controllers to be
    randomly migrated back to /. (LP: #1346734)
  * boot-and-services autopkgtest: Give test apparmor job some time to
    actually finish.

systemd (217-2) experimental; urgency=medium

  * Re-enable journal forwarding to syslog, until Debian's sysloggers
    can/do all read from the journal directly.
  * Fix hostnamectl exit code on success.
  * Fix "diff failed with error code 1" spew with systemd-delta.
    (Closes: #771397)
  * Re-enable systemd-resolved. This wasn't meant to break the entire
    networkd, just disable the new NSS module. Remove that one manually
    instead. (Closes: #771423, LP: #1397361)
  * Import v217-stable patches (up to commit bfb4c47 from 2014-11-07).
  * Disable AppArmor again. This first requires moving libapparmor to /lib
    (see #771667). (Closes: #771652)
  * systemd.bug-script: Capture stderr of systemd-{delta,analyze}.
    (Closes: #771498)
 -- Martin Pitt <martin.pitt at ubuntu.com>   Mon, 01 Dec 2014 17:17:30 +0100

** Changed in: systemd (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1346734

Title:
  Unprivileged LXC containers don't work under systemd

Status in systemd package in Ubuntu:
  Fix Released

Bug description:
  With systemd 208, unprivileged containers stop working when running
  under systemd (working fine under upstart with cgmanager). Quoting
  Stephane Graber:

  In this setup, things don't work nearly as well. On login I'm only
  placed into the name=systemd cgroup and not in any of the others, which
  means that unprivileged LXC isn't usable.

  Martin suggested setting JoinControllers in /etc/systemd/system.conf but
  upon closer inspection, this isn't at all what we want. This setting is
  used to tell systemd what controllers to co-mount, by default this is
  set to cpu,cpuset (which caused the earlier cgmanager breakage).

  Even though this option isn't helpful for what we want (i.e. setting the
  list of cgroup controllers the first PID of a user session should be
  added to), we should nonetheless set it to an empty string which should
  instruct systemd not to co-mount any controller, therefore giving us a
  more reliable behavior (identical to what we have in the upstart world
  and unlikely to confuse lxc and other stuff doing direct cgroup access).

  Additionally, we need to find an equivalent to our good old
  "Controllers" logind.conf option, or re-introduce it or just patch
  logind so that it will always join all the controllers (similar to what
  the shim does).

  
  == Actions ==
   * Update systemd.conf to set JoinControllers to an empty value.
   * Make it so new user sessions are joined to all the available
     controllers by doing one of the following:
     - Find the magic undocumented config variable
     - Re-introduce the "Controllers" option in logind.conf
     - Patch logind to have it always join all available controllers
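The symptom described above (a login session placed in name=systemd but left in `/` for the other controllers) can be checked from `/proc/<pid>/cgroup`. The following is an added example, not code from the bug report or from systemd; the sample contents and the session path are constructed, and the function names are hypothetical.

```python
import sys

SESSION = "/user.slice/user-1000.slice/session-c2.scope"  # constructed path

# Constructed /proc/<pid>/cgroup content (cgroup v1: "hierarchy-ID:controllers:path")
# showing the symptom from the bug description: only name=systemd has a session path.
SAMPLE_BROKEN = (
    "5:memory:/\n"
    "4:cpu,cpuacct:/\n"  # co-mounted controllers share one line
    "3:devices:/\n"
    "2:freezer:/\n"
    "1:name=systemd:" + SESSION + "\n"
)
# The same process once its session has been joined to every controller.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(":/\n", ":" + SESSION + "\n")


def parse_cgroup(text):
    """Map each controller name to the cgroup path the process is in."""
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy, controllers, path = line.split(":", 2)
        if not controllers:  # cgroup v2 unified entry ("0::/path"), not a v1 controller
            continue
        for name in controllers.split(","):
            membership[name] = path
    return membership


def unjoined_controllers(text):
    """Controllers still at "/" although name=systemd places the PID in a session."""
    membership = parse_cgroup(text)
    if membership.get("name=systemd", "/") == "/":
        return []  # no session cgroup to compare against
    return sorted(name for name, path in membership.items()
                  if name != "name=systemd" and path == "/")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional argument: a PID to inspect on a live system
        with open(f"/proc/{sys.argv[1]}/cgroup") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BROKEN
    missing = unjoined_controllers(text)
    print("left in / for:", ", ".join(missing) if missing else "none")
```

Run with a PID argument to inspect a live process; with no argument it reports on the constructed broken sample.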
