[Bug 1413927] Re: login name=systemd cgroup is not owned by user

Martin Pitt martin.pitt at ubuntu.com
Sun Jan 25 13:29:20 UTC 2015


> Right so the bug here is that your session-c2.scope was created
without giving you ownership of the directory

Indeed this hasn't previously been done for the "systemd" controller; it
didn't seem necessary with previous LXC versions, but apparently is now.
Chowning the

> and the tasks and cgroup.procs files.

No, I am not going to own those to the user. This would be a (small)
privilege escalation bug, as the user could then move processes from a
less privileged session (like from ssh) to a more privileged one (like a
local desktop session). This also doesn't seem to be necessary, neither
for upstart nor systemd containers.

** Changed in: systemd (Ubuntu)
     Assignee: (unassigned) => Martin Pitt (pitti)

** Description changed:

  When a user logs in, systemd-logind should create cgroups for the user,
  with the directory (i.e. /user.slice/user-1000.slice/session-c2.scope)
- and the tasks and cgroup.procs files (but no othes) owned by the user.
- This is no longer hapening for the name=systemd cgroup.  This prevents
- containers from starting.  (If lxc were to simply not create/use that
- controller, then it would prevent system in the container from using
- it).
+ owned by the user.  This is no longer hapening for the name=systemd
+ cgroup.  This prevents containers from starting.  (If lxc were to simply
+ not create/use that controller, then it would prevent system in the
+ container from using it).
  
  I wanted to test the new lxc with lxcfs. A system container (with
  upstart or systemd) works perfectly well now (great!), but user
  containers regressed:
  
  $ lxc-create -n v1 -t download -- -d ubuntu -r vivid -a amd64
  $ lxc-start -n v1  -F
  lxc-start: cgmanager.c: lxc_cgmanager_enter: 694 call to cgmanager_move_pid_sync failed: invalid request
  lxc-start: start.c: __lxc_start: 1099 failed to spawn 'v1'
  lxc-start: lxc_start.c: main: 345 The container failed to start.
  
  My host is running systemd, but cgmanager is running (i. e. it's not bug
  1400394, I enabled cgmanager.service).
  
  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: lxc 1.1.0~rc1-0ubuntu1
  ProcVersionSignature: Ubuntu 3.18.0-9.10-generic 3.18.2
  Uname: Linux 3.18.0-9-generic x86_64
  ApportVersion: 2.15.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Jan 23 10:35:55 2015
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2014-11-20 (63 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Alpha amd64 (20141119)
  SourcePackage: lxc
  UpgradeStatus: No upgrade log present (probably fresh install)
  defaults.conf:
   lxc.network.type = veth
   lxc.network.link = lxcbr0
   lxc.network.flags = up
   lxc.network.hwaddr = 00:16:3e:xx:xx:xx
  lxc.conf: lxc.lxcpath = /srv/lxc

** Changed in: systemd (Ubuntu)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1413927

Title:
  login name=systemd cgroup is not owned by user

Status in systemd package in Ubuntu:
  In Progress

Bug description:
  When a user logs in, systemd-logind should create cgroups for the
  user, with the directory (i.e.
  /user.slice/user-1000.slice/session-c2.scope) owned by the user.  This
  is no longer happening for the name=systemd cgroup.  This prevents
  containers from starting.  (If lxc were to simply not create/use that
  controller, then it would prevent system in the container from using
  it).

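The ownership split Martin describes (scope directory chowned to the user, tasks and cgroup.procs left root-owned so the user cannot write PIDs across sessions) can be checked on a host with a small audit. The following is an added example, not code from the bug or from systemd/lxc; the path layout under /sys/fs/cgroup/systemd is assumed, and the constructed ownership maps in `main` stand in for real stat() results.

```python
import os
from pathlib import Path

# Policy from the thread: the session scope directory in the name=systemd
# hierarchy belongs to the user (otherwise unprivileged lxc cannot create
# sub-cgroups and lxc-start fails), while tasks and cgroup.procs must stay
# root-owned: a user who can write PIDs into them could move processes from a
# less privileged session (ssh) into a more privileged one (local desktop).
MUST_BE_USER = ("",)                      # "" denotes the scope directory itself
MUST_STAY_ROOT = ("tasks", "cgroup.procs")

def collect_owners(scope_dir):
    """Map "" (the directory) and every entry inside it to its owning uid."""
    base = Path(scope_dir)
    owners = {"": base.stat().st_uid}
    for entry in base.iterdir():
        owners[entry.name] = entry.stat().st_uid
    return owners

def audit_owners(owners, uid):
    """Return a list of findings for one session scope; empty means the
    ownership matches logind's policy. Pure function, so it can be fed
    constructed maps as well as collect_owners() output."""
    findings = []
    for name in MUST_BE_USER:
        if owners.get(name) != uid:
            findings.append(f"'{name or '.'}' owned by uid {owners.get(name)}, expected {uid}: "
                            "user cannot create sub-cgroups, unprivileged lxc-start fails")
    for name in MUST_STAY_ROOT:
        if name in owners and owners[name] != 0:
            findings.append(f"'{name}' owned by uid {owners[name]}, expected 0: "
                            "user could move PIDs across sessions (privilege escalation)")
    return findings

def audit_session_scope(uid, session="c2", root="/sys/fs/cgroup/systemd"):
    """Audit a live scope, e.g. .../user.slice/user-1000.slice/session-c2.scope."""
    scope = Path(root) / "user.slice" / f"user-{uid}.slice" / f"session-{session}.scope"
    return audit_owners(collect_owners(scope), uid)

if __name__ == "__main__":
    # Constructed ownership maps: the buggy layout from the report, and the
    # layout the reporter asked for, which Martin rejects as an escalation.
    buggy = {"": 0, "tasks": 0, "cgroup.procs": 0, "notify_on_release": 0}
    over_shared = {"": 1000, "tasks": 1000, "cgroup.procs": 1000}
    for label, owners in (("buggy", buggy), ("over-shared", over_shared)):
        print(label, audit_owners(owners, 1000) or "ok")
```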