Ao criar um contêiner LXC de usuários (sem privilégios) no Ubuntu 14.04 com a seguinte linha de comando:
lxc-create -n test1 -t download -- -d $(lsb_release -si|tr 'A-Z' 'a-z') -r $(lsb_release -sc) -a $(dpkg --print-architecture)
e (sem tocar no arquivo de configuração criado) e depois tentar iniciá-lo com:
lxc-start -n test1 -l DEBUG
Falha. O arquivo de log mostra-me:
lxc-start 1420149317.700 INFO lxc_start_ui - using rcfile /home/user/.local/share/lxc/test1/config
lxc-start 1420149317.700 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1420149317.701 INFO lxc_confile - read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start 1420149317.701 INFO lxc_confile - read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start 1420149317.701 WARN lxc_log - lxc_log_init called with log already initialized
lxc-start 1420149317.701 INFO lxc_lsm - LSM security driver AppArmor
lxc-start 1420149317.701 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1420149317.702 DEBUG lxc_conf - allocated pty '/dev/pts/2' (5/6)
lxc-start 1420149317.702 DEBUG lxc_conf - allocated pty '/dev/pts/7' (7/8)
lxc-start 1420149317.702 DEBUG lxc_conf - allocated pty '/dev/pts/8' (9/10)
lxc-start 1420149317.702 DEBUG lxc_conf - allocated pty '/dev/pts/10' (11/12)
lxc-start 1420149317.702 INFO lxc_conf - tty's configured
lxc-start 1420149317.702 DEBUG lxc_start - sigchild handler set
lxc-start 1420149317.702 DEBUG lxc_console - opening /dev/tty for console peer
lxc-start 1420149317.702 DEBUG lxc_console - using '/dev/tty' as console
lxc-start 1420149317.702 DEBUG lxc_console - 14946 got SIGWINCH fd 17
lxc-start 1420149317.702 DEBUG lxc_console - set winsz dstfd:14 cols:118 rows:61
lxc-start 1420149317.905 INFO lxc_start - 'test1' is initialized
lxc-start 1420149317.906 DEBUG lxc_start - Not dropping cap_sys_boot or watching utmp
lxc-start 1420149317.906 INFO lxc_start - Cloning a new user namespace
lxc-start 1420149317.906 INFO lxc_cgroup - cgroup driver cgmanager initing for test1
lxc-start 1420149317.907 ERROR lxc_cgmanager - call to cgmanager_create_sync failed: invalid request
lxc-start 1420149317.907 ERROR lxc_cgmanager - Failed to create hugetlb:test1
lxc-start 1420149317.907 ERROR lxc_cgmanager - Error creating cgroup hugetlb:test1
lxc-start 1420149317.907 INFO lxc_cgmanager - cgroup removal attempt: hugetlb:test1 did not exist
lxc-start 1420149317.908 INFO lxc_cgmanager - cgroup removal attempt: perf_event:test1 did not exist
lxc-start 1420149317.908 INFO lxc_cgmanager - cgroup removal attempt: blkio:test1 did not exist
lxc-start 1420149317.908 INFO lxc_cgmanager - cgroup removal attempt: freezer:test1 did not exist
lxc-start 1420149317.909 INFO lxc_cgmanager - cgroup removal attempt: devices:test1 did not exist
lxc-start 1420149317.909 INFO lxc_cgmanager - cgroup removal attempt: memory:test1 did not exist
lxc-start 1420149317.909 INFO lxc_cgmanager - cgroup removal attempt: cpuacct:test1 did not exist
lxc-start 1420149317.909 INFO lxc_cgmanager - cgroup removal attempt: cpu:test1 did not exist
lxc-start 1420149317.910 INFO lxc_cgmanager - cgroup removal attempt: cpuset:test1 did not exist
lxc-start 1420149317.910 INFO lxc_cgmanager - cgroup removal attempt: name=systemd:test1 did not exist
lxc-start 1420149317.910 ERROR lxc_start - failed creating cgroups
lxc-start 1420149317.910 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1420149317.910 ERROR lxc_start - failed to spawn 'test1'
lxc-start 1420149317.910 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1420149317.910 INFO lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
lxc-start 1420149317.910 ERROR lxc_start_ui - The container failed to start.
lxc-start 1420149317.910 ERROR lxc_start_ui - Additional information can be obtained by setting the --logfile and --logpriority options.
Agora vejo dois erros aqui, o último provavelmente resultado do primeiro, que é:
lxc_start - falha ao criar cgroups
No entanto, vejo /sys/fs/cgroupmontado:
$ mount|grep cgr
none on /sys/fs/cgroup type tmpfs (rw)
e cgmanagerestá instalado:
$ dpkg -l|awk '$1 ~ /^ii$/ && /cgmanager/ {print $2 " " $3 " " $4}'
cgmanager 0.24-0ubuntu7 amd64
libcgmanager0:amd64 0.24-0ubuntu7 amd64
Nota: Meu host ainda é o padrão upstart.
Caso haja alguma dúvida, o suporte ao kernel cgroups:
$ grep CGROUP /boot/config-$(uname -r)
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_SCHED=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_NET_CLS_CGROUP=m
CONFIG_NETPRIO_CGROUP=m
Nota: Meu host ainda é o padrão upstart.
WARN: could not reopen tty: Permission denied. Mas iniciarsudo -H -i -u database lxc-start -n mysql -dfalha como em sua pergunta. Mesmos erros. No entanto, sua correção não funcionasudo. Se eusudo -H -i -u database cat /proc/self/cgroupobtiver exatamente a mesma saída como se eu a executasse como meu usuário de chamada. Então, obviamente, ao tentar iniciar o recipiente usando sudo, ele vai tentar que o outro usuário para escrever no meu cgroup que falha ... :-( Qualquer insight?